
Sub-Space Clustering and Evidence Accumulation for Unsupervised Network Anomaly Detection

Conference paper: Traffic Monitoring and Analysis (TMA 2011)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 6613)

Abstract

Network anomaly detection has been a hot research topic for many years. Most detection systems proposed so far employ a supervised strategy to accomplish the task, using either signature-based detection methods or supervised-learning techniques. However, both approaches present major limitations: the former fails to detect unknown anomalies, and the latter requires training and labeled traffic, which is difficult and expensive to produce. Such limitations impose a serious bottleneck on the development of novel and applicable methods in the near-future network scenario, characterized by emerging applications and new variants of network attacks. This work introduces and evaluates an unsupervised approach to detect and characterize network anomalies, without relying on signatures, statistical training, or labeled traffic. Unsupervised detection is accomplished by means of robust data-clustering techniques, combining Sub-Space Clustering and multiple Evidence Accumulation algorithms to blindly identify anomalous traffic flows. Unsupervised characterization is achieved by exploring inter-flow structure from multiple outlooks, building filtering rules to describe a detected anomaly. Detection and characterization performance of the unsupervised approach is extensively evaluated with real traffic from two different data-sets: the public MAWI traffic repository and the METROSEC project data-set. The obtained results show the viability of unsupervised network anomaly detection and characterization, an ambitious goal so far unmet.
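As an added illustration (not the authors' code or data), the block below is a toy version of the pipeline the abstract describes: cluster the flows in every two-dimensional feature sub-space with DBSCAN, accumulate for each flow the evidence of being an outlier across those sub-spaces, cut the ranked evidence at its largest gap, and turn the sub-spaces in which a flagged flow was an outlier into filtering rules. The flow records, the feature set (`n_pkts`, `n_dst_ports`, `avg_pkt_size`), the DBSCAN parameters, the distance-to-centroid evidence rule and the largest-gap cut are all assumptions of this example, not the paper's definitions.

```python
"""Toy sub-space clustering + evidence accumulation over per-flow aggregates.

Added illustration, not the paper's code: flow records, feature names,
DBSCAN parameters and the evidence/cut rules are assumptions.
"""
from itertools import combinations
import math

FEATURES = ["n_pkts", "n_dst_ports", "avg_pkt_size"]

# Constructed per-flow aggregates (hypothetical values, not MAWI/METROSEC data).
FLOWS = [
    {"n_pkts": 12, "n_dst_ports": 1, "avg_pkt_size": 450},
    {"n_pkts": 15, "n_dst_ports": 2, "avg_pkt_size": 470},
    {"n_pkts": 18, "n_dst_ports": 1, "avg_pkt_size": 490},
    {"n_pkts": 20, "n_dst_ports": 3, "avg_pkt_size": 510},
    {"n_pkts": 22, "n_dst_ports": 1, "avg_pkt_size": 530},
    {"n_pkts": 25, "n_dst_ports": 2, "avg_pkt_size": 560},
    {"n_pkts": 28, "n_dst_ports": 1, "avg_pkt_size": 580},
    {"n_pkts": 30, "n_dst_ports": 2, "avg_pkt_size": 600},
    # a bulk transfer: unusual only in the outlooks that include packet size
    {"n_pkts": 120, "n_dst_ports": 1, "avg_pkt_size": 1400},
    # the anomalous flow: many tiny packets spread over many destination ports
    {"n_pkts": 600, "n_dst_ports": 300, "avg_pkt_size": 60},
]


def normalize(flows, features):
    """Min-max scale every feature to [0, 1] so Euclidean distances are comparable."""
    lo = {f: min(fl[f] for fl in flows) for f in features}
    hi = {f: max(fl[f] for fl in flows) for f in features}
    return [{f: (fl[f] - lo[f]) / ((hi[f] - lo[f]) or 1) for f in features} for fl in flows]


def dbscan(points, eps, min_pts):
    """Minimal DBSCAN: one label per point, -1 meaning noise (an outlier)."""
    n = len(points)
    neigh = [[j for j in range(n) if math.dist(points[i], points[j]) <= eps] for i in range(n)]
    labels, cluster = [None] * n, 0
    for i in range(n):
        if labels[i] is not None:
            continue
        if len(neigh[i]) < min_pts:       # neighbourhood counts the point itself
            labels[i] = -1                # noise for now; a core point may still absorb it
            continue
        labels[i], stack = cluster, list(neigh[i])
        while stack:
            j = stack.pop()
            if labels[j] == -1:
                labels[j] = cluster       # border point reached from a core point
            if labels[j] is not None:
                continue
            labels[j] = cluster
            if len(neigh[j]) >= min_pts:  # only core points keep expanding the cluster
                stack.extend(neigh[j])
        cluster += 1
    return labels


def largest_cluster(labels):
    clusters = [c for c in set(labels) if c != -1]
    return max(clusters, key=labels.count) if clusters else None


def subspace_partitions(flows, features, eps=0.2, min_pts=3):
    """Cluster every 2-D feature sub-space on its own: one 'outlook' per pair."""
    norm = normalize(flows, features)
    return [((fa, fb), [(p[fa], p[fb]) for p in norm], None) for fa, fb in combinations(features, 2)] and [
        ((fa, fb), pts, dbscan(pts, eps, min_pts))
        for (fa, fb), pts, _ in [((a, b), [(p[a], p[b]) for p in norm], None) for a, b in combinations(features, 2)]
    ]


def accumulate_evidence(parts, n):
    """Simplified evidence accumulation (assumed rule): a flow that is noise in a
    sub-space gains the distance to the centroid of that sub-space's largest
    cluster; the evidence sums over all sub-spaces."""
    evidence = [0.0] * n
    for _, pts, labels in parts:
        big = largest_cluster(labels)
        if big is None:
            continue
        members = [pts[i] for i in range(n) if labels[i] == big]
        centroid = tuple(sum(c) / len(members) for c in zip(*members))
        for i in range(n):
            if labels[i] == -1:
                evidence[i] += math.dist(pts[i], centroid)
    return evidence


def flag_anomalies(evidence):
    """Rank by evidence and cut the sorted curve at its largest gap (assumed rule)."""
    if len(evidence) < 2:
        return []
    order = sorted(range(len(evidence)), key=lambda i: -evidence[i])
    gaps = [evidence[order[k]] - evidence[order[k + 1]] for k in range(len(order) - 1)]
    cut = gaps.index(max(gaps)) + 1
    return [i for i in order[:cut] if evidence[i] > 0]


def characterize(idx, flows, parts):
    """Filtering rules for a flagged flow: in every outlook where it was an outlier,
    compare its raw feature values with the range of the largest cluster."""
    rules = set()
    for (fa, fb), _, labels in parts:
        big = largest_cluster(labels)
        if labels[idx] != -1 or big is None:
            continue
        members = [flows[i] for i in range(len(flows)) if labels[i] == big]
        for f in (fa, fb):
            lo, hi = min(m[f] for m in members), max(m[f] for m in members)
            if flows[idx][f] > hi:
                rules.add((f, ">", hi))
            elif flows[idx][f] < lo:
                rules.add((f, "<", lo))
    return rules


def detect(flows=FLOWS, features=FEATURES):
    parts = subspace_partitions(flows, features)
    evidence = accumulate_evidence(parts, len(flows))
    flagged = flag_anomalies(evidence)
    return flagged, evidence, {i: characterize(i, flows, parts) for i in flagged}


if __name__ == "__main__":
    flagged, evidence, rules = detect()
    for i in flagged:
        print(f"flow {i}: evidence={evidence[i]:.2f} rules={sorted(rules[i])}")
```

On this constructed input only the last flow is flagged: the bulk transfer (index 8) is an outlier in the two outlooks that involve packet size, but its accumulated evidence stays well below the anomalous flow's, which is noise in all three sub-spaces, so the largest-gap cut leaves it alone. The rules returned for the flagged flow (for example `n_dst_ports > 3` and `avg_pkt_size < 450`) are the kind of filter description the abstract calls unsupervised characterization.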




Copyright information

© 2011 Springer-Verlag Berlin Heidelberg


Cite this paper

Mazel, J., Casas, P., Owezarski, P. (2011). Sub-Space Clustering and Evidence Accumulation for Unsupervised Network Anomaly Detection. In: Domingo-Pascual, J., Shavitt, Y., Uhlig, S. (eds) Traffic Monitoring and Analysis. TMA 2011. Lecture Notes in Computer Science, vol 6613. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-20305-3_2


  • DOI: https://doi.org/10.1007/978-3-642-20305-3_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-20304-6

  • Online ISBN: 978-3-642-20305-3
