A Data Mining Methodology for Anomaly Detection in Network Data

Authors:
Costantina Caruso;Donato Malerba
Affiliations:
Dipartimento di Informatica, Università degli Studi di Bari, Via E. Orabona 4 - 70126 Bari, Italy;Dipartimento di Informatica, Università degli Studi di Bari, Via E. Orabona 4 - 70126 Bari, Italy
Venue:
KES '07 Knowledge-Based Intelligent Information and Engineering Systems and the XVII Italian Workshop on Neural Networks on Proceedings of the 11th International Conference
Year:
2007

Citing 9
Cited 2

Symbolic clustering using a new dissimilarity measure

Pattern Recognition
Data clustering: a review

ACM Computing Surveys (CSUR)
On-line unsupervised outlier detection using finite mixtures with discounting learning algorithms

Proceedings of the sixth ACM SIGKDD international conference on Knowledge discovery and data mining
Generating Accurate Rule Sets Without Global Optimization

ICML '98 Proceedings of the Fifteenth International Conference on Machine Learning
Algorithms for Mining Distance-Based Outliers in Large Datasets

VLDB '98 Proceedings of the 24rd International Conference on Very Large Data Bases
Learning nonstationary models of normal network traffic for detecting novel attacks

Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining
LOADED: Link-Based Outlier and Anomaly Detection in Evolving Data Sets

ICDM '04 Proceedings of the Fourth IEEE International Conference on Data Mining
A Unifying Framework for Detecting Outliers and Change Points from Time Series

IEEE Transactions on Knowledge and Data Engineering
Learning the daily model of network traffic

ISMIS'05 Proceedings of the 15th international conference on Foundations of Intelligent Systems

Evolving boundary detector for anomaly detection

Expert Systems with Applications: An International Journal
Outlier detection in relational data: A case study in geographical information systems

Expert Systems with Applications: An International Journal

Quantified Score

Hi-index	0.00

Visualization

Abstract

Anomaly detection is based on profiles that represent normal behavior of users, hosts or networks and detects attacks as significant deviations from these profiles. Our methodology is based on the application of several data mining methods and returns an adaptive normal daily model of the network traffic as a result of four main steps, which are illustrated in the paper. The original observation units (the network connections) are transformed in symbolic objects and the normal model itself is given by a particular set of symbolic objects. A new symbolic object is considered an anomaly if it is dissimilar from those belonging to the model and it can be added to the model if it is ranked as a changing point, i.e. a new but legal behavior of the network traffic, otherwise it is an outlier, i.e. a new but illegal aspect of the network traffic. The obtained model of network connections can be used by a network administrator to identify deviations in network traffic patterns that may demand for her attention. The methodology is applied to the firewall logs of our Department network.