An anomaly intrusion detection method by clustering normal user behavior

Sang Hyun Oh, Won Suk Lee

Research output: Contribution to journal, Comment/debate

82 Citations (Scopus)

Abstract

For detecting an intrusion based on anomalies in a user's activities, previous work has concentrated on statistical techniques or frequent episode mining to analyze an audit data set. However, since these mainly model the average behavior of a user's activities, some anomalies can be detected inaccurately. This paper proposes an anomaly detection method that uses a clustering algorithm to model the normal behavior of a user's activities on a host. Since clustering can identify an arbitrary number of dense ranges in an analysis domain, it can eliminate the inaccuracy caused by statistical analysis of the average alone, and consequently can model the frequent activities of a user more accurately than statistical analysis does. The common knowledge of activities in a user's transactions is represented by the occurrence frequency of similar activities per transaction as well as the repetitive ratio of similar activities within each transaction. The proposed method also addresses how to maintain the identified common knowledge as a concise profile. Furthermore, the paper addresses the selection of good features that can improve the detection rate of anomalous behavior in an online transaction.
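The core argument of the abstract, that a profile built from dense ranges catches anomalies an average-based profile cannot, can be shown on constructed data. The block below is an added illustration, not the paper's algorithm or code: a simple one-dimensional gap-based clustering stands in for whatever clustering algorithm the paper uses, the two features (occurrence count of a similar activity per transaction and its repetitive ratio within the transaction) follow the abstract's description, and the training sessions, the `GAP` and `SLACK` thresholds, and the z-score baseline are all illustrative choices of this example.

```python
"""Added example: per-feature dense ranges as a concise user profile,
compared with a mean/stddev ('average behavior') baseline.
Not the paper's code; clustering and thresholds are illustrative."""
from statistics import mean, pstdev

# Constructed training transactions (login sessions) for one user.
# "count": how often a similar activity (say, a privileged command) occurred
# in the session; "ratio": that count divided by all activities in it.
# Deliberately bimodal: short sessions (~2) and long admin sessions (~20),
# with nothing observed in between.
TRAIN = [
    {"count": 1, "ratio": 0.10}, {"count": 2, "ratio": 0.12},
    {"count": 2, "ratio": 0.15}, {"count": 3, "ratio": 0.11},
    {"count": 2, "ratio": 0.14}, {"count": 1, "ratio": 0.09},
    {"count": 3, "ratio": 0.13}, {"count": 2, "ratio": 0.10},
    {"count": 19, "ratio": 0.40}, {"count": 20, "ratio": 0.42},
    {"count": 21, "ratio": 0.38}, {"count": 20, "ratio": 0.41},
    {"count": 22, "ratio": 0.39}, {"count": 19, "ratio": 0.43},
    {"count": 20, "ratio": 0.40}, {"count": 21, "ratio": 0.41},
]

GAP = {"count": 3, "ratio": 0.08}     # assumed: split clusters at this gap
SLACK = {"count": 1, "ratio": 0.03}   # assumed: tolerance around a range


def dense_ranges(values, gap, min_support=3):
    """One-dimensional density clustering: sort the values, start a new
    cluster wherever two consecutive values are more than `gap` apart,
    and keep only clusters with at least `min_support` members.
    Returns a list of (low, high) dense ranges."""
    xs = sorted(values)
    clusters, current = [], [xs[0]]
    for prev, nxt in zip(xs, xs[1:]):
        if nxt - prev > gap:
            clusters.append(current)
            current = []
        current.append(nxt)
    clusters.append(current)
    return [(c[0], c[-1]) for c in clusters if len(c) >= min_support]


def build_profile(transactions):
    """Concise profile: per feature, only the dense ranges are stored,
    not the raw transactions."""
    return {f: dense_ranges([t[f] for t in transactions], GAP[f]) for f in GAP}


def out_of_profile(tx, profile):
    """Names of the features of tx that fall outside every dense range
    (widened by SLACK). Empty list means the transaction looks normal."""
    flagged = []
    for f, ranges in profile.items():
        x = tx[f]
        if not any(lo - SLACK[f] <= x <= hi + SLACK[f] for lo, hi in ranges):
            flagged.append(f)
    return flagged


def is_anomalous(tx, profile):
    return bool(out_of_profile(tx, profile))


def zscore_flags(tx, transactions, threshold=2.0):
    """Baseline that models only the average: a feature is flagged when it
    lies more than `threshold` standard deviations from the sample mean."""
    flagged = []
    for f in GAP:
        vals = [t[f] for t in transactions]
        mu, sd = mean(vals), pstdev(vals)
        if sd and abs(tx[f] - mu) / sd > threshold:
            flagged.append(f)
    return flagged


PROFILE = build_profile(TRAIN)

if __name__ == "__main__":
    probes = [
        {"count": 2, "ratio": 0.12},   # typical short session
        {"count": 11, "ratio": 0.25},  # sits in the gap: never observed
        {"count": 60, "ratio": 0.90},  # extreme by any measure
    ]
    for tx in probes:
        print(tx, "cluster flags:", out_of_profile(tx, PROFILE),
              "z-score flags:", zscore_flags(tx, TRAIN))
```

The middle probe is the point: its count of 11 is almost exactly the sample mean, so the z-score baseline sees nothing unusual, while the dense-range profile flags both features because the user has never produced a session like it. Two caveats a practitioner should keep in mind: a per-feature profile like this one cannot see cross-feature oddities (a session with a normal count but an unusual ratio for that count passes), and the gap and support thresholds must be chosen against the user's own data, since too small a gap fragments normal behavior into many ranges and too large a gap collapses back toward the single-average model the paper argues against.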

Original language: English
Pages (from-to): 596-612
Number of pages: 17
Journal: Computers and Security
Volume: 22
Issue number: 7
DOI: 10.1016/S0167-4048(03)00710-7
Publication status: Published - 2003 Jan 1

Fingerprint

Intrusion detection
Statistical methods
transaction
Clustering algorithms
common knowledge
statistical analysis
audit

All Science Journal Classification (ASJC) codes

  • Computer Science (all)
  • Law

Cite this

@article{4818124606de49d0a075f303da6cfdbf,
title = "An anomaly intrusion detection method by clustering normal user behavior",
abstract = "For detecting an intrusion based on the anomaly of a user's activities, previous works are concentrated on statistical techniques or frequent episode mining in order to analyze an audit data set. However, since they mainly analyze the average behavior of a user's activities, some anomalies can be detected inaccurately. This paper proposes an anomaly detection method which utilizes a clustering algorithm for modeling the normal behavior of a user's activities in a host. Since clustering can identify an arbitrary number of dense ranges in an analysis domain, it can eliminate the inaccuracy caused by statistical analysis. Consequently, it can model the frequent activities of a user more accurately than the statistical analysis does. The common knowledge of activities in the transactions of a user is represented by the occurrence frequency of similar activities by the unit of a transaction as well as the repetitive ratio of similar activities in each transaction. The proposed method also addresses how to maintain identified common knowledge as a concise profile. Furthermore, this paper addresses the selection of good features that can improve the detection rate of anomalous behavior in an on-line transaction.",
author = "Oh, {Sang Hyun} and Lee, {Won Suk}",
year = "2003",
month = "1",
day = "1",
doi = "10.1016/S0167-4048(03)00710-7",
language = "English",
volume = "22",
pages = "596--612",
journal = "Computers and Security",
issn = "0167-4048",
publisher = "Elsevier Limited",
number = "7",

}

An anomaly intrusion detection method by clustering normal user behavior. / Oh, Sang Hyun; Lee, Won Suk.

In: Computers and Security, Vol. 22, No. 7, 01.01.2003, p. 596-612.

Research output: Contribution to journal, Comment/debate

TY - JOUR

T1 - An anomaly intrusion detection method by clustering normal user behavior

AU - Oh, Sang Hyun

AU - Lee, Won Suk

PY - 2003/1/1

Y1 - 2003/1/1

N2 - For detecting an intrusion based on the anomaly of a user's activities, previous works are concentrated on statistical techniques or frequent episode mining in order to analyze an audit data set. However, since they mainly analyze the average behavior of a user's activities, some anomalies can be detected inaccurately. This paper proposes an anomaly detection method which utilizes a clustering algorithm for modeling the normal behavior of a user's activities in a host. Since clustering can identify an arbitrary number of dense ranges in an analysis domain, it can eliminate the inaccuracy caused by statistical analysis. Consequently, it can model the frequent activities of a user more accurately than the statistical analysis does. The common knowledge of activities in the transactions of a user is represented by the occurrence frequency of similar activities by the unit of a transaction as well as the repetitive ratio of similar activities in each transaction. The proposed method also addresses how to maintain identified common knowledge as a concise profile. Furthermore, this paper addresses the selection of good features that can improve the detection rate of anomalous behavior in an on-line transaction.

AB - For detecting an intrusion based on the anomaly of a user's activities, previous works are concentrated on statistical techniques or frequent episode mining in order to analyze an audit data set. However, since they mainly analyze the average behavior of a user's activities, some anomalies can be detected inaccurately. This paper proposes an anomaly detection method which utilizes a clustering algorithm for modeling the normal behavior of a user's activities in a host. Since clustering can identify an arbitrary number of dense ranges in an analysis domain, it can eliminate the inaccuracy caused by statistical analysis. Consequently, it can model the frequent activities of a user more accurately than the statistical analysis does. The common knowledge of activities in the transactions of a user is represented by the occurrence frequency of similar activities by the unit of a transaction as well as the repetitive ratio of similar activities in each transaction. The proposed method also addresses how to maintain identified common knowledge as a concise profile. Furthermore, this paper addresses the selection of good features that can improve the detection rate of anomalous behavior in an on-line transaction.

UR - http://www.scopus.com/inward/record.url?scp=0242468747&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=0242468747&partnerID=8YFLogxK

U2 - 10.1016/S0167-4048(03)00710-7

DO - 10.1016/S0167-4048(03)00710-7

M3 - Comment/debate

AN - SCOPUS:0242468747

VL - 22

SP - 596

EP - 612

JO - Computers and Security

JF - Computers and Security

SN - 0167-4048

IS - 7

ER -