Grid- and dummy-cluster-based learning of normal and intrusive clusters for computer intrusion detection

Xiangyang Li; Nong Ye

doi:10.1002/qre.477

Grid- and dummy-cluster-based learning of normal and intrusive clusters for computer intrusion detection

Xiangyang Li, Nong Ye

Industrial, Systems and Operations Engineering

Research output: Contribution to journal › Article › peer-review

21 Scopus citations

Abstract

As an important part of information security, computer intrusion detection aims at capturing intrusive activities occurring in computer and network systems. Many existing signature recognition techniques for intrusion detection cannot handle huge amounts of complex data from computer and network systems to detect intrusions in a scalable, incremental manner. This paper presents an application of an innovative data-mining algorithm - CCAS - to intrusion detection through intrusion signature recognition. CCAS provides a scalable, incremental procedure to learn clusters of different classes (i.e. normal and intrusive classes) from historic training data of normal and intrusive activities in computer and network systems. These clusters of normal and intrusive computer activities are used to classify observed data of computer activities for intrusion detection. Two different methods of learning clusters are developed, tested and compared: grid based and dummy-cluster based. Training and testing data are computer audit data produced by the Basic Security Module of a Solaris operating system to record activities in a UNIX-based host machine. The two methods of CCAS are tested using four different input orders of training data points to examine the robustness (sensitivity) of these methods to the input order of training data points. The detection performance and robustness of both CCAS methods are analyzed. The testing results show that different input orders of training data have a certain impact on the performance of both methods. The impact on the performance of CCAS based on dummy clusters is more significant when all normal data are presented first, before attack data in the training data set. CCAS based on dummy clusters produces a better performance than grid-based CCAS for three of the four input orders, and in overall produces fewer clusters and thus requires less computation time in clustering and classification for intrusion detection.

Original language	English (US)
Pages (from-to)	231-242
Number of pages	12
Journal	Quality and Reliability Engineering International
Volume	18
Issue number	3
DOIs	https://doi.org/10.1002/qre.477
State	Published - May 2002

Keywords

Clustering
Computer security
Data mining
Intrusion detection
Signature recognition

ASJC Scopus subject areas

Safety, Risk, Reliability and Quality
Management Science and Operations Research

Access to Document

10.1002/qre.477

Cite this

@article{75eaddc903334b55bbf1df14fe188030,

title = "Grid- and dummy-cluster-based learning of normal and intrusive clusters for computer intrusion detection",

abstract = "As an important part of information security, computer intrusion detection aims at capturing intrusive activities occurring in computer and network systems. Many existing signature recognition techniques for intrusion detection cannot handle huge amounts of complex data from computer and network systems to detect intrusions in a scalable, incremental manner. This paper presents an application of an innovative data-mining algorithm - CCAS - to intrusion detection through intrusion signature recognition. CCAS provides a scalable, incremental procedure to learn clusters of different classes (i.e. normal and intrusive classes) from historic training data of normal and intrusive activities in computer and network systems. These clusters of normal and intrusive computer activities are used to classify observed data of computer activities for intrusion detection. Two different methods of learning clusters are developed, tested and compared: grid based and dummy-cluster based. Training and testing data are computer audit data produced by the Basic Security Module of a Solaris operating system to record activities in a UNIX-based host machine. The two methods of CCAS are tested using four different input orders of training data points to examine the robustness (sensitivity) of these methods to the input order of training data points. The detection performance and robustness of both CCAS methods are analyzed. The testing results show that different input orders of training data have a certain impact on the performance of both methods. The impact on the performance of CCAS based on dummy clusters is more significant when all normal data are presented first, before attack data in the training data set. CCAS based on dummy clusters produces a better performance than grid-based CCAS for three of the four input orders, and in overall produces fewer clusters and thus requires less computation time in clustering and classification for intrusion detection.",

keywords = "Clustering, Computer security, Data mining, Intrusion detection, Signature recognition",

author = "Xiangyang Li and Nong Ye",

year = "2002",

month = may,

doi = "10.1002/qre.477",

language = "English (US)",

volume = "18",

pages = "231--242",

journal = "Quality and Reliability Engineering International",

issn = "0748-8017",

publisher = "John Wiley and Sons Ltd",

number = "3",

}

TY - JOUR

T1 - Grid- and dummy-cluster-based learning of normal and intrusive clusters for computer intrusion detection

