论文信息 - Incremental Clustering for Semi-Supervised Anomaly Detection applied on Log Data

Incremental Clustering for Semi-Supervised Anomaly Detection applied on Log Data

Anomaly detection based on white-listing and self-learning has proven to be a promising approach to detect customized and advanced cyber attacks. Anomaly detection aims at detecting significant deviations from normal system and network behavior. A well-known method to classify anomalous and normal system behavior is clustering of log lines. However, this approach has been applied for forensic purposes only, where log data dumps are investigated retrospectively. In order to make this concept applicable for on-line anomaly detection, i.e., at the time the log lines are produced, some major extensions to existing approaches are required. Especially distance based clustering approaches usually fail building the required large distance matrices and rely on time-consuming recalculations of the cluster-map on every arriving log line. An incremental clustering approach seems suitable to solve this issues. Thus, we introduce a semi-supervised concept for incremental clustering of log data that builds the basis for a novel on-line anomaly detection solution based on log data streams. Its operation is independent from the syntax and semantics of the processed log lines, which makes it generally applicable. We demonstrate that that the introduced anomaly detection approach allows to achieve both a high recall and a high precision while maintaining linear complexity.

[1] Mihai Pop,et al. DNACLUST: accurate and efficient clustering of phylogenetic marker genes , 2011, BMC Bioinformatics.

[2] Jonathon Shlens,et al. A Tutorial on Principal Component Analysis , 2014, ArXiv.

[3] Karen A. Scarfone,et al. Guide to Intrusion Detection and Prevention Systems (IDPS) , 2007 .

[4] Risto Vaarandi,et al. A data clustering algorithm for mining patterns from event logs , 2003, Proceedings of the 3rd IEEE Workshop on IP Operations & Management (IPOM 2003) (IEEE Cat. No.03EX764).

[5] Seiichi Uchida,et al. A Comparative Evaluation of Unsupervised Anomaly Detection Algorithms for Multivariate Data , 2016, PloS one.

[6] Florian Skopik,et al. Semi-synthetic data set generation for security software evaluation , 2014, 2014 Twelfth Annual International Conference on Privacy, Security and Trust.

[7] Matthew A. Jaro,et al. Advances in Record-Linkage Methodology as Applied to Matching the 1985 Census of Tampa, Florida , 1989 .

[8] VARUN CHANDOLA,et al. Anomaly detection: A survey , 2009, CSUR.

[9] Jonathan Goldstein,et al. When Is ''Nearest Neighbor'' Meaningful? , 1999, ICDT.

[10] Wael Hassan Gomaa,et al. A Survey of Text Similarity Approaches , 2013 .

[11] Pavel Berkhin,et al. A Survey of Clustering Data Mining Techniques , 2006, Grouping Multidimensional Data.