Anomaly intrusion detection based on clustering a data stream

Sang Hyun Oh; Jin Suk Kang; Yung Cheol Byun; Taikyeong T. Jeong; Won Suk Lee

doi:10.1007/11836810_30

Anomaly intrusion detection based on clustering a data stream

Sang Hyun Oh, Jin Suk Kang, Yung Cheol Byun, Taikyeong T. Jeong, Won Suk Lee

Department of Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

In anomaly intrusion detection, how to model the normal behavior of activities performed by a user is an important issue. To extract the normal behavior as a profile, conventional data mining techniques are widely applied to a finite audit data set. However, these approaches can only model the static behavior of a user in the audit data set. This drawback can be overcome by viewing the continuous activities of a user as an audit data stream. This paper proposes a new clustering algorithm which continuously models a data stream. A set of features is used to represent the characteristics of an activity. For each feature, the clusters of feature values corresponding to activities observed so far in an audit data stream are identified by the proposed clustering algorithm for data streams. As a result, without maintaining any historical activity of a user physically, new activities of the user can be continuously reflected to the ongoing result of clustering.

Original language	English
Title of host publication	Information Security - 9th International Conference, ISC 2006, Proceedings
Publisher	Springer Verlag
Pages	415-426
Number of pages	12
ISBN (Print)	3540383417, 9783540383413
DOIs	https://doi.org/10.1007/11836810_30
Publication status	Published - 2006
Event	9th International Information Security Conference, ISC 2006 - Samos Island, Greece Duration: 2006 Aug 30 → 2006 Sep 2

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	4176 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	9th International Information Security Conference, ISC 2006
Country	Greece
City	Samos Island
Period	06/8/30 → 06/9/2

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/11836810_30

Fingerprint Dive into the research topics of 'Anomaly intrusion detection based on clustering a data stream'. Together they form a unique fingerprint.

Cite this

Oh, S. H., Kang, J. S., Byun, Y. C., Jeong, T. T., & Lee, W. S. (2006). Anomaly intrusion detection based on clustering a data stream. In Information Security - 9th International Conference, ISC 2006, Proceedings (pp. 415-426). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4176 LNCS). Springer Verlag. https://doi.org/10.1007/11836810_30

Oh, Sang Hyun ; Kang, Jin Suk ; Byun, Yung Cheol ; Jeong, Taikyeong T. ; Lee, Won Suk. / Anomaly intrusion detection based on clustering a data stream. Information Security - 9th International Conference, ISC 2006, Proceedings. Springer Verlag, 2006. pp. 415-426 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{8bb6cd4f73b0472cbc53aac4d626816b,

title = "Anomaly intrusion detection based on clustering a data stream",

abstract = "In anomaly intrusion detection, how to model the normal behavior of activities performed by a user is an important issue. To extract the normal behavior as a profile, conventional data mining techniques are widely applied to a finite audit data set. However, these approaches can only model the static behavior of a user in the audit data set. This drawback can be overcome by viewing the continuous activities of a user as an audit data stream. This paper proposes a new clustering algorithm which continuously models a data stream. A set of features is used to represent the characteristics of an activity. For each feature, the clusters of feature values corresponding to activities observed so far in an audit data stream are identified by the proposed clustering algorithm for data streams. As a result, without maintaining any historical activity of a user physically, new activities of the user can be continuously reflected to the ongoing result of clustering.",

author = "Oh, {Sang Hyun} and Kang, {Jin Suk} and Byun, {Yung Cheol} and Jeong, {Taikyeong T.} and Lee, {Won Suk}",

year = "2006",

doi = "10.1007/11836810_30",

language = "English",

isbn = "3540383417",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "415--426",

booktitle = "Information Security - 9th International Conference, ISC 2006, Proceedings",

address = "Germany",

note = "9th International Information Security Conference, ISC 2006 ; Conference date: 30-08-2006 Through 02-09-2006",

}

Oh, SH, Kang, JS, Byun, YC, Jeong, TT & Lee, WS 2006, Anomaly intrusion detection based on clustering a data stream. in Information Security - 9th International Conference, ISC 2006, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 4176 LNCS, Springer Verlag, pp. 415-426, 9th International Information Security Conference, ISC 2006, Samos Island, Greece, 06/8/30. https://doi.org/10.1007/11836810_30

Anomaly intrusion detection based on clustering a data stream. / Oh, Sang Hyun; Kang, Jin Suk; Byun, Yung Cheol; Jeong, Taikyeong T.; Lee, Won Suk.

Information Security - 9th International Conference, ISC 2006, Proceedings. Springer Verlag, 2006. p. 415-426 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4176 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Anomaly intrusion detection based on clustering a data stream

AU - Oh, Sang Hyun

AU - Kang, Jin Suk

AU - Byun, Yung Cheol

AU - Jeong, Taikyeong T.

AU - Lee, Won Suk

PY - 2006

Y1 - 2006

N2 - In anomaly intrusion detection, how to model the normal behavior of activities performed by a user is an important issue. To extract the normal behavior as a profile, conventional data mining techniques are widely applied to a finite audit data set. However, these approaches can only model the static behavior of a user in the audit data set. This drawback can be overcome by viewing the continuous activities of a user as an audit data stream. This paper proposes a new clustering algorithm which continuously models a data stream. A set of features is used to represent the characteristics of an activity. For each feature, the clusters of feature values corresponding to activities observed so far in an audit data stream are identified by the proposed clustering algorithm for data streams. As a result, without maintaining any historical activity of a user physically, new activities of the user can be continuously reflected to the ongoing result of clustering.

AB - In anomaly intrusion detection, how to model the normal behavior of activities performed by a user is an important issue. To extract the normal behavior as a profile, conventional data mining techniques are widely applied to a finite audit data set. However, these approaches can only model the static behavior of a user in the audit data set. This drawback can be overcome by viewing the continuous activities of a user as an audit data stream. This paper proposes a new clustering algorithm which continuously models a data stream. A set of features is used to represent the characteristics of an activity. For each feature, the clusters of feature values corresponding to activities observed so far in an audit data stream are identified by the proposed clustering algorithm for data streams. As a result, without maintaining any historical activity of a user physically, new activities of the user can be continuously reflected to the ongoing result of clustering.

UR - http://www.scopus.com/inward/record.url?scp=33750230278&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33750230278&partnerID=8YFLogxK

U2 - 10.1007/11836810_30

DO - 10.1007/11836810_30

M3 - Conference contribution

AN - SCOPUS:33750230278

SN - 3540383417

SN - 9783540383413

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 415

EP - 426

BT - Information Security - 9th International Conference, ISC 2006, Proceedings

PB - Springer Verlag

T2 - 9th International Information Security Conference, ISC 2006

Y2 - 30 August 2006 through 2 September 2006

ER -

Oh SH, Kang JS, Byun YC, Jeong TT, Lee WS. Anomaly intrusion detection based on clustering a data stream. In Information Security - 9th International Conference, ISC 2006, Proceedings. Springer Verlag. 2006. p. 415-426. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/11836810_30