The objective of this study is to develop an integrated modelling approach to network intrusion detection built from three multivariate statistical methods: Block Clustering (BC), Generalised Logistic Regression (GLR) and Linear Discriminant Analysis (LDA). A pipeline strategy, BC followed by either GLR or LDA, is attempted in order to automate the intrusion detection process. Preliminary testing shows that the combination of BC and LDA is very promising, whereas that of BC and GLR remains uncertain. Essentially, BC provides the classification (clustering) stage, and LDA or GLR then assesses the clusters pipelined from BC and supports a judgement on each case (e.g., intrusive, suspicious or normal). Although clustering techniques have been used for intrusion detection since the very beginning of the field, to the best of our knowledge BC has not previously been applied in intrusion detection, or in computer science more broadly. The two-way joining strategy of BC is especially desirable for intrusion detection because information from both data cases and variables (features) is synthesised to form block clusters, whereas other clustering methods usually consider only one of the two. The paper also justifies the choice of the three statistical methods. That choice is largely determined by two of the most obvious properties of intrusion audit data: most variables are categorical rather than continuous, and their probability distributions are usually not normal. Looking ahead, we suggest that integrating BC with Independent Component Analysis (ICA), which has been applied successfully in speech recognition, brain imaging and, in combination with other statistical methods, intrusion detection, is likely to yield a mutually complementary approach. We further suggest that integrating the approach developed here with Multidimensional Scaling (MDS) may produce an effective technology for building visualised real-time intrusion detection systems.
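The two-stage pipeline described in the abstract, as an added worked example in Python (this is not code from the paper; the paper's exact block-clustering variant and the way it feeds LDA are not given in the abstract): stage one is a two-way joining that alternately regroups cases and features into blocks, stage two is a two-class Fisher LDA on each case's column-block profile that returns normal, suspicious or intrusive. The 8x6 binary audit matrix, its feature names, the farthest-first seeding, the ridge term and the +/-0.5 "suspicious" band are assumptions made for this example.

```python
# Constructed toy audit matrix: 8 connection records x 6 binary features. Columns 0-2 are
# benign-looking indicators (say service=http, flag=SF, logged_in), columns 3-5 intrusion
# indicators (failed_logins, root_shell, su_attempted). Names and values are made up.
X = [
    [1, 1, 1, 0, 0, 0],  # normal
    [1, 1, 0, 0, 0, 0],  # normal
    [1, 0, 1, 0, 0, 0],  # normal
    [1, 1, 1, 0, 1, 0],  # normal, one noisy indicator
    [0, 0, 0, 1, 1, 1],  # intrusive
    [0, 1, 0, 1, 1, 1],  # intrusive
    [0, 0, 0, 1, 0, 1],  # intrusive
    [0, 0, 1, 1, 1, 0],  # intrusive
]
Y = [0, 0, 0, 0, 1, 1, 1, 1]  # 0 = normal, 1 = intrusive

def sqdist(a, b):
    return sum((u - v) ** 2 for u, v in zip(a, b))

def farthest_first_seeds(vectors, k):
    """Deterministic seeding: index 0, then repeatedly the vector farthest from all seeds."""
    seeds = [0]
    while len(seeds) < k:
        seeds.append(max(range(len(vectors)), key=lambda i: (
            min(sqdist(vectors[i], vectors[s]) for s in seeds), -i)))  # lowest index on ties
    return seeds

def assign(vectors, prototypes):
    return [min(range(len(prototypes)), key=lambda p: sqdist(v, prototypes[p])) for v in vectors]

def block_means(X, r, c, k_rows, k_cols):
    """Mean of every (row cluster, column cluster) block; empty blocks fall back to the global mean."""
    sums, cnt = [[0.0] * k_cols for _ in range(k_rows)], [[0] * k_cols for _ in range(k_rows)]
    for i, row in enumerate(X):
        for j, v in enumerate(row):
            sums[r[i]][c[j]] += v
            cnt[r[i]][c[j]] += 1
    g = sum(map(sum, X)) / (len(X) * len(X[0]))
    return [[sums[a][b] / cnt[a][b] if cnt[a][b] else g for b in range(k_cols)]
            for a in range(k_rows)]

def block_cluster(X, k_rows, k_cols, max_iter=50):
    """Two-way joining: alternately move cases to the closest row-block profile and
    features to the closest column-block profile until nothing changes."""
    n, m = len(X), len(X[0])
    cols = [[X[i][j] for i in range(n)] for j in range(m)]
    r = assign(X, [X[s] for s in farthest_first_seeds(X, k_rows)])
    c = assign(cols, [cols[s] for s in farthest_first_seeds(cols, k_cols)])
    for _ in range(max_iter):
        B = block_means(X, r, c, k_rows, k_cols)
        new_r = assign(X, [[B[a][c[j]] for j in range(m)] for a in range(k_rows)])
        B = block_means(X, new_r, c, k_rows, k_cols)
        new_c = assign(cols, [[B[new_r[i]][b] for i in range(n)] for b in range(k_cols)])
        if (new_r, new_c) == (r, c):
            break
        r, c = new_r, new_c
    return r, c, block_means(X, r, c, k_rows, k_cols)

def profile(row, c, k_cols):
    # Collapse one case onto its column-cluster proportions: the vector handed to LDA.
    return [sum(v for v, b in zip(row, c) if b == k) / c.count(k) for k in range(k_cols)]

def solve(A, b):
    """Gauss-Jordan elimination with partial pivoting for the small system A x = b."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda i: abs(M[i][col]))
        M[col], M[piv] = M[piv], M[col]
        for i in range(n):
            if i != col:
                f = M[i][col] / M[col][col]
                M[i] = [x - f * y for x, y in zip(M[i], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]

class FisherLDA:
    """Two-class Fisher discriminant: w = Sw^-1 (mu1 - mu0), boundary midway between the
    projected class means. Scores are rescaled so the class means sit at -1 (normal) and
    +1 (intrusive); |score| < margin is 'suspicious' (the margin is this example's assumption)."""
    def fit(self, Z, y, ridge=1e-6):
        d = len(Z[0])
        mu = [[sum(z[k] for z, t in zip(Z, y) if t == cls) / y.count(cls)
               for k in range(d)] for cls in (0, 1)]
        Sw = [[ridge * (a == b) for b in range(d)] for a in range(d)]  # ridge keeps Sw invertible
        for z, t in zip(Z, y):
            dev = [z[k] - mu[t][k] for k in range(d)]
            for a in range(d):
                for b in range(d):
                    Sw[a][b] += dev[a] * dev[b]
        self.w = solve(Sw, [mu[1][k] - mu[0][k] for k in range(d)])
        m0, m1 = (sum(wk * mk for wk, mk in zip(self.w, mu[cls])) for cls in (0, 1))
        self.threshold, self.half_gap = (m0 + m1) / 2, (m1 - m0) / 2
        return self
    def score(self, z):
        return (sum(wk * zk for wk, zk in zip(self.w, z)) - self.threshold) / self.half_gap
    def judge(self, z, margin=0.5):
        s = self.score(z)
        return "suspicious" if abs(s) < margin else ("intrusive" if s > 0 else "normal")

# Stage 1 (BC) on the training matrix, then stage 2 (LDA) on the block profiles.
ROW_CLUSTERS, COL_CLUSTERS, BLOCKS = block_cluster(X, 2, 2)
MODEL = FisherLDA().fit([profile(row, COL_CLUSTERS, 2) for row in X], Y)

def judge_record(x, margin=0.5):
    """Verdict for a new audit record: BC's feature grouping, then the LDA judgement."""
    return MODEL.judge(profile(x, COL_CLUSTERS, 2), margin)
```

The point to note is that the column grouping found by BC doubles as the feature reduction for the second stage: because the raw indicators are categorical, LDA sees per-block proportions rather than the 0/1 features. The ridge on the within-class scatter guards against a singular matrix when a block is constant across a class, and the empty-block fallback in the block means keeps the prototypes defined if a cluster loses all its members during the alternation. On the constructed matrix above, a record with all benign indicators set scores as normal, one with all intrusion indicators set as intrusive, and one with half of each lands inside the suspicious band.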