Labelling Clusters in an Intrusion Detection System Using a Combination of Clustering Evaluation Techniques

A new cluster labelling strategy, which combines the computation of the Davies-Bouldin index of the clustering with the centroid diameters of the individual clusters, is proposed for application in anomaly-based intrusion detection systems (IDS). The aim of the strategy is to detect compact clusters containing very similar vectors, since such clusters are highly likely to consist of attack vectors. Experimental results comparing the effectiveness of a multiple-classifier IDS using this labelling strategy with that of an IDS using classical cardinality-based labelling show that the proposed strategy performs much better in a heavily attacked environment where massive attacks are present. The parameters of the labelling algorithm can be varied in order to adapt to the conditions in the monitored network.
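The following Python block is an added example, not code from the paper. It computes the two quantities the abstract names (the Davies-Bouldin index of a clustering and the centroid diameter of each cluster) and applies a hypothetical labelling rule: when the clustering is reasonably well separated (DB index at or below an assumed `db_max`), clusters whose centroid diameter is at most an assumed fraction `compact_ratio` of the mean diameter are labelled as attacks. The centroid-diameter definition (twice the mean member-to-centroid distance), the thresholds, the constructed sample clusters, and the cardinality rule used for comparison are all assumptions; the paper's exact rule and parameter values are not given in the abstract.

```python
"""Added example: labelling clusters with the Davies-Bouldin index and
centroid diameters. Not the paper's code; the decision rule, thresholds and
sample data are assumptions made for illustration."""
import math
from typing import Dict, List, Sequence, Tuple

Vector = Tuple[float, ...]


def euclid(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def centroid(points: Sequence[Vector]) -> Vector:
    n = len(points)
    return tuple(sum(p[d] for p in points) / n for d in range(len(points[0])))


def centroid_diameter(points: Sequence[Vector], c: Vector = None) -> float:
    # Assumed definition: twice the mean distance of the members to the centroid.
    c = c if c is not None else centroid(points)
    return 2.0 * sum(euclid(p, c) for p in points) / len(points)


def davies_bouldin(clusters: Dict[str, List[Vector]]) -> float:
    # DB = (1/k) * sum_i max_{j != i} (s_i + s_j) / d(c_i, c_j),
    # where s_i is the mean member-to-centroid distance of cluster i.
    names = list(clusters)
    cents = {k: centroid(v) for k, v in clusters.items()}
    scatter = {k: centroid_diameter(v, cents[k]) / 2.0 for k, v in clusters.items()}
    total = 0.0
    for i in names:
        worst = 0.0
        for j in names:
            if i == j:
                continue
            sep = euclid(cents[i], cents[j])
            ratio = (scatter[i] + scatter[j]) / sep if sep > 0 else math.inf
            worst = max(worst, ratio)
        total += worst
    return total / len(names)


def label_clusters(clusters: Dict[str, List[Vector]],
                   db_max: float = 1.0, compact_ratio: float = 0.25) -> Dict[str, str]:
    # Hypothetical rule: only trust compactness when the clustering as a whole is
    # well separated (low DB index); then flag unusually tight clusters as attacks.
    db = davies_bouldin(clusters)
    diam = {k: centroid_diameter(v) for k, v in clusters.items()}
    mean_d = sum(diam.values()) / len(diam)
    return {k: "attack" if db <= db_max and d <= compact_ratio * mean_d else "normal"
            for k, d in diam.items()}


def label_by_cardinality(clusters: Dict[str, List[Vector]],
                         small_fraction: float = 0.1) -> Dict[str, str]:
    # Classical cardinality labelling (assumed form): small clusters are attacks.
    total = sum(len(v) for v in clusters.values())
    return {k: "attack" if len(v) < small_fraction * total else "normal"
            for k, v in clusters.items()}


def around(center: Vector, spread: float) -> List[Vector]:
    # Six constructed points: center +/- spread along each of the three axes.
    pts = []
    for axis in range(len(center)):
        for sign in (-1.0, 1.0):
            p = list(center)
            p[axis] += sign * spread
            pts.append(tuple(p))
    return pts


def make_sample_clusters() -> Dict[str, List[Vector]]:
    # Constructed feature vectors: two spread-out "normal" clusters and one large,
    # very tight cluster modelling a massive attack with near-identical vectors.
    return {
        "normal_web": around((0.5, 0.4, 0.6), 0.1),
        "normal_dns": around((0.1, 0.9, 0.2), 0.1),
        "flood": around((0.95, 0.05, 0.95), 0.005) + around((0.95, 0.05, 0.95), 0.003),
    }


if __name__ == "__main__":
    sample = make_sample_clusters()
    print("DB index:", round(davies_bouldin(sample), 3))
    print("compactness labels:", label_clusters(sample))
    print("cardinality labels:", label_by_cardinality(sample))
```

On the constructed data the flood cluster is the largest of the three, so the cardinality rule labels every cluster as normal, while the compactness rule picks the flood out by its tiny centroid diameter; this is the situation the abstract describes for environments with massive attacks. Raising `compact_ratio` or `db_max` makes the rule more aggressive, which is the kind of parameter tuning the abstract mentions.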