BIRCH: an efficient data clustering method for very large databases. SIGMOD '96 Proceedings of the 1996 ACM SIGMOD international conference on Management of data.
Data mining: concepts and techniques.
The base-rate fallacy and the difficulty of intrusion detection. ACM Transactions on Information and System Security (TISSEC).
A Generalization-Based Approach to Clustering of Web Usage Sessions. WEBKDD '99 Revised Papers from the International Workshop on Web Usage Analysis and User Profiling.
ADMIT: anomaly-based data mining for intrusions. Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining.
Internet intrusions: global characteristics and prevalence. SIGMETRICS '03 Proceedings of the 2003 ACM SIGMETRICS international conference on Measurement and modeling of computer systems.
Identifying key features for intrusion detection using neural networks. ICCC '02 Proceedings of the 15th international conference on Computer communication.
Results of the KDD'99 classifier learning. ACM SIGKDD Explorations Newsletter.
Validation of Sensor Alert Correlators. IEEE Security and Privacy.
Watcher: The Missing Piece of the Security Puzzle. ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference.
Alarm Reduction and Correlation in Defence of IP Networks. WETICE '04 Proceedings of the 13th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises.
An unsupervised clustering algorithm for intrusion detection. AI'03 Proceedings of the 16th Canadian society for computational studies of intelligence conference on Advances in artificial intelligence.
Adaptive real-time anomaly detection with incremental clustering. Information Security Tech. Report.
Augmented Privacy with Virtual Humans. Digital Human Modeling.
ICCS '09 Proceedings of the 9th International Conference on Computational Science: Part I.
Interactive Visualization of Network Anomalous Events. ICCS '09 Proceedings of the 9th International Conference on Computational Science: Part I.
Anomaly intrusion detection for evolving data stream based on semi-supervised learning. ICONIP'08 Proceedings of the 15th international conference on Advances in neuro-information processing - Volume Part I.
Towards early warning systems: challenges, technologies and architecture. CRITIS'09 Proceedings of the 4th international conference on Critical information infrastructures security.
Anomaly detection in water management systems. Critical Infrastructure Protection.
Incremental behavior modeling and suspicious activity detection. Pattern Recognition.
Anomaly detection, the detection of deviations from what is considered normal, is an important complement to misuse detection based on attack signatures. Anomaly detection in real time places hard requirements on the algorithms used, making many proposed data mining techniques less suitable. ADWICE (Anomaly Detection With fast Incremental Clustering) uses the first phase of the existing BIRCH clustering framework to implement fast, scalable and adaptive anomaly detection. We extend the original clustering algorithm and apply the resulting detection mechanism to the analysis of data from IP networks. The performance is demonstrated on the KDD data set as well as on data from a test network at a telecom company. Our experiments show good detection quality (95 %) and an acceptable false positive rate (2.8 %) considering the online, real-time characteristics of the algorithm. The number of alarms is then further reduced by applying the aggregation techniques implemented in the Safeguard architecture.
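As an added illustration of the mechanism the abstract describes (not code from the ADWICE paper or the Safeguard project), this simplified Python model builds a normality model by BIRCH phase-1 style insertion of cluster features (N, LS, SS) and flags a feature vector as anomalous when it lies far from every learned cluster centroid. The radius and alarm thresholds, the 2-dimensional feature vectors, and the `build_model` training set are constructed assumptions for the demonstration.

```python
from math import sqrt
class ClusterFeature:
    """BIRCH cluster feature (N, LS, SS): enough to recompute centroid and radius."""
    def __init__(self, point):
        self.n = 1
        self.ls = list(point)                 # linear sum of absorbed points
        self.ss = sum(x * x for x in point)   # sum of squared components

    def centroid(self):
        return [x / self.n for x in self.ls]

    def distance(self, point):
        return sqrt(sum((c - x) ** 2 for c, x in zip(self.centroid(), point)))

    def radius_if_absorbed(self, point):  # BIRCH threshold test: radius after absorbing
        n = self.n + 1
        ls = [a + x for a, x in zip(self.ls, point)]
        ss = self.ss + sum(x * x for x in point)
        return sqrt(max(0.0, ss / n - sum((a / n) ** 2 for a in ls)))

    def absorb(self, point):
        self.n += 1
        self.ls = [a + x for a, x in zip(self.ls, point)]
        self.ss += sum(x * x for x in point)

class AdwiceDetector:
    """Normality model grown by single-pass, BIRCH phase-1 style insertion."""
    def __init__(self, merge_radius, alarm_distance):
        self.merge_radius = merge_radius      # assumed: largest radius a cluster may grow to
        self.alarm_distance = alarm_distance  # assumed: centroid distance that raises an alarm
        self.clusters = []

    def _nearest(self, point):
        return min(self.clusters, key=lambda cf: cf.distance(point), default=None)

    def train(self, point):
        cf = self._nearest(point)
        if cf is not None and cf.radius_if_absorbed(point) <= self.merge_radius:
            cf.absorb(point)                              # fits an existing cluster
        else:
            self.clusters.append(ClusterFeature(point))   # open a new cluster

    def is_anomaly(self, point):
        return self._nearest(point).distance(point) > self.alarm_distance

def build_model():
    # Constructed training data: two normal traffic profiles as 2-d feature vectors.
    det = AdwiceDetector(merge_radius=0.5, alarm_distance=1.0)
    for p in [(1.0, 1.0), (1.2, 0.9), (0.9, 1.1), (1.1, 1.0), (5.0, 5.0), (5.2, 4.8), (4.9, 5.1)]:
        det.train(p)
    return det
```

Each training vector is absorbed by the nearest cluster only if the cluster's radius stays within `merge_radius`; otherwise a new cluster is opened, which is what keeps the pass single and incremental. At detection time a vector such as `(20.0, 1.0)` that is far from both learned centroids is reported as an anomaly.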