Anomaly intrusion detection based on clustering a data stream

Sang Hyun Oh, Jin Suk Kang, Yung Cheol Byun, Taikyeong T. Jeong, Won Suk Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

In anomaly intrusion detection, how to model the normal behavior of the activities performed by a user is an important issue. To extract the normal behavior as a profile, conventional data mining techniques are widely applied to a finite audit data set. However, these approaches can only model the static behavior of a user within that audit data set. This drawback can be overcome by viewing the continuous activities of a user as an audit data stream. This paper proposes a new clustering algorithm that continuously models a data stream. A set of features is used to represent the characteristics of an activity. For each feature, the clusters of feature values corresponding to the activities observed so far in the audit data stream are identified by the proposed clustering algorithm for data streams. As a result, new activities of the user can be continuously reflected in the ongoing clustering result without physically maintaining any historical activity of that user.

Original language: English
Title of host publication: Information Security - 9th International Conference, ISC 2006, Proceedings
Publisher: Springer Verlag
Pages: 415-426
Number of pages: 12
ISBN (Print): 3540383417, 9783540383413
Publication status: Published - 2006 Jan 1
Event: 9th International Information Security Conference, ISC 2006 - Samos Island, Greece
Duration: 2006 Aug 30 to 2006 Sep 2

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 4176 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 9th International Information Security Conference, ISC 2006
Country: Greece
City: Samos Island
Period: 06/8/30 to 06/9/2

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science (all)

Cite this

Oh, S. H., Kang, J. S., Byun, Y. C., Jeong, T. T., & Lee, W. S. (2006). Anomaly intrusion detection based on clustering a data stream. In Information Security - 9th International Conference, ISC 2006, Proceedings (pp. 415-426). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4176 LNCS). Springer Verlag.
@inproceedings{8bb6cd4f73b0472cbc53aac4d626816b,
title = "Anomaly intrusion detection based on clustering a data stream",
abstract = "In anomaly intrusion detection, how to model the normal behavior of activities performed by a user is an important issue. To extract the normal behavior as a profile, conventional data mining techniques are widely applied to a finite audit data set. However, these approaches can only model the static behavior of a user in the audit data set. This drawback can be overcome by viewing the continuous activities of a user as an audit data stream. This paper proposes a new clustering algorithm which continuously models a data stream. A set of features is used to represent the characteristics of an activity. For each feature, the clusters of feature values corresponding to activities observed so far in an audit data stream are identified by the proposed clustering algorithm for data streams. As a result, without maintaining any historical activity of a user physically, new activities of the user can be continuously reflected to the ongoing result of clustering.",
author = "Oh, {Sang Hyun} and Kang, {Jin Suk} and Byun, {Yung Cheol} and Jeong, {Taikyeong T.} and Lee, {Won Suk}",
year = "2006",
month = "1",
day = "1",
language = "English",
isbn = "3540383417",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer Verlag",
pages = "415--426",
booktitle = "Information Security - 9th International Conference, ISC 2006, Proceedings",
address = "Germany",
}