Detecting Network Anomalies Using CUSUM and EM Clustering

  • Authors:
  • Wei Lu;Hengjian Tong

  • Affiliations:
  • Faculty of Computer Science, University of New Brunswick, Fredericton, Canada E3B 5A3 and Department of Electrical and Computer Engineering, University of Victoria, Victoria, Canada V8W 3P6;Department of Computing Science and Technology, School of Computer Science, China University of Geosciences, Wuhan, P.R. China 430074

  • Venue:
  • ISICA '09 Proceedings of the 4th International Symposium on Advances in Computation and Intelligence
  • Year:
  • 2009

Quantified Score

Hi-index 0.00

Visualization

Abstract

Intrusion detection has been extensively studied in the last two decades. However, most existing intrusion detection techniques detect limited number of attack types and report a huge number of false alarms. The hybrid approach has been proposed recently to improve the performance of intrusion detection systems (IDSs). A big challenge for constructing such a multi-sensor based IDS is how to make accurate inferences that minimize the number of false alerts and maximize the detection accuracy, thus releasing the security operator from the burden of high volume of conflicting event reports. We address this issue and propose a hybrid framework to achieve an optimal performance for detecting network traffic anomalies. In particular, we apply SNORT as the signature based intrusion detector and the other two anomaly detection methods, namely non-parametric CUmulative SUM (CUSUM) and EM based clustering, as the anomaly detector. The experimental evaluation with the 1999 DARPA intrusion detection evaluation dataset shows that our approach successfully detects a large portion of the attacks missed by SNORT while also reducing the false alarm rate.