Grid- and dummy-cluster-based learning of normal and intrusive clusters for computer intrusion detection

Xiangyang Li, Nong Ye

Research output: Contribution to journal › Article

20 Citations (Scopus)

Abstract

As an important part of information security, computer intrusion detection aims at capturing intrusive activities occurring in computer and network systems. Many existing signature recognition techniques for intrusion detection cannot handle huge amounts of complex data from computer and network systems to detect intrusions in a scalable, incremental manner. This paper presents an application of an innovative data-mining algorithm, CCAS, to intrusion detection through intrusion signature recognition. CCAS provides a scalable, incremental procedure to learn clusters of different classes (i.e. normal and intrusive classes) from historic training data of normal and intrusive activities in computer and network systems. These clusters of normal and intrusive computer activities are used to classify observed data of computer activities for intrusion detection. Two different methods of learning clusters are developed, tested and compared: grid-based and dummy-cluster-based. Training and testing data are computer audit data produced by the Basic Security Module of a Solaris operating system to record activities in a UNIX-based host machine. The two methods of CCAS are tested using four different input orders of training data points to examine the robustness (sensitivity) of these methods to the input order of training data points. The detection performance and robustness of both CCAS methods are analyzed. The testing results show that different input orders of training data have a certain impact on the performance of both methods. The impact on the performance of CCAS based on dummy clusters is more significant when all normal data are presented first, before attack data in the training data set. CCAS based on dummy clusters produces a better performance than grid-based CCAS for three of the four input orders, and overall produces fewer clusters and thus requires less computation time in clustering and classification for intrusion detection.

Original language: English (US)
Pages (from-to): 231-242
Number of pages: 12
Journal: Quality and Reliability Engineering International
Volume: 18
Issue number: 3
DOI: 10.1002/qre.477
State: Published - May 2002

Fingerprint

  • Intrusion detection
  • UNIX
  • Computer operating systems
  • Testing
  • Security of data
  • Grid
  • Computer networks
  • Data mining
  • Computer systems

Keywords

  • Clustering
  • Computer security
  • Data mining
  • Intrusion detection
  • Signature recognition

ASJC Scopus subject areas

  • Engineering (miscellaneous)
  • Management Science and Operations Research

Cite this

Grid- and dummy-cluster-based learning of normal and intrusive clusters for computer intrusion detection. / Li, Xiangyang; Ye, Nong.

In: Quality and Reliability Engineering International, Vol. 18, No. 3, 05.2002, p. 231-242.

@article{75eaddc903334b55bbf1df14fe188030,
title = "Grid- and dummy-cluster-based learning of normal and intrusive clusters for computer intrusion detection",
abstract = "As an important part of information security, computer intrusion detection aims at capturing intrusive activities occurring in computer and network systems. Many existing signature recognition techniques for intrusion detection cannot handle huge amounts of complex data from computer and network systems to detect intrusions in a scalable, incremental manner. This paper presents an application of an innovative data-mining algorithm - CCAS - to intrusion detection through intrusion signature recognition. CCAS provides a scalable, incremental procedure to learn clusters of different classes (i.e. normal and intrusive classes) from historic training data of normal and intrusive activities in computer and network systems. These clusters of normal and intrusive computer activities are used to classify observed data of computer activities for intrusion detection. Two different methods of learning clusters are developed, tested and compared: grid based and dummy-cluster based. Training and testing data are computer audit data produced by the Basic Security Module of a Solaris operating system to record activities in a UNIX-based host machine. The two methods of CCAS are tested using four different input orders of training data points to examine the robustness (sensitivity) of these methods to the input order of training data points. The detection performance and robustness of both CCAS methods are analyzed. The testing results show that different input orders of training data have a certain impact on the performance of both methods. The impact on the performance of CCAS based on dummy clusters is more significant when all normal data are presented first, before attack data in the training data set. CCAS based on dummy clusters produces a better performance than grid-based CCAS for three of the four input orders, and in overall produces fewer clusters and thus requires less computation time in clustering and classification for intrusion detection.",
keywords = "Clustering, Computer security, Data mining, Intrusion detection, Signature recognition",
author = "Xiangyang Li and Nong Ye",
year = "2002",
month = "5",
doi = "10.1002/qre.477",
language = "English (US)",
volume = "18",
pages = "231--242",
journal = "Quality and Reliability Engineering International",
issn = "0748-8017",
publisher = "John Wiley and Sons Ltd",
number = "3",
}

TY - JOUR

T1 - Grid- and dummy-cluster-based learning of normal and intrusive clusters for computer intrusion detection

AU - Li, Xiangyang

AU - Ye, Nong

PY - 2002/5

Y1 - 2002/5

AB - As an important part of information security, computer intrusion detection aims at capturing intrusive activities occurring in computer and network systems. Many existing signature recognition techniques for intrusion detection cannot handle huge amounts of complex data from computer and network systems to detect intrusions in a scalable, incremental manner. This paper presents an application of an innovative data-mining algorithm - CCAS - to intrusion detection through intrusion signature recognition. CCAS provides a scalable, incremental procedure to learn clusters of different classes (i.e. normal and intrusive classes) from historic training data of normal and intrusive activities in computer and network systems. These clusters of normal and intrusive computer activities are used to classify observed data of computer activities for intrusion detection. Two different methods of learning clusters are developed, tested and compared: grid based and dummy-cluster based. Training and testing data are computer audit data produced by the Basic Security Module of a Solaris operating system to record activities in a UNIX-based host machine. The two methods of CCAS are tested using four different input orders of training data points to examine the robustness (sensitivity) of these methods to the input order of training data points. The detection performance and robustness of both CCAS methods are analyzed. The testing results show that different input orders of training data have a certain impact on the performance of both methods. The impact on the performance of CCAS based on dummy clusters is more significant when all normal data are presented first, before attack data in the training data set. CCAS based on dummy clusters produces a better performance than grid-based CCAS for three of the four input orders, and in overall produces fewer clusters and thus requires less computation time in clustering and classification for intrusion detection.

KW - Clustering

KW - Computer security

KW - Data mining

KW - Intrusion detection

KW - Signature recognition

UR - http://www.scopus.com/inward/record.url?scp=0036575196&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=0036575196&partnerID=8YFLogxK

U2 - 10.1002/qre.477

DO - 10.1002/qre.477

M3 - Article

AN - SCOPUS:0036575196

VL - 18

SP - 231

EP - 242

JO - Quality and Reliability Engineering International

JF - Quality and Reliability Engineering International

SN - 0748-8017

IS - 3

ER -