AU - Li, Xiangyang

AU - Ye, Nong

PY - 2002/5

Y1 - 2002/5

N2 - As an important part of information security, computer intrusion detection aims at capturing intrusive activities occurring in computer and network systems. Many existing signature recognition techniques for intrusion detection cannot handle huge amounts of complex data from computer and network systems to detect intrusions in a scalable, incremental manner. This paper presents an application of an innovative data-mining algorithm - CCAS - to intrusion detection through intrusion signature recognition. CCAS provides a scalable, incremental procedure to learn clusters of different classes (i.e. normal and intrusive classes) from historic training data of normal and intrusive activities in computer and network systems. These clusters of normal and intrusive computer activities are used to classify observed data of computer activities for intrusion detection. Two different methods of learning clusters are developed, tested and compared: grid based and dummy-cluster based. Training and testing data are computer audit data produced by the Basic Security Module of a Solaris operating system to record activities in a UNIX-based host machine. The two methods of CCAS are tested using four different input orders of training data points to examine the robustness (sensitivity) of these methods to the input order of training data points. The detection performance and robustness of both CCAS methods are analyzed. The testing results show that different input orders of training data have a certain impact on the performance of both methods. The impact on the performance of CCAS based on dummy clusters is more significant when all normal data are presented first, before attack data in the training data set. CCAS based on dummy clusters produces a better performance than grid-based CCAS for three of the four input orders, and in overall produces fewer clusters and thus requires less computation time in clustering and classification for intrusion detection.

AB - As an important part of information security, computer intrusion detection aims at capturing intrusive activities occurring in computer and network systems. Many existing signature recognition techniques for intrusion detection cannot handle huge amounts of complex data from computer and network systems to detect intrusions in a scalable, incremental manner. This paper presents an application of an innovative data-mining algorithm - CCAS - to intrusion detection through intrusion signature recognition. CCAS provides a scalable, incremental procedure to learn clusters of different classes (i.e. normal and intrusive classes) from historic training data of normal and intrusive activities in computer and network systems. These clusters of normal and intrusive computer activities are used to classify observed data of computer activities for intrusion detection. Two different methods of learning clusters are developed, tested and compared: grid based and dummy-cluster based. Training and testing data are computer audit data produced by the Basic Security Module of a Solaris operating system to record activities in a UNIX-based host machine. The two methods of CCAS are tested using four different input orders of training data points to examine the robustness (sensitivity) of these methods to the input order of training data points. The detection performance and robustness of both CCAS methods are analyzed. The testing results show that different input orders of training data have a certain impact on the performance of both methods. The impact on the performance of CCAS based on dummy clusters is more significant when all normal data are presented first, before attack data in the training data set. CCAS based on dummy clusters produces a better performance than grid-based CCAS for three of the four input orders, and in overall produces fewer clusters and thus requires less computation time in clustering and classification for intrusion detection.

KW - Clustering

KW - Computer security

KW - Data mining

KW - Intrusion detection

KW - Signature recognition

UR - http://www.scopus.com/inward/record.url?scp=0036575196&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=0036575196&partnerID=8YFLogxK

U2 - 10.1002/qre.477

DO - 10.1002/qre.477

M3 - Article

AN - SCOPUS:0036575196

SN - 0748-8017

VL - 18

SP - 231

EP - 242

JO - Quality and Reliability Engineering International

JF - Quality and Reliability Engineering International

IS - 3

ER -

Grid- and dummy-cluster-based learning of normal and intrusive clusters for computer intrusion detection

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this