An anomaly intrusion detection method using the CSI-KNN algorithm

Kuang, Liwei; Zulkernine, Mohammad

doi:10.1145/1363686.1363897

Cited by 60 publications

(30 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…It can be found by comparison that the detection performance can achieve a better effect if when the value of K is taken close to 8-10. PSO-KM [9] 86 2.8 -SOM [10] 91.5 14.5 -CSI-KNN [11] 91.4 2.6 92.5…”

Section: Experiments and Results Analysismentioning

confidence: 99%

Research on the Intrusion Detection Method Based on Differentiated Cluster Center Offset Measure

Chen

Nian

2017

MATEC Web Conf.

View full text Add to dashboard Cite

Abstract. In this paper, a kind of local outlier mining method based on differentiated cluster center offset measure is proposed through which the outlier degree of sample can be calculated by use of the normal behavior model constructed by normal data sample and the preset anomaly threshold value, and whether the testing sample belong to intrusion behavior can thus be determined. Furthermore, KDD99 data set is also utilized to test the said method, and the experimental results show that the method proposed in this paper possesses higher detection rate and lower false alarm rate. Key words: Intrusion detection; Anomaly detection; Outlier mining; Cluster center offset OverviewEssentially, the intrusion detection is a classification problem, and the to-be-detected host audit records or network traffic data can be classified as normal behavior or intrusion behavior [1]. Depending on different detection methods, the intrusion detections can be divided into two categories, i.e. anomaly detection and misuse detection. The local outlier mining method studied in this paper belongs to one of such anomaly detection methods.The hypothesis of anomaly detection is that the intruder activity is anomalous to the activity of normal subject [2]. The activity profile of normal activity of the subject can be established according to this concept, and comparisons can be made between the activity status of current subject and the activity profile. When the statistical law is violated, the activity may be considered as an intrusion. The difficult problem for anomaly detection is how to establish the activity profile of normal activity and how to design the statistical algorithm, so that normal operations are not considered as intrusion or the real intrusion behavior are not neglected.Outlier mining technology is very suitable for the completion of anomaly-based intrusion detection. Through the analysis of network data characteristics, two facts can be drawn as below. Firstly, there are significant differences between normal behavior and anomaly behavior. Secondly, in practical applications, the number of anomaly behavior is much lower than that of the normal behavior. In respect of the entire network behavior, intrusion behavior belongs to anomaly data in small numbers, and it can be processed by treating it as outliers in the dataset, which can better reflect the nature of such invasion. At the same time, in respect of other intrusion detection methods, the anomaly detection method based on outlier mining can identify those new categories of attack samples which have not yet appeared [3], which represents the advantage which is not possessed by other detection methods. Therefore, the problem of intrusion detection can be transformed into the outlier mining problem in the network behavior data set. Outlier Mining Method Based on Differentiated Cluster Center Offset MeasureAlthough many outlier mining methods have been proposed in recently-published literature, yet only a few of them are applied to the network anomaly detection. One o...

show abstract

Section: Experiments and Results Analysismentioning

confidence: 99%

Research on the Intrusion Detection Method Based on Differentiated Cluster Center Offset Measure

Chen

Nian

2017

MATEC Web Conf.

View full text Add to dashboard Cite

show abstract

“…It is important to note that the direct application of the comparable AD algorithm for NIDS produces unacceptably high FPRs of approximately 3% [10]. Our AD sensor, on the other hand, yields an average FPR of 0.28% when evaluated using two real world data sets.…”

Section: Introductionmentioning

confidence: 94%

“…This process is further described in Section 3.3. The authors in [10] present DNIDS a TCM based IDS that uses a strangeness definition taken from the work of TCM classifiers [21]. In [1] an improved strangeness function is introduced which results in performance improvements of the AD sensor.…”

Section: Related Workmentioning

confidence: 99%

transAD: An Anomaly Detection Network Intrusion Sensor for the Web

Hiremagalore

Barbará

Fleck

et al. 2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Content-based Anomaly Detection (AD) techniques are regarded as a promising mechanism to detect 'zero-day' attacks. AD sensors have also been shown to perform better than signature-based systems in detecting polymorphic attacks. However, the False Positive Rates (FPRs) produced by current AD sensors have been a cause of concern. In this paper, we introduce and evaluate transAD, a system of network traffic inspection AD sensors that are based on Transductive Confidence Machines (TCM). Existing TCM-based implementations have very high FPRs when used as NIDS.Our approach leverages an unsupervised machine-learning algorithm to identify anomalous packets and thus, unlike most AD sensors, transAD does not require manually labeled data. Moreover, transAD uses an ensemble of TCM sensors to achieve better detection rates and lower FPRs than single sensor implementations. Therefore, transAD presents a hardened defense against poisoning attacks.We evaluated our prototype implementation using two real-world data sets collected from a public university's network. TransAD processed approximately 1.1 million packets containing real attacks. To compute the ground truth, we manually labeled 18,500 alerts. In the course of scanning millions of packets, our sensor's low FPR would significantly reduce the number of false alerts that need to be inspected by an operator, while maintaining a high detection rate.

show abstract

“…Kuang and Zulkernine [10] used a modified KNN algorithm called CSI-KNN for Combined Strangeness and Isolation measure K-Nearest Neighbors. They perform supervised learning on the KDD dataset [8].…”

Section: Related Workmentioning

confidence: 99%

0day Anomaly Detection Made Possible Thanks to Machine Learning

Owezarski

Mazel

Labit

2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. This paper proposes new cognitive algorithms and mechanisms for detecting 0day attacks targeting the Internet and its communication performances and behavior. For this purpose, this work relies on the use of machine learning techniques able to issue autonomously traffic models and new attack signatures when new attacks are detected, characterized and classified as such. The ultimate goal deals with being able to instantaneously deploy new defense strategies when a new 0day attack is encountered, thanks to an autonomous cognitive system. The algorithms and mechanisms are validated through extensive experiments taking advantage of real traffic traces captured on the Renater network as well as on a WIDE transpacific link between Japan and the USA.

show abstract

An anomaly intrusion detection method using the CSI-KNN algorithm

Cited by 60 publications

References 10 publications

Research on the Intrusion Detection Method Based on Differentiated Cluster Center Offset Measure

Research on the Intrusion Detection Method Based on Differentiated Cluster Center Offset Measure

transAD: An Anomaly Detection Network Intrusion Sensor for the Web

0day Anomaly Detection Made Possible Thanks to Machine Learning

Contact Info

Product

Resources

About