Abstract
Intrusion detection has become an important part of assuring computer security. It borrows various algorithms from statistics, machine learning, and related fields. In this paper we introduce a supervised clustering and classification algorithm (CCAS) and its application to learning patterns of normal and intrusive activities and to detecting suspicious activity records. The algorithm uses a heuristic for grid-based clustering. Several post-processing techniques, including data redistribution, supervised grouping of clusters, and removal of outliers, are used to enhance scalability and robustness. The algorithm is applied to a large set of computer audit data for intrusion detection, and we describe the analysis method used with this data set. The results show that CCAS significantly improves performance with regard to detection ability and robustness.
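The abstract names four ingredients of CCAS: grid-based supervised clustering, supervised grouping of clusters, removal of outliers, and data redistribution, followed by classification of new audit records. The following is an added, self-contained illustration of that pipeline written for this page; it is not the authors' CCAS code and the paper's own heuristics may differ. The equal-width grid, the "merge same-label clusters in adjacent cells" rule, the minimum-size outlier rule, the one-pass reassignment used for redistribution, the nearest-centroid classifier, and the audit-record features (events per second, fraction of privileged calls) are all assumptions made here, and the training records are constructed.

```python
"""Toy grid-based supervised clustering with nearest-cluster classification.

Illustrative code written for this page; it is NOT the authors' CCAS
implementation.  The equal-width grid, the adjacent-cell merge rule, the
minimum-size outlier rule and the one-pass redistribution are simplifying
assumptions made here, and the audit-record features are constructed.
"""
import math
from collections import defaultdict
from itertools import combinations

# Constructed training records: (events per second, fraction of privileged
# calls) with a supervised label.  Values are made up for the example.
TRAINING = [
    ((4.0, 0.05), "normal"), ((5.0, 0.08), "normal"), ((6.0, 0.10), "normal"),
    ((7.0, 0.12), "normal"), ((9.0, 0.15), "normal"), ((10.0, 0.18), "normal"),
    ((8.0, 0.28), "normal"), ((9.5, 0.30), "normal"),       # adjacent cell, merged in
    ((35.0, 0.10), "normal"), ((36.0, 0.12), "normal"), ((38.0, 0.11), "normal"),  # batch jobs
    ((40.0, 0.70), "intrusive"), ((45.0, 0.75), "intrusive"),
    ((50.0, 0.80), "intrusive"), ((48.0, 0.85), "intrusive"),
    ((30.0, 0.60), "normal"),      # noisy label: isolated, dropped as an outlier
    ((12.0, 0.20), "intrusive"),   # isolated intrusive record, dropped as an outlier
]


def make_grid(records, bins):
    """Per-dimension (lo, width) of an equal-width grid fitted to the training data."""
    dim = len(records[0][0])
    edges = []
    for d in range(dim):
        vals = [x[d] for x, _ in records]
        lo, hi = min(vals), max(vals)
        edges.append((lo, (hi - lo) / bins or 1.0))   # avoid a zero-width axis
    return edges


def cell_of(x, edges, bins):
    """Grid cell of a record; values outside the training range clamp to an edge cell."""
    return tuple(max(0, min(bins - 1, int((v - lo) / w))) for v, (lo, w) in zip(x, edges))


def dist(a, b, edges):
    """Euclidean distance in grid-cell units, so differently scaled features are comparable."""
    return math.sqrt(sum(((u - v) / w) ** 2 for u, v, (_, w) in zip(a, b, edges)))


def centroid(points):
    n = len(points)
    return tuple(sum(p[d] for p in points) / n for d in range(len(points[0])))


def train(records, bins=4, min_size=2):
    edges = make_grid(records, bins)
    # 1. grid-based clustering: one cluster per (cell, label)
    cells = defaultdict(list)
    for x, y in records:
        cells[(cell_of(x, edges, bins), y)].append(x)
    raw = [(c, y, pts) for (c, y), pts in cells.items()]
    # 2. supervised grouping: union same-label clusters whose cells touch
    parent = list(range(len(raw)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(raw)), 2):
        (ci, yi, _), (cj, yj, _) = raw[i], raw[j]
        if yi == yj and max(abs(p - q) for p, q in zip(ci, cj)) <= 1:
            parent[find(i)] = find(j)
    merged = defaultdict(list)
    for i, (_, y, pts) in enumerate(raw):
        merged[(find(i), y)].extend(pts)
    # 3. removal of outliers: clusters with fewer than min_size records are noise
    clusters = [{"label": y, "points": pts} for (_, y), pts in merged.items()
                if len(pts) >= min_size]
    for c in clusters:
        c["centroid"] = centroid(c["points"])
    # 4. data redistribution: one pass re-assigning each kept record to the
    #    nearest same-label centroid, then recompute the centroids
    for c in clusters:
        c["new"] = []
    for c in clusters:
        same = [k for k in clusters if k["label"] == c["label"]]
        for x in c["points"]:
            min(same, key=lambda k: dist(x, k["centroid"], edges))["new"].append(x)
    clusters = [{"label": c["label"], "centroid": centroid(c["new"]), "size": len(c["new"])}
                for c in clusters if c["new"]]
    return {"edges": edges, "bins": bins, "clusters": clusters}


def classify(model, x):
    """Label of the nearest cluster centroid, plus the nearest distance per label."""
    nearest = {}
    for c in model["clusters"]:
        d = dist(x, c["centroid"], model["edges"])
        if d < nearest.get(c["label"], math.inf):
            nearest[c["label"]] = d
    return min(nearest, key=nearest.get), nearest


if __name__ == "__main__":
    model = train(TRAINING)
    for c in model["clusters"]:
        print(c["label"], c["size"], tuple(round(v, 3) for v in c["centroid"]))
    for x in [(6.0, 0.09), (37.0, 0.10), (42.0, 0.72), (100.0, 0.95)]:
        print(x, classify(model, x)[0])
```

On the constructed set the two isolated records fall in cells of their own and are dropped by the size rule, the two normal records in the cell above the main normal cell are merged into it by the adjacency rule, and the high-rate but unprivileged batch-job records survive as a second normal cluster, which is why a record like (37.0, 0.10) is classified as normal even though its event rate is close to the intrusive cluster. Distances are taken in grid-cell units; with raw feature values the events-per-second axis would dominate the fraction axis.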
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Li, X., Ye, N. (2004). Mining Normal and Intrusive Activity Patterns for Computer Intrusion Detection. In: Chen, H., Moore, R., Zeng, D.D., Leavitt, J. (eds) Intelligence and Security Informatics. ISI 2004. Lecture Notes in Computer Science, vol 3073. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-25952-7_17
DOI: https://doi.org/10.1007/978-3-540-25952-7_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-22125-8
Online ISBN: 978-3-540-25952-7