
Mining Normal and Intrusive Activity Patterns for Computer Intrusion Detection

Conference paper, Intelligence and Security Informatics (ISI 2004)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3073)

Abstract

Intrusion detection has become an important part of assuring computer security. It borrows algorithms from statistics, machine learning, and related fields. In this paper we introduce a supervised clustering and classification algorithm (CCAS) and its application to learning patterns of normal and intrusive activities and to detecting suspicious activity records. The algorithm uses a heuristic in grid-based clustering. Several post-processing techniques, including data redistribution, supervised grouping of clusters, and removal of outliers, are used to enhance scalability and robustness. The algorithm is applied to a large set of computer audit data for intrusion detection, and we describe the method used to analyse this data set. The results show that CCAS significantly improves performance with regard to detection ability and robustness.




Copyright information

© 2004 Springer-Verlag Berlin Heidelberg


Cite this paper

Li, X., Ye, N. (2004). Mining Normal and Intrusive Activity Patterns for Computer Intrusion Detection. In: Chen, H., Moore, R., Zeng, D.D., Leavitt, J. (eds) Intelligence and Security Informatics. ISI 2004. Lecture Notes in Computer Science, vol 3073. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-25952-7_17


  • DOI: https://doi.org/10.1007/978-3-540-25952-7_17

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-22125-8

  • Online ISBN: 978-3-540-25952-7
