Abstract
In anomaly intrusion detection, how to model the normal behavior of activities performed by a user is an important issue. To extract the normal behavior as a profile, conventional data mining techniques are widely applied to a finite audit data set. However, these approaches can only model the static behavior of a user in the audit data set. This drawback can be overcome by viewing the continuous activities of a user as an audit data stream. This paper proposes a new clustering algorithm which continuously models a data stream. A set of features is used to represent the characteristics of an activity. For each feature, the clusters of feature values corresponding to activities observed so far in an audit data stream are identified by the proposed clustering algorithm for data streams. As a result, without maintaining any historical activity of a user physically, new activities of the user can be continuously reflected to the ongoing result of clustering.
| Original language | English |
|---|---|
| Title of host publication | Information Security - 9th International Conference, ISC 2006, Proceedings |
| Publisher | Springer Verlag |
| Pages | 415-426 |
| Number of pages | 12 |
| ISBN (Print) | 3540383417, 9783540383413 |
| Publication status | Published - 2006 Jan 1 |
| Event | 9th International Information Security Conference, ISC 2006 - Samos Island, Greece Duration: 2006 Aug 30 → 2006 Sep 2 |
Publication series
| Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
|---|---|
| Volume | 4176 LNCS |
| ISSN (Print) | 0302-9743 |
| ISSN (Electronic) | 1611-3349 |
Other
| Other | 9th International Information Security Conference, ISC 2006 |
|---|---|
| Country | Greece |
| City | Samos Island |
| Period | 06/8/30 → 06/9/2 |
Fingerprint
All Science Journal Classification (ASJC) codes
- Theoretical Computer Science
- Computer Science(all)
Cite this
}
Anomaly intrusion detection based on clustering a data stream. / Oh, Sang Hyun; Kang, Jin Suk; Byun, Yung Cheol; Jeong, Taikyeong T.; Lee, Won Suk.
Information Security - 9th International Conference, ISC 2006, Proceedings. Springer Verlag, 2006. p. 415-426 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4176 LNCS).Research output: Chapter in Book/Report/Conference proceeding › Conference contribution
TY - GEN
T1 - Anomaly intrusion detection based on clustering a data stream
AU - Oh, Sang Hyun
AU - Kang, Jin Suk
AU - Byun, Yung Cheol
AU - Jeong, Taikyeong T.
AU - Lee, Won Suk
PY - 2006/1/1
Y1 - 2006/1/1
N2 - In anomaly intrusion detection, how to model the normal behavior of activities performed by a user is an important issue. To extract the normal behavior as a profile, conventional data mining techniques are widely applied to a finite audit data set. However, these approaches can only model the static behavior of a user in the audit data set. This drawback can be overcome by viewing the continuous activities of a user as an audit data stream. This paper proposes a new clustering algorithm which continuously models a data stream. A set of features is used to represent the characteristics of an activity. For each feature, the clusters of feature values corresponding to activities observed so far in an audit data stream are identified by the proposed clustering algorithm for data streams. As a result, without maintaining any historical activity of a user physically, new activities of the user can be continuously reflected to the ongoing result of clustering.
AB - In anomaly intrusion detection, how to model the normal behavior of activities performed by a user is an important issue. To extract the normal behavior as a profile, conventional data mining techniques are widely applied to a finite audit data set. However, these approaches can only model the static behavior of a user in the audit data set. This drawback can be overcome by viewing the continuous activities of a user as an audit data stream. This paper proposes a new clustering algorithm which continuously models a data stream. A set of features is used to represent the characteristics of an activity. For each feature, the clusters of feature values corresponding to activities observed so far in an audit data stream are identified by the proposed clustering algorithm for data streams. As a result, without maintaining any historical activity of a user physically, new activities of the user can be continuously reflected to the ongoing result of clustering.
UR - http://www.scopus.com/inward/record.url?scp=33750230278&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=33750230278&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:33750230278
SN - 3540383417
SN - 9783540383413
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 415
EP - 426
BT - Information Security - 9th International Conference, ISC 2006, Proceedings
PB - Springer Verlag
ER -