Data Clustering for Anomaly Detection in Network Intrusion Detection

Intrusions pose a serious security risk in a network environment. Network intrusion detection systems aim to identify attacks or malicious activity in a network with a high detection rate while maintaining a low false alarm rate. New and emerging threats or attacks are the most difficult to detect. Signature-based methods and misuse detection methods, which rely on labeled patterns, can detect previously known attacks with good accuracy but are unable to detect new types of attacks. In addition, maintaining the signature database and labeling the patterns is time consuming and expensive. Anomaly detection techniques can make use of unsupervised learning methods to identify new and emerging threats without the need for labeled patterns, but at the cost of a potential false alarm rate. We reviewed the different network intrusion detection methods and present here a comparative study with more emphasis on unsupervised learning methods for anomaly detection. The K-means algorithm was chosen to evaluate the performance of an unsupervised learning method for anomaly detection using the KDD Cup 1999 network data set. The results of the evaluation confirm that a high detection rate can be achieved while maintaining a low false alarm rate.
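The following is an added worked example, not code from the paper, showing the kind of evaluation the abstract describes: K-means clustering applied to unlabeled connection records, anomalies flagged without using the labels, and then detection rate and false alarm rate computed against the ground truth. Everything in it is an assumption for illustration: the dataset is constructed inline (four hypothetical features loosely modeled on KDD Cup 1999 connection fields, not the real data set), the two flagging heuristics (a small cluster is anomalous as a whole; a record far from its centroid is an outlier) are common choices in clustering-based anomaly detection rather than the paper's specific procedure, and the parameters (k = 3, 10% small-cluster cutoff, median + 3 scaled-MAD distance threshold) are chosen for the sample.

```python
"""Added example: K-means anomaly detection evaluated by detection rate and
false alarm rate on a constructed dataset. Pure Python, no third-party packages."""
import math
import random
import statistics
from typing import Dict, List, Tuple

Vector = List[float]


def build_dataset(seed: int = 7) -> Tuple[List[Vector], List[int]]:
    """Constructed sample, NOT KDD Cup data: hypothetical connection records with
    four features (duration, src_bytes, dst_bytes, count). Label 0 = normal,
    1 = attack. Normal traffic forms two dense groups; attack records are a small
    minority far from both, which is the assumption unsupervised detection relies on."""
    rng = random.Random(seed)
    records, labels = [], []
    for _ in range(300):  # short web-like connections
        records.append([rng.gauss(1.0, 0.3), rng.gauss(300, 40),
                        rng.gauss(2000, 200), rng.gauss(5, 1)])
        labels.append(0)
    for _ in range(200):  # long-lived bulk transfers
        records.append([rng.gauss(60, 5), rng.gauss(5000, 400),
                        rng.gauss(8000, 500), rng.gauss(2, 0.5)])
        labels.append(0)
    for _ in range(25):  # flood-like records: no payload, very high connection count
        records.append([rng.gauss(0.1, 0.05), rng.gauss(0, 5),
                        rng.gauss(0, 5), rng.gauss(400, 30)])
        labels.append(1)
    return records, labels


def zscore(records: List[Vector]) -> List[Vector]:
    """Standardise each feature; without this, byte counts dominate the distance."""
    cols = list(zip(*records))
    means = [statistics.fmean(c) for c in cols]
    stds = [statistics.pstdev(c) or 1.0 for c in cols]
    return [[(x - m) / s for x, m, s in zip(r, means, stds)] for r in records]


def dist(a: Vector, b: Vector) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest(p: Vector, centroids: List[Vector]) -> int:
    return min(range(len(centroids)), key=lambda j: dist(p, centroids[j]))


def kmeans(data: List[Vector], k: int, iters: int = 100) -> Tuple[List[Vector], List[int]]:
    """Lloyd's algorithm with deterministic farthest-first seeding (no labels used)."""
    centroids = [data[0]]
    while len(centroids) < k:
        centroids.append(max(data, key=lambda p: min(dist(p, c) for c in centroids)))
    assign = [-1] * len(data)
    for _ in range(iters):
        new_assign = [nearest(p, centroids) for p in data]
        if new_assign == assign:
            break  # converged
        assign = new_assign
        for j in range(k):
            members = [p for p, a in zip(data, assign) if a == j]
            if members:  # keep the old centroid if a cluster empties out
                centroids[j] = [statistics.fmean(col) for col in zip(*members)]
    return centroids, assign


def flag_anomalies(data: List[Vector], centroids: List[Vector], assign: List[int],
                   small_fraction: float = 0.10, mad_mult: float = 3.0) -> List[bool]:
    """Two unsupervised heuristics (assumed here, not the paper's exact rule):
    1. a cluster holding fewer than small_fraction of all records is anomalous as a
       whole, since normal traffic is assumed to dominate the data;
    2. inside any cluster, a record whose distance to the centroid exceeds a robust
       threshold (median + mad_mult * 1.4826 * MAD) is an outlier. The robust
       statistics keep a few extreme points from inflating the threshold."""
    n, k = len(data), len(centroids)
    sizes = [assign.count(j) for j in range(k)]
    d = [dist(p, centroids[a]) for p, a in zip(data, assign)]
    thresholds = []
    for j in range(k):
        dj = [x for x, a in zip(d, assign) if a == j]
        if not dj:
            thresholds.append(math.inf)
            continue
        med = statistics.median(dj)
        mad = statistics.median(abs(x - med) for x in dj)
        thresholds.append(med + mad_mult * 1.4826 * mad)
    return [sizes[a] < small_fraction * n or x > thresholds[a] for x, a in zip(d, assign)]


def evaluate(flags: List[bool], labels: List[int]) -> Dict[str, float]:
    """Detection rate = TP / (TP + FN); false alarm rate = FP / (FP + TN)."""
    tp = sum(1 for f, y in zip(flags, labels) if f and y == 1)
    fn = sum(1 for f, y in zip(flags, labels) if not f and y == 1)
    fp = sum(1 for f, y in zip(flags, labels) if f and y == 0)
    tn = sum(1 for f, y in zip(flags, labels) if not f and y == 0)
    return {"detection_rate": tp / (tp + fn), "false_alarm_rate": fp / (fp + tn)}


def run(k: int = 3, seed: int = 7) -> Dict[str, float]:
    """Cluster without labels, flag anomalies, then score against the held-back labels."""
    records, labels = build_dataset(seed)
    data = zscore(records)
    centroids, assign = kmeans(data, k)
    return evaluate(flag_anomalies(data, centroids, assign), labels)


if __name__ == "__main__":
    print(run())
```

The labels are used only in `evaluate`; clustering and flagging see nothing but the feature vectors, which is what makes the method unsupervised. Note the dependence on k: with k = 2 the two normal groups would be merged and the distance rule would flag one of them wholesale, so in practice k (and the small-cluster cutoff) must be chosen against a representative sample of normal traffic, and the false alarm rate reported should be measured on data the thresholds were not tuned on.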