
Unsupervised Clustering Approach for Network Anomaly Detection

Conference paper, Networked Digital Technologies (NDT 2012)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 293)


Abstract

This paper describes the advantages of the anomaly detection approach over the misuse detection technique for detecting unknown network intrusions or attacks. It also investigates the performance of various clustering algorithms when applied to anomaly detection. Five different algorithms are used: k-Means, improved k-Means, k-Medoids, EM clustering and distance-based outlier detection. Our experiment shows that misuse detection techniques, implemented with four different classifiers (naïve Bayes, rule induction, decision tree and nearest neighbour), failed on network traffic containing a large number of unknown intrusions: the highest accuracy was only 63.97% and the lowest false positive rate was 17.90%. On the other hand, the anomaly detection module showed promising results, with the distance-based outlier detection algorithm outperforming the other algorithms at an accuracy of 80.15%. The accuracy for EM clustering was 78.06%, for k-Medoids 76.71%, for improved k-Means 65.40% and for k-Means 57.81%. Unfortunately, our anomaly detection module produces a high false positive rate (more than 20%) for all four clustering algorithms. Therefore, our future work will focus on reducing the false positive rate and improving the accuracy using more advanced machine learning techniques.




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

Cite this paper

Syarif, I., Prugel-Bennett, A., Wills, G. (2012). Unsupervised Clustering Approach for Network Anomaly Detection. In: Benlamri, R. (eds) Networked Digital Technologies. NDT 2012. Communications in Computer and Information Science, vol 293. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30507-8_13

  • DOI: https://doi.org/10.1007/978-3-642-30507-8_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-30506-1

  • Online ISBN: 978-3-642-30507-8
