A framework for constructing features and models for intrusion detection systems
ACM Transactions on Information and System Security (TISSEC)
Practical automated detection of stealthy portscans
Journal of Computer Security
Winning the KDD99 classification cup: bagged boosting
ACM SIGKDD Explorations Newsletter
Network traffic anomaly detection based on packet bytes
Proceedings of the 2003 ACM symposium on Applied computing
Active learning and subspace clustering for anomaly detection
Intelligent Data Analysis
| Hi-index | 0.00 |
This paper presents an anomaly detection approach based on clustering and classification for intrusion detection (ID). We use connections obtained from raw packet data of the audit trail as basic elements, then map the network connection records into 8 feature spaces typically of high dimension according to their protocols and services. The approach includes two steps, training stage and testing stage. We perform clustering to group training data points into clusters, from which we select some clusters as normal and known-attack profile according to certain criterion. For those training data excluded from the profile, we use them to build a specific classifier. During the testing stage, we utilize influence-based classification algorithm to classify network behaviors. In the algorithm, an influence function quantifies the influence of an object. The experiments on the KDD'99 Intrusion Detection Data Set demonstrate the detection performance and the effectiveness of our ID approach.