A Survey of Distance and Similarity Measures Used Within Network Intrusion Anomaly Detection

David J. Weller-Fahy, Brett J. Borghetti, Angela A. Sodemann

Research output: Contribution to journalReview article

85 Scopus citations

Abstract

Anomaly detection (AD) use within the network intrusion detection field of research, or network intrusion AD (NIAD), is dependent on the proper use of similarity and distance measures, but the measures used are often not documented in published research. As a result, while the body of NIAD research has grown extensively, knowledge of the utility of similarity and distance measures within the field has not grown correspondingly. NIAD research covers a myriad of domains and employs a diverse array of techniques from simple k-means clustering through advanced multiagent distributed AD systems. This review presents an overview of the use of similarity and distance measures within NIAD research. The analysis provides a theoretical background in distance measures and a discussion of various types of distance measures and their uses. Exemplary uses of distance measures in published research are presented, as is the overall state of the distance measure rigor in the field. Finally, areas that require further focus on improving the distance measure rigor in the NIAD field are presented.

Original languageEnglish (US)
Article number6853338
Pages (from-to)70-91
Number of pages22
JournalIEEE Communications Surveys and Tutorials
Volume17
Issue number1
DOIs
StatePublished - Jan 1 2015

Keywords

  • Computer networks
  • anomaly detection
  • distance measurement
  • intrusion detection
  • machine learning

ASJC Scopus subject areas

  • Electrical and Electronic Engineering

Fingerprint Dive into the research topics of 'A Survey of Distance and Similarity Measures Used Within Network Intrusion Anomaly Detection'. Together they form a unique fingerprint.

  • Cite this