Network Anomalous Attack Detection Based on Clustering and Classifier

A new approach to detecting anomalous behaviour in network traffic is presented. Network connection records are mapped into different feature spaces according to their protocols and services. Clustering is then performed to group the training data points into clusters, some of which are selected as the normal and known-attack profile. The training data excluded from the profile are used to build a specific classifier. The classifier has two distinct characteristics: first, it treats each data point in the feature space as having a limited influence scope, which serves as the decision bound of the classifier; second, it has a "default" label for recognizing novel attacks. The new method was tested on the KDD Cup 1999 data. Experimental results show that it is superior to other data-mining-based approaches in detection performance, especially in the detection of PROBE and U2R attacks.
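The pipeline the abstract describes (per-protocol/service feature spaces, clustering to select a normal and known-attack profile, and a classifier whose bounds are the influence scopes of the remaining training points, with a "default" label for anything outside them) can be sketched end to end. The following is an added illustration, not the paper's code, and it makes several assumptions the abstract leaves open: a single-pass leader clustering with a fixed distance threshold stands in for the paper's clustering step, a cluster becomes part of the profile when it has at least `min_size` members, a profile cluster's bound is its spread plus one influence radius, and the influence scope of an excluded training point is a fixed Euclidean radius. The training records and feature values are constructed, not KDD Cup 1999 data.

```python
from collections import Counter, defaultdict
from math import sqrt

# The classifier's "default" label: anything that falls outside every known
# profile cluster and outside every training point's influence scope.
NOVEL = "novel"

# Constructed training records (protocol, service, feature vector, label).
# The two features stand in for normalised KDD-style fields; they are not
# real KDD Cup 1999 values.
TRAINING = [
    ("tcp", "http", (0.10, 0.20), "normal"),
    ("tcp", "http", (0.12, 0.22), "normal"),
    ("tcp", "http", (0.09, 0.18), "normal"),
    ("tcp", "http", (0.11, 0.21), "normal"),
    ("tcp", "http", (0.10, 0.19), "normal"),
    ("tcp", "http", (0.90, 0.90), "dos"),
    ("tcp", "http", (0.88, 0.92), "dos"),
    ("tcp", "http", (0.91, 0.89), "dos"),
    ("tcp", "http", (0.90, 0.91), "dos"),
    ("tcp", "http", (0.50, 0.10), "probe"),  # too rare to form a profile cluster
    ("tcp", "http", (0.20, 0.80), "r2l"),    # likewise
    ("udp", "domain", (0.05, 0.05), "normal"),
    ("udp", "domain", (0.06, 0.04), "normal"),
    ("udp", "domain", (0.04, 0.06), "normal"),
]


def dist(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def leader_cluster(points, threshold):
    """Single-pass clustering (an assumption; the paper's algorithm is not given):
    join the nearest cluster whose centroid lies within `threshold`, otherwise
    open a new cluster. Returns a list of (centroid, members)."""
    clusters = []  # each entry: [centroid, [(vec, label), ...]]
    for vec, label in points:
        best = min(((dist(vec, c[0]), c) for c in clusters),
                   key=lambda t: t[0], default=None)
        if best is None or best[0] > threshold:
            clusters.append([vec, [(vec, label)]])
            continue
        members = best[1][1]
        members.append((vec, label))
        n = len(members)
        best[1][0] = tuple(sum(m[0][i] for m in members) / n for i in range(len(vec)))
    return [(c[0], c[1]) for c in clusters]


class SpaceModel:
    """Profile plus classifier for one (protocol, service) feature space."""

    def __init__(self, points, threshold=0.10, min_size=3, influence=0.08):
        self.influence = influence
        self.profile = []     # (centroid, bound, label): normal / known-attack clusters
        self.prototypes = []  # (vec, label): training points excluded from the profile
        for centroid, members in leader_cluster(points, threshold):
            if len(members) >= min_size:
                label = Counter(m[1] for m in members).most_common(1)[0][0]
                # Bound = cluster spread plus one influence radius (assumed margin).
                bound = max(dist(m[0], centroid) for m in members) + influence
                self.profile.append((centroid, bound, label))
            else:
                self.prototypes.extend(members)

    def classify(self, vec):
        # 1. Inside a profile cluster: take the nearest cluster whose bound contains vec.
        inside = [(dist(vec, c), lab) for c, bound, lab in self.profile if dist(vec, c) <= bound]
        if inside:
            return min(inside)[1]
        # 2. Inside the influence scope of an excluded training point.
        near = [(dist(vec, p), lab) for p, lab in self.prototypes if dist(vec, p) <= self.influence]
        if near:
            return min(near)[1]
        # 3. Outside every decisive bound: the default label flags a novel attack.
        return NOVEL


class Detector:
    def __init__(self, records, **kw):
        spaces = defaultdict(list)
        for proto, svc, vec, label in records:
            spaces[(proto, svc)].append((vec, label))
        self.models = {key: SpaceModel(pts, **kw) for key, pts in spaces.items()}

    def classify(self, proto, svc, vec):
        model = self.models.get((proto, svc))
        # No training data for this protocol/service: nothing to match, so default.
        return model.classify(vec) if model else NOVEL


def demo():
    """Classify a few constructed test connections; returns {name: label}."""
    det = Detector(TRAINING)
    tests = {
        "http_normal": ("tcp", "http", (0.11, 0.19)),
        "http_known_dos": ("tcp", "http", (0.89, 0.90)),
        "http_probe_near_prototype": ("tcp", "http", (0.52, 0.12)),
        "http_unseen": ("tcp", "http", (0.55, 0.55)),
        "dns_normal": ("udp", "domain", (0.05, 0.06)),
        "icmp_untrained_space": ("icmp", "ecr_i", (0.50, 0.50)),
    }
    return {name: det.classify(*args) for name, args in tests.items()}


if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name:28s} -> {label}")
```

The two PROBE and R2L training points never reach `min_size`, so they are excluded from the profile and survive only as prototypes with a small influence radius; a test connection close to one of them is labelled by that prototype, while a connection that matches neither a profile cluster nor any prototype receives the default label. The `influence` and `threshold` values control the trade-off between false alarms and missed novel attacks and would have to be tuned on real data.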