Learning the daily model of network traffic

Authors:
Costantina Caruso;Donato Malerba;Davide Papagni
Affiliations:
Dipartimento di Informatica, Università degli Studi di Bari, Bari, Italy;Dipartimento di Informatica, Università degli Studi di Bari, Bari, Italy;Dipartimento di Informatica, Università degli Studi di Bari, Bari, Italy
Venue:
ISMIS'05 Proceedings of the 15th international conference on Foundations of Intelligent Systems
Year:
2005

Citing 8
Cited 3

Symbolic clustering using a new dissimilarity measure

Pattern Recognition
Advances in knowledge discovery and data mining

Advances in knowledge discovery and data mining
ADAM: a testbed for exploring the use of data mining in intrusion detection

ACM SIGMOD Record
Knowledge Acquisition Via Incremental Conceptual Clustering

Machine Learning
Generating Accurate Rule Sets Without Global Optimization

ICML '98 Proceedings of the Fifteenth International Conference on Machine Learning
A study in using neural networks for anomaly and misuse detection

SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
Data mining approaches for intrusion detection

SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
Intrusion detection using sequences of system calls

Journal of Computer Security

A Data Mining Methodology for Anomaly Detection in Network Data

KES '07 Knowledge-Based Intelligent Information and Engineering Systems and the XVII Italian Workshop on Neural Networks on Proceedings of the 11th International Conference
Relational Frequent Patterns Mining for Novelty Detection from Data Streams

MLDM '09 Proceedings of the 6th International Conference on Machine Learning and Data Mining in Pattern Recognition
Discovering emerging patterns for anomaly detection in network connection data

ISMIS'08 Proceedings of the 17th international conference on Foundations of intelligent systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

Anomaly detection is based on profiles that represent normal behaviour of users, hosts or networks and detects attacks as significant deviations from these profiles. In the paper we propose a methodology based on the application of several data mining methods for the construction of the “normal” model of the ingoing traffic of a department-level network. The methodology returns a daily model of the network traffic as a result of four main steps: first, daily network connections are reconstructed from TCP/IP packet headers passing through the firewall and represented by means of feature vectors; second, network connections are grouped by applying a clustering method; third, clusters are described as sets of rules generated by a supervised inductive learning algorithm; fourth, rules are transformed into symbolic objects and similarities between symbolic objects are computed for each couple of days. The result is a longitudinal model of the similarity of network connections that can be used by a network administrator to identify deviations in network traffic patterns that may demand for his/her attention. The proposed methodology has been tested on log files of the firewall of our University Department.