A Survey of Distance and Similarity Measures Used Within Network Intrusion Anomaly Detection

David J. Weller-Fahy, Brett J. Borghetti, Angela Sodemann

    Research output: Contribution to journal (Article)

    64 Citations (Scopus)

    Abstract

    Anomaly detection (AD) use within the network intrusion detection field of research, or network intrusion AD (NIAD), is dependent on the proper use of similarity and distance measures, but the measures used are often not documented in published research. As a result, while the body of NIAD research has grown extensively, knowledge of the utility of similarity and distance measures within the field has not grown correspondingly. NIAD research covers a myriad of domains and employs a diverse array of techniques from simple k-means clustering through advanced multiagent distributed AD systems. This review presents an overview of the use of similarity and distance measures within NIAD research. The analysis provides a theoretical background in distance measures and a discussion of various types of distance measures and their uses. Exemplary uses of distance measures in published research are presented, as is the overall state of the distance measure rigor in the field. Finally, areas that require further focus on improving the distance measure rigor in the NIAD field are presented.

    Original language: English (US)
    Article number: 6853338
    Pages (from-to): 70-91
    Number of pages: 22
    Journal: IEEE Communications Surveys and Tutorials
    Volume: 17
    Issue number: 1
    DOI: 10.1109/COMST.2014.2336610
    State: Published - Jan 1 2015

    Fingerprint

    Intrusion detection

    Keywords

    • anomaly detection
    • Computer networks
    • distance measurement
    • intrusion detection
    • machine learning

    ASJC Scopus subject areas

    • Electrical and Electronic Engineering

    Cite this

    A Survey of Distance and Similarity Measures Used Within Network Intrusion Anomaly Detection. / Weller-Fahy, David J.; Borghetti, Brett J.; Sodemann, Angela.

    In: IEEE Communications Surveys and Tutorials, Vol. 17, No. 1, 6853338, 01.01.2015, p. 70-91.

    Weller-Fahy, David J. ; Borghetti, Brett J. ; Sodemann, Angela. / A Survey of Distance and Similarity Measures Used Within Network Intrusion Anomaly Detection. In: IEEE Communications Surveys and Tutorials. 2015 ; Vol. 17, No. 1. pp. 70-91.
    @article{fa91aec7eb4e4014960341a66042f478,
    title = "A Survey of Distance and Similarity Measures Used Within Network Intrusion Anomaly Detection",
    keywords = "anomaly detection, Computer networks, distance measurement, intrusion detection, machine learning",
    author = "Weller-Fahy, {David J.} and Borghetti, {Brett J.} and Angela Sodemann",
    year = "2015",
    month = "1",
    day = "1",
    doi = "10.1109/COMST.2014.2336610",
    language = "English (US)",
    volume = "17",
    pages = "70--91",
    journal = "IEEE Communications Surveys and Tutorials",
    issn = "1553-877X",
    publisher = "Institute of Electrical and Electronics Engineers Inc.",
    number = "1",

    }

    TY - JOUR

    T1 - A Survey of Distance and Similarity Measures Used Within Network Intrusion Anomaly Detection

    AU - Weller-Fahy, David J.

    AU - Borghetti, Brett J.

    AU - Sodemann, Angela

    PY - 2015/1/1

    Y1 - 2015/1/1

    KW - anomaly detection

    KW - Computer networks

    KW - distance measurement

    KW - intrusion detection

    KW - machine learning

    UR - http://www.scopus.com/inward/record.url?scp=84925843430&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=84925843430&partnerID=8YFLogxK

    U2 - 10.1109/COMST.2014.2336610

    DO - 10.1109/COMST.2014.2336610

    M3 - Article

    VL - 17

    SP - 70

    EP - 91

    JO - IEEE Communications Surveys and Tutorials

    JF - IEEE Communications Surveys and Tutorials

    SN - 1553-877X

    IS - 1

    M1 - 6853338

    ER -