IEEE Transactions on Software Engineering - Special issue on computer security and privacy
LOF: identifying density-based local outliers
SIGMOD '00 Proceedings of the 2000 ACM SIGMOD international conference on Management of data
Efficient algorithms for mining outliers from large data sets
SIGMOD '00 Proceedings of the 2000 ACM SIGMOD international conference on Management of data
Algorithms for Mining Distance-Based Outliers in Large Datasets
VLDB '98 Proceedings of the 24th International Conference on Very Large Data Bases
Efficient and Effective Clustering Methods for Spatial Data Mining
VLDB '94 Proceedings of the 20th International Conference on Very Large Data Bases
ADMIT: anomaly-based data mining for intrusions
Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining
ROCK: A Robust Clustering Algorithm for Categorical Attributes
ICDE '99 Proceedings of the 15th International Conference on Data Engineering
Anomaly detection is a method for identifying behaviors that do not accord with normal ones. It is mostly used for detecting abnormal behaviors and mutational and unknown attacks. In this paper, we propose a technique that generates patterns of network-based normal behaviors in blocks of a TCP network session for anomaly detection. One session is expressed as one pattern based on the stream of packets in the session, and thus the pattern we generate has a sequential feature. We use the ROCK algorithm to cluster the sequence patterns, which have categorical attributes. This algorithm performs clustering based on our similarity function, which uses dynamic programming. The many sequence patterns of normal behaviors can be reduced to several representative sequence patterns using the clustering. Our detecting sensor uses a profiling dataset that is constructed from the representative sequence patterns of normal behaviors. We show the effectiveness of the proposed model by using results from the 1999 DARPA Intrusion Detection Evaluation.