A new unsupervised anomaly detection framework for detecting network attacks in real-time

Authors:
Wei Lu;Issa Traore
Affiliations:
Department of Electrical and Computer Engineering, STN CSC, University of Victoria, Victoria, B.C., Canada;Department of Electrical and Computer Engineering, STN CSC, University of Victoria, Victoria, B.C., Canada
Venue:
CANS'05 Proceedings of the 4th international conference on Cryptology and Network Security
Year:
2005

Citing 7
Cited 3

An Intrusion-Detection Model

IEEE Transactions on Software Engineering - Special issue on computer security and privacy
NADIR: an automated system for detecting network intrusion and misuse

Computers and Security
The base-rate fallacy and the difficulty of intrusion detection

ACM Transactions on Information and System Security (TISSEC)
Pattern Recognition and Neural Networks

Pattern Recognition and Neural Networks
Anomaly Detection over Noisy Data using Learned Probability Distributions

ICML '00 Proceedings of the Seventeenth International Conference on Machine Learning
The 1998 Lincoln Laboratory IDS Evaluation

RAID '00 Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection
A sense of self for Unix processes

SP'96 Proceedings of the 1996 IEEE conference on Security and privacy

Network intrusion detection using genetic algorithm to find best DNA signature

WSEAS TRANSACTIONS on SYSTEMS
An evaluation of connection characteristics for separating network attacks

International Journal of Security and Networks
Network anomaly detection based on wavelet analysis

EURASIP Journal on Advances in Signal Processing - Special issue on signal processing applications in network intrusion detection systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper, we propose a new unsupervised anomaly detection framework for detecting network intrusions online. The framework consists of new anomalousness metrics named IP Weight and an outlier detection algorithm based on Gaussian mixture model (GMM). IP Weights convert the features of IP packets into a four-dimensional numerical feature space, in which the outlier detection takes place. Intrusion decisions are made based on the outcome of outlier detections. Two sets of experiments are conducted to evaluate our framework. In the first experiment, we conduct an offline evaluation based on the 1998 DARPA intrusion detection dataset, which detects 16 types of attacks out of a total of 19 network attack types. In the second experiment, an online evaluation is performed in a live networking environment. The evaluation result not only confirms the detection effectiveness with DARPA dataset, but also shows a strong runtime efficiency, with response times falling within seconds.