Symbolic clustering using a new dissimilarity measure. Pattern Recognition.
ACM Computing Surveys (CSUR).
On-line unsupervised outlier detection using finite mixtures with discounting learning algorithms. Proceedings of the sixth ACM SIGKDD international conference on Knowledge discovery and data mining.
Generating Accurate Rule Sets Without Global Optimization. ICML '98 Proceedings of the Fifteenth International Conference on Machine Learning.
Algorithms for Mining Distance-Based Outliers in Large Datasets. VLDB '98 Proceedings of the 24th International Conference on Very Large Data Bases.
Learning nonstationary models of normal network traffic for detecting novel attacks. Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining.
LOADED: Link-Based Outlier and Anomaly Detection in Evolving Data Sets. ICDM '04 Proceedings of the Fourth IEEE International Conference on Data Mining.
A Unifying Framework for Detecting Outliers and Change Points from Time Series. IEEE Transactions on Knowledge and Data Engineering.
Learning the daily model of network traffic. ISMIS'05 Proceedings of the 15th international conference on Foundations of Intelligent Systems.
Evolving boundary detector for anomaly detection. Expert Systems with Applications: An International Journal.
Outlier detection in relational data: A case study in geographical information systems. Expert Systems with Applications: An International Journal.
Anomaly detection is based on profiles that represent the normal behavior of users, hosts or networks, and it detects attacks as significant deviations from these profiles. Our methodology is based on the application of several data mining methods and returns an adaptive normal daily model of the network traffic as the result of four main steps, which are illustrated in the paper. The original observation units (the network connections) are transformed into symbolic objects, and the normal model itself is given by a particular set of symbolic objects. A new symbolic object is considered an anomaly if it is dissimilar from those belonging to the model; it can be added to the model if it is ranked as a changing point, i.e. a new but legal behavior of the network traffic, otherwise it is an outlier, i.e. a new but illegal aspect of the network traffic. The obtained model of network connections can be used by a network administrator to identify deviations in network traffic patterns that may demand her attention. The methodology is applied to the firewall logs of our Department network.
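As an added illustration, not code from the paper, the Python sketch below models the decision described above: connections summarised as symbolic objects (an interval per numeric feature, a value set per categorical feature), a dissimilarity between two such objects, and the split between "changing point" (added to the model) and "outlier". The dissimilarity measure, the threshold, the persistence rule used to rank a changing point, and all feature names and sample objects are assumptions made for this example, since the abstract does not define them.

```python
from dataclasses import dataclass

@dataclass
class SymbolicObject:
    intervals: dict  # numeric feature -> (low, high), e.g. "bytes": (100, 2000)
    sets: dict       # categorical feature -> frozenset, e.g. "proto": {"tcp"}

def interval_diss(a, b):
    # Assumed measure: 1 - overlap/span of the union; 0 when equal, 1 when disjoint.
    lo, hi = min(a[0], b[0]), max(a[1], b[1])
    overlap = max(0.0, min(a[1], b[1]) - max(a[0], b[0]))
    return 0.0 if hi == lo else 1.0 - overlap / (hi - lo)

def set_diss(a, b):
    # Assumed measure: Jaccard distance between the two value sets.
    union = a | b
    return 0.0 if not union else 1.0 - len(a & b) / len(union)

def dissimilarity(x, y):
    # Mean over all features; both objects are assumed to describe the same features.
    parts = [interval_diss(x.intervals[f], y.intervals[f]) for f in x.intervals]
    parts += [set_diss(x.sets[f], y.sets[f]) for f in x.sets]
    return sum(parts) / len(parts)

def classify(model, pending, obj, threshold=0.35, min_support=3):
    """Return "normal", "changing_point" or "outlier"; updates model/pending in place."""
    if any(dissimilarity(obj, m) <= threshold for m in model):
        return "normal"
    # Assumed change-point rule: a new behaviour enters the model once min_support
    # mutually similar new objects have been observed; until then each is an outlier.
    similar = [p for p in pending if dissimilarity(obj, p) <= threshold]
    if len(similar) + 1 >= min_support:
        model.append(obj)
        for p in similar:
            pending.remove(p)
        return "changing_point"
    pending.append(obj)
    return "outlier"

def run_demo():
    # Constructed daily model: HTTP and DNS traffic summarised as two symbolic objects.
    tcp, udp = frozenset({"tcp"}), frozenset({"udp"})
    model = [SymbolicObject({"bytes": (100, 2000), "dst_port": (80, 80)}, {"proto": tcp}),
             SymbolicObject({"bytes": (50, 300), "dst_port": (53, 53)}, {"proto": udp})]
    pending = []
    http = SymbolicObject({"bytes": (500, 1500), "dst_port": (80, 80)}, {"proto": tcp})
    https = SymbolicObject({"bytes": (500, 1500), "dst_port": (443, 443)}, {"proto": tcp})
    sweep = SymbolicObject({"bytes": (40, 40), "dst_port": (1, 65535)}, {"proto": tcp})
    labels = [classify(model, pending, o) for o in [http, https, https, https, https, sweep]]
    return labels, len(model), len(pending)
```

Repeated HTTPS objects are first flagged as outliers and then promoted to a changing point, after which identical traffic is normal; the single port-sweep-like object stays an outlier.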