Abstract
Anomaly detection is based on profiles that represent the normal behaviour of users, hosts or networks and detects attacks as significant deviations from these profiles. In this paper we propose a methodology based on the application of several data mining methods for the construction of the "normal" model of the incoming traffic of a department-level network. The methodology returns a daily model of the network traffic as a result of four main steps: first, daily network connections are reconstructed from the TCP/IP packet headers passing through the firewall and represented by means of feature vectors; second, network connections are grouped by applying a clustering method; third, clusters are described as sets of rules generated by a supervised inductive learning algorithm; fourth, rules are transformed into symbolic objects and similarities between symbolic objects are computed for each pair of days. The result is a longitudinal model of the similarity of network connections that a network administrator can use to identify deviations in network traffic patterns that may demand his/her attention. The proposed methodology has been tested on log files of the firewall of our University Department.
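The four steps in the abstract, carried through end to end on constructed data, as an added example that is not the paper's code. It keeps the shape of the pipeline (packet headers to connections to feature vectors to clusters to per-cluster rules read as symbolic objects to a similarity between consecutive days) but substitutes simpler components that are assumptions of this example, not the paper's choices: a deterministic k-means in place of the paper's clustering method, per-feature min/max interval rules in place of the supervised rule learner, and an interval-overlap measure in place of the paper's symbolic-object similarity. The packet records, the feature set (packet count and kilobytes per connection), the 10.0.0.1/192.0.2.x addresses and the 0.5 deviation threshold are all constructed for the illustration.

```python
# Added toy pipeline (not the paper's code): packet headers -> connections ->
# feature vectors -> k-means clusters -> interval rules -> day-to-day similarity.
from collections import defaultdict

def make_packets(day, src, dport, n_packets, total_bytes):
    """Constructed header records (day, src, dst, dport, bytes) for one connection."""
    per_packet = total_bytes // n_packets
    return [(day, src, "10.0.0.1", dport, per_packet) for _ in range(n_packets)]

# Constructed sample: documentation-range addresses, three days of traffic.
PACKETS = (
    make_packets("day1", "192.0.2.10", 80, 4, 2000)        # day1, day2: two small
    + make_packets("day1", "192.0.2.11", 80, 6, 3000)      # and two larger
    + make_packets("day1", "192.0.2.12", 22, 40, 30000)    # connections each
    + make_packets("day1", "192.0.2.13", 22, 60, 48000)
    + make_packets("day2", "192.0.2.10", 80, 4, 2000)
    + make_packets("day2", "192.0.2.11", 80, 5, 4000)
    + make_packets("day2", "192.0.2.12", 22, 45, 36000)
    + make_packets("day2", "192.0.2.13", 22, 60, 48000)
    + make_packets("day3", "192.0.2.10", 80, 4, 2000)      # day3: the large
    + make_packets("day3", "192.0.2.11", 80, 6, 3000)      # connections are
    + make_packets("day3", "192.0.2.12", 22, 300, 300000)  # far bigger
    + make_packets("day3", "192.0.2.13", 22, 350, 350000)
)

def reconstruct_connections(packets):
    """Step 1: group headers by (day, src, dst, dport) into connections and
    summarise each as the feature vector [packet_count, kilobytes]."""
    acc = defaultdict(lambda: [0, 0])
    for day, src, dst, dport, nbytes in packets:
        acc[(day, src, dst, dport)][0] += 1
        acc[(day, src, dst, dport)][1] += nbytes
    per_day = defaultdict(list)
    for (day, *_), (npkts, nbytes) in acc.items():
        per_day[day].append([float(npkts), nbytes / 1000.0])
    return per_day

def dist2(p, q):
    return sum((a - b) ** 2 for a, b in zip(p, q))

def mean(points):
    return [sum(p[j] for p in points) / len(points) for j in range(len(points[0]))]

def kmeans(points, k=2, max_iter=50):
    """Step 2: plain k-means, seeded from the points with the smallest and
    largest coordinate sums so the run is deterministic (a stand-in for the
    paper's clustering method, assumed here)."""
    order = sorted(points, key=sum)
    centroids = [order[0], order[-1]] if k == 2 else order[:k]
    groups = []
    for _ in range(max_iter):
        groups = [[] for _ in centroids]
        for p in points:
            groups[min(range(k), key=lambda i: dist2(p, centroids[i]))].append(p)
        new = [mean(g) if g else c for g, c in zip(groups, centroids)]
        if new == centroids:
            break
        centroids = new
    return [g for g in groups if g]

def describe(cluster):
    """Step 3 (simplified): one interval rule per feature, read as a Boolean
    symbolic object [packets in [lo, hi]] and [kilobytes in [lo, hi]]."""
    return [(min(p[j] for p in cluster), max(p[j] for p in cluster))
            for j in range(len(cluster[0]))]

def interval_sim(a, b):
    """Overlap over union of two closed intervals; disjoint or merely touching
    intervals score 0, two identical degenerate intervals score 1."""
    overlap = min(a[1], b[1]) - max(a[0], b[0])
    union = max(a[1], b[1]) - min(a[0], b[0])
    return 1.0 if union == 0 else max(0.0, overlap) / union

def object_sim(o1, o2):
    return sum(interval_sim(a, b) for a, b in zip(o1, o2)) / len(o1)

def day_sim(objs1, objs2):
    """Step 4: pair every symbolic object with its most similar object from
    the other day and average over both directions."""
    best = [max(object_sim(o, q) for q in objs2) for o in objs1]
    best += [max(object_sim(o, q) for q in objs1) for o in objs2]
    return sum(best) / len(best)

def daily_models(packets):
    """Steps 1-3 for every day: {day: [symbolic object per cluster]}."""
    return {day: [describe(c) for c in kmeans(pts)]
            for day, pts in reconstruct_connections(packets).items()}

def compare_consecutive_days(models, threshold=0.5):
    """Longitudinal view: similarity of each day to the next; a value below
    `threshold` (assumed, administrator-chosen) is flagged for attention."""
    days = sorted(models)
    report = []
    for a, b in zip(days, days[1:]):
        s = day_sim(models[a], models[b])
        report.append((a, b, round(s, 3), s < threshold))
    return report

if __name__ == "__main__":
    for a, b, s, flagged in compare_consecutive_days(daily_models(PACKETS)):
        print(f"{a} -> {b}: similarity {s}" + ("  <-- deviation" if flagged else ""))
```

Run as a script, it reports day1 to day2 as similar and flags the day2 to day3 transition, where the large-connection cluster has drifted far outside its previous interval rules. The interval-overlap measure is deliberately crude: two intervals that merely touch score 0, which is one reason the paper works with a proper dissimilarity for symbolic objects rather than this shortcut.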
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Caruso, C., Malerba, D., Papagni, D. (2005). Learning the Daily Model of Network Traffic. In: Hacid, MS., Murray, N.V., Raś, Z.W., Tsumoto, S. (eds) Foundations of Intelligent Systems. ISMIS 2005. Lecture Notes in Computer Science, vol 3488. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11425274_14
DOI: https://doi.org/10.1007/11425274_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-25878-0
Online ISBN: 978-3-540-31949-8
eBook Packages: Computer Science, Computer Science (R0)