Abstract. This paper proposes a local outlier mining method based on a differentiated cluster center offset measure. A normal behavior model is built from normal data samples only; the outlier degree of a test sample is computed against this model and compared with a preset anomaly threshold to decide whether the sample is intrusion behavior. The method is evaluated on the KDD99 data set, and the experimental results show that it achieves a higher detection rate and a lower false alarm rate.

Key words: Intrusion detection; Anomaly detection; Outlier mining; Cluster center offset
Overview

Essentially, intrusion detection is a classification problem: the host audit records or network traffic data under examination are classified as either normal behavior or intrusion behavior [1]. By detection method, intrusion detection falls into two categories, anomaly detection and misuse detection. The local outlier mining method studied in this paper is an anomaly detection method.

Anomaly detection rests on the hypothesis that an intruder's activity deviates from the normal activity of the subject [2]. On this basis, a profile of the subject's normal activity is established, and the subject's current activity is compared against that profile; when the statistical regularities of the profile are violated, the activity may be regarded as an intrusion. The difficult problems in anomaly detection are how to build the profile of normal activity and how to design the statistical algorithm, so that normal operations are not flagged as intrusions (false alarms) and real intrusion behavior is not missed.

Outlier mining is well suited to anomaly-based intrusion detection. Two facts follow from an analysis of the characteristics of network data. First, there are significant differences between normal behavior and anomalous behavior. Second, in practical applications, anomalous behavior is far less frequent than normal behavior. Relative to the network behavior as a whole, intrusion behavior is therefore a small quantity of anomalous data, and it can be handled by treating it as outliers in the data set, which better reflects the nature of such intrusions.
At the same time, compared with other intrusion detection methods, anomaly detection based on outlier mining can identify new categories of attack samples that have not appeared before [3], an advantage that misuse (signature-based) detection does not have. Therefore, the intrusion detection problem can be transformed into an outlier mining problem over the network behavior data set.
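The following is an added example, not code from the paper, showing the anomaly-detection pipeline the Overview describes end to end: a normal profile is learned from normal samples only, each test sample receives an outlier degree against that profile, and a preset threshold decides "intrusion" or "normal"; detection rate and false alarm rate are then computed over a labelled batch. The profile here is a set of cluster centers found by a small deterministic k-means, and the outlier degree is the sample's scaled distance to the nearest center divided by that cluster's mean intra-cluster distance. That ratio is an assumed stand-in for illustration only; it is not the paper's differentiated cluster center offset measure. The KDD-like records (duration, src_bytes, dst_bytes, count) are constructed.

```python
"""Added example (not the paper's method): threshold-based anomaly detection
with a normal profile built from cluster centers.

Outlier degree = distance to nearest normal cluster center / that cluster's
radius (mean member distance). This plain ratio is an assumed stand-in, not
the paper's differentiated cluster center offset measure.
"""
import math

# Constructed KDD-like records: (duration, src_bytes, dst_bytes, count).
# All of these are labelled normal; no attack data is used to build the profile.
NORMAL_SAMPLES = [
    (0, 215, 1200, 2), (1, 240, 1500, 3), (0, 230, 1100, 1),    # short web sessions
    (2, 260, 1800, 4), (1, 220, 1300, 2), (0, 250, 1700, 3),
    (40, 6000, 120, 1), (55, 7500, 180, 2), (35, 5200, 110, 1),  # bulk uploads
    (60, 8000, 200, 3), (45, 6800, 150, 2), (50, 7000, 160, 1),
]

# Constructed labelled test batch: (record, is_attack).
TEST_SET = [
    ((1, 235, 1400, 2), False),     # ordinary web session
    ((48, 6500, 140, 2), False),    # ordinary bulk upload
    ((0, 0, 0, 500), True),         # flood-like: 500 connections, no payload
    ((5, 900000, 300, 1), True),    # exfiltration-like: huge outbound volume
]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, max_iter=100):
    """Deterministic k-means: farthest-first seeding, then Lloyd iterations."""
    centers = [list(points[0])]
    while len(centers) < k:
        far = max(points, key=lambda p: min(euclid(p, c) for c in centers))
        centers.append(list(far))
    assign = None
    for _ in range(max_iter):
        new = [min(range(k), key=lambda j: euclid(p, centers[j])) for p in points]
        if new == assign:
            break
        assign = new
        for j in range(k):
            members = [p for p, a in zip(points, assign) if a == j]
            if members:
                centers[j] = [sum(col) / len(members) for col in zip(*members)]
    return centers, assign


class NormalProfile:
    """Activity profile of normal behavior: scaler, cluster centers, radii."""

    def __init__(self, normal, k=2, threshold=3.0):
        self.lo = [min(col) for col in zip(*normal)]
        self.hi = [max(col) for col in zip(*normal)]
        scaled = [self.scale(s) for s in normal]
        self.centers, assign = kmeans(scaled, k)
        self.radii = []
        for j, c in enumerate(self.centers):
            d = [euclid(p, c) for p, a in zip(scaled, assign) if a == j]
            # Guard against a zero radius (single-member cluster).
            self.radii.append(max(sum(d) / len(d), 1e-9) if d else 1.0)
        self.threshold = threshold  # preset anomaly threshold

    def scale(self, s):
        # Min-max scaling fitted on normal data; test values may leave [0, 1].
        return [(x - lo) / (hi - lo) if hi > lo else 0.0
                for x, lo, hi in zip(s, self.lo, self.hi)]

    def outlier_degree(self, sample):
        p = self.scale(sample)
        j = min(range(len(self.centers)), key=lambda i: euclid(p, self.centers[i]))
        return euclid(p, self.centers[j]) / self.radii[j]

    def is_intrusion(self, sample, threshold=None):
        t = self.threshold if threshold is None else threshold
        return self.outlier_degree(sample) > t


def evaluate(profile, labelled, threshold=None):
    """Return (detection_rate, false_alarm_rate) over (sample, is_attack) pairs."""
    tp = fn = fp = tn = 0
    for sample, is_attack in labelled:
        flagged = profile.is_intrusion(sample, threshold)
        if is_attack:
            tp += int(flagged)
            fn += int(not flagged)
        else:
            fp += int(flagged)
            tn += int(not flagged)
    dr = tp / (tp + fn) if tp + fn else 0.0
    far = fp / (fp + tn) if fp + tn else 0.0
    return dr, far


if __name__ == "__main__":
    profile = NormalProfile(NORMAL_SAMPLES)
    for sample, is_attack in TEST_SET:
        print(sample, "attack" if is_attack else "normal",
              round(profile.outlier_degree(sample), 2), profile.is_intrusion(sample))
    print("detection rate, false alarm rate:", evaluate(profile, TEST_SET))
```

The threshold is the lever that trades detection rate against false alarms: a legitimate but unusually busy web session such as (3, 280, 2400, 6) scores a little above 4 against this constructed profile, so it is flagged at threshold 3.0 and passed at threshold 5.0. In practice the threshold should be set on held-out normal data so the false alarm rate is measured rather than guessed.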
Outlier Mining Method Based on Differentiated Cluster Center Offset Measure

Although many outlier mining methods have been proposed in the recent literature, only a few of them have been applied to network anomaly detection. One o...