
A New Unsupervised Anomaly Detection Framework for Detecting Network Attacks in Real-Time

Conference paper. Published in: Cryptology and Network Security (CANS 2005), Lecture Notes in Computer Science, volume 3810.

Abstract

In this paper, we propose a new unsupervised anomaly detection framework for detecting network intrusions online. The framework consists of a new anomalousness metric named IP Weight and an outlier detection algorithm based on a Gaussian mixture model (GMM). IP Weights convert the features of IP packets into a four-dimensional numerical feature space, in which the outlier detection takes place. Intrusion decisions are made based on the outcome of the outlier detection. Two sets of experiments are conducted to evaluate our framework. In the first experiment, we conduct an offline evaluation based on the 1998 DARPA intrusion detection dataset, in which the framework detects 16 of the 19 network attack types. In the second experiment, an online evaluation is performed in a live networking environment. The evaluation result not only confirms the detection effectiveness observed on the DARPA dataset, but also shows strong runtime efficiency, with response times falling within seconds.




© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Lu, W., Traore, I. (2005). A New Unsupervised Anomaly Detection Framework for Detecting Network Attacks in Real-Time. In: Desmedt, Y.G., Wang, H., Mu, Y., Li, Y. (eds) Cryptology and Network Security. CANS 2005. Lecture Notes in Computer Science, vol 3810. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11599371_9


  • DOI: https://doi.org/10.1007/11599371_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-30849-2

  • Online ISBN: 978-3-540-32298-6

  • eBook Packages: Computer Science (R0)
