Grid- and dummy-cluster-based learning of normal and intrusive clusters for computer intrusion detection

Xiangyang Li, Nong Ye

Research output: Contribution to journalArticle

20 Scopus citations

Abstract

As an important part of information security, computer intrusion detection aims at capturing intrusive activities occurring in computer and network systems. Many existing signature recognition techniques for intrusion detection cannot handle huge amounts of complex data from computer and network systems to detect intrusions in a scalable, incremental manner. This paper presents an application of an innovative data-mining algorithm - CCAS - to intrusion detection through intrusion signature recognition. CCAS provides a scalable, incremental procedure to learn clusters of different classes (i.e. normal and intrusive classes) from historic training data of normal and intrusive activities in computer and network systems. These clusters of normal and intrusive computer activities are used to classify observed data of computer activities for intrusion detection. Two different methods of learning clusters are developed, tested and compared: grid based and dummy-cluster based. Training and testing data are computer audit data produced by the Basic Security Module of a Solaris operating system to record activities in a UNIX-based host machine. The two methods of CCAS are tested using four different input orders of training data points to examine the robustness (sensitivity) of these methods to the input order of training data points. The detection performance and robustness of both CCAS methods are analyzed. The testing results show that different input orders of training data have a certain impact on the performance of both methods. The impact on the performance of CCAS based on dummy clusters is more significant when all normal data are presented first, before attack data in the training data set. CCAS based on dummy clusters produces a better performance than grid-based CCAS for three of the four input orders, and in overall produces fewer clusters and thus requires less computation time in clustering and classification for intrusion detection.

Original languageEnglish (US)
Pages (from-to)231-242
Number of pages12
JournalQuality and Reliability Engineering International
Volume18
Issue number3
DOIs
StatePublished - May 1 2002

Keywords

  • Clustering
  • Computer security
  • Data mining
  • Intrusion detection
  • Signature recognition

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Management Science and Operations Research

Fingerprint Dive into the research topics of 'Grid- and dummy-cluster-based learning of normal and intrusive clusters for computer intrusion detection'. Together they form a unique fingerprint.

  • Cite this