In anomaly intrusion detection, modeling the normal behavior of the activities performed by a user is an important issue. To extract normal behavior from a user's activities, conventional data mining techniques are widely applied to a finite audit data set. However, these approaches model only the static behavior of a user as captured in that audit data set. This drawback can be overcome by viewing a user's continuous activities as an audit data stream. This paper proposes an anomaly intrusion detection method that continuously models the normal behavior of a user over the audit data stream. A set of features is used to represent the characteristics of an activity. For each feature, clusters of feature values corresponding to the activities observed thus far in the audit data stream are identified by a statistical grid-based clustering algorithm for data streams. Each cluster represents the frequency range of the activities with respect to that feature. As a result, the user's new activities can be continuously reflected in the ongoing results without physically maintaining any historical activity of the user. At the same time, various statistics of the activities related to the identified clusters are also modeled to improve the performance of anomaly detection. The proposed algorithm is illustrated by a series of experiments that identify its various characteristics.