Automated Feature Weighting for Network Anomaly Detection

Summary

A number of network features are used to describe normal and intrusive traffic patterns. However, the choice of features depends on which pattern is to be detected. In order to identify which network features are more important for a particular network pattern, we propose an automated feature weighting method based on a fuzzy subspace approach to vector quantization modeling that assigns a weight to each feature when the network models are trained. As our experiments show, the proposed method not only increases the detection rate but also reduces the false alarm rate.
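As an added illustration (not the authors' code, and a simplified W-k-means style weight update rather than the paper's fuzzy subspace formulation), the following Python trains a two-codeword vector quantizer on constructed, already-scaled flow feature vectors and lets the per-feature weights reveal which features carry the pattern; the feature names, sample values and the `anomaly_score` function are assumptions made for this example.

```python
from typing import List, Tuple

Vector = List[float]
BETA = 2.0  # weight exponent; with BETA = 2 each w_j is proportional to 1 / D_j
EPS = 1e-9  # keeps the 1 / D_j update finite for a feature with zero spread

# Constructed sample (not real traffic): min-max scaled flow features
# [bytes_per_flow, packet_rate, dst_port_entropy, unrelated_noise].
FEATURES = ["bytes_per_flow", "packet_rate", "dst_port_entropy", "unrelated_noise"]
FLOWS: List[Vector] = [
    [0.30, 0.10, 0.10, 0.05], [0.70, 0.12, 0.08, 0.95], [0.50, 0.08, 0.12, 0.50],
    [0.40, 0.11, 0.09, 0.80], [0.60, 0.09, 0.11, 0.20], [0.50, 0.10, 0.10, 0.65],
    [0.30, 0.90, 0.90, 0.90], [0.70, 0.92, 0.88, 0.10], [0.50, 0.88, 0.92, 0.55],
    [0.40, 0.91, 0.89, 0.25], [0.60, 0.89, 0.91, 0.75], [0.50, 0.90, 0.90, 0.40],
]

def weighted_sq_dist(x: Vector, z: Vector, w: Vector) -> float:
    # Feature-weighted squared Euclidean distance used by the quantizer.
    return sum((w[j] ** BETA) * (x[j] - z[j]) ** 2 for j in range(len(x)))

def nearest(x: Vector, codebook: List[Vector], w: Vector) -> int:
    return min(range(len(codebook)), key=lambda l: weighted_sq_dist(x, codebook[l], w))

def train(X: List[Vector], k: int = 2, iters: int = 20) -> Tuple[List[Vector], Vector, List[int]]:
    # Alternate membership, codeword and weight updates (W-k-means style).
    d = len(X[0])
    w = [1.0 / d] * d                      # start with equal feature weights
    codebook = [X[0]]                      # farthest-point initialisation
    while len(codebook) < k:
        codebook.append(max(X, key=lambda x: min(weighted_sq_dist(x, z, w) for z in codebook)))
    labels = [nearest(x, codebook, w) for x in X]
    for _ in range(iters):
        for l in range(k):                 # codeword = mean of its members
            members = [x for x, lab in zip(X, labels) if lab == l]
            if members:
                codebook[l] = [sum(m[j] for m in members) / len(members) for j in range(d)]
        # D_j = total within-cluster dispersion of feature j; compact features
        # (small D_j) earn large weights, noisy features small ones.
        D = [sum((x[j] - codebook[lab][j]) ** 2 for x, lab in zip(X, labels)) + EPS for j in range(d)]
        inv = [D[j] ** (-1.0 / (BETA - 1)) for j in range(d)]
        w = [v / sum(inv) for v in inv]
        new_labels = [nearest(x, codebook, w) for x in X]
        if new_labels == labels:
            break
        labels = new_labels
    return codebook, w, labels

def anomaly_score(x: Vector, codebook: List[Vector], w: Vector) -> float:
    # Weighted quantization error: distance of a flow to its nearest codeword.
    return min(weighted_sq_dist(x, z, w) for z in codebook)
```

On this sample the packet-rate and port-entropy weights come out far above the byte-count weight, and the unrelated noise feature is weighted close to zero, so it no longer inflates the quantization error (and hence the alarm rate) of otherwise normal flows.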
