Wide area traffic: the failure of Poisson modeling
IEEE/ACM Transactions on Networking (TON)
BIRCH: an efficient data clustering method for very large databases
SIGMOD '96 Proceedings of the 1996 ACM SIGMOD international conference on Management of data
A view of the EM algorithm that justifies incremental, sparse, and other variants
Learning in graphical models
A high-performance network intrusion detection system
CCS '99 Proceedings of the 6th ACM conference on Computer and communications security
Efficient algorithms for mining outliers from large data sets
SIGMOD '00 Proceedings of the 2000 ACM SIGMOD international conference on Management of data
FREM: fast and robust EM clustering for large data sets
Proceedings of the eleventh international conference on Information and knowledge management
Anomaly Detection over Noisy Data using Learned Probability Distributions
ICML '00 Proceedings of the Seventeenth International Conference on Machine Learning
Algorithms for Mining Distance-Based Outliers in Large Datasets
VLDB '98 Proceedings of the 24rd International Conference on Very Large Data Bases
Learning nonstationary models of normal network traffic for detecting novel attacks
Proceedings of the eighth ACM SIGKDD international conference on Knowledge discovery and data mining
Assisting Network Intrusion Detection with Reconfigurable Hardware
FCCM '02 Proceedings of the 10th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
Stateful Intrusion Detection for High-Speed Networks
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
ROCK: A Robust Clustering Algorithm for Categorical Attributes
ICDE '99 Proceedings of the 15th International Conference on Data Engineering
Information-Theoretic Measures for Anomaly Detection
SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Data mining approaches for intrusion detection
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
Data mining-based intrusion detectors
Expert Systems with Applications: An International Journal
Characterizing network traffic by means of the NetMine framework
Computer Networks: The International Journal of Computer and Telecommunications Networking
Markovian workload modeling for Enterprise Application Servers
C3S2E '09 Proceedings of the 2nd Canadian Conference on Computer Science and Software Engineering
An efficient network intrusion detection
Computer Communications
A cooperative immunological approach for detecting network anomaly
Applied Soft Computing
Incremental SVM based on reserved set for network intrusion detection
Expert Systems with Applications: An International Journal
Research of adaptive immune network intrusion detection model
International Journal of Systems, Control and Communications
Automatic network intrusion detection: Current techniques and open issues
Computers and Electrical Engineering
A possibilistic approach to intrusion detection under imperfect logging protocol
Proceedings of the 6th International Conference on Security of Information and Networks
| Hi-index | 0.02 |
With the ever increasing deployment and usage of gigabit networks, traditional network anomaly detection based Intrusion Detection Systems (IDS) have not scaled accordingly. Most, if not all IDS assume the availability of complete and clean audit data. We contend that this assumption is not valid. Factors like noise, mobility of the nodes and the large amount of network traffic make it difficult to build a traffic profile of the network that is complete and immaculate for the purpose of anomaly detection. In this paper, we attempt to address these issues by presenting an anomaly detection scheme, called SCAN (Stochastic Clustering Algorithm for Network Anomaly Detection), that has the capability to detect intrusions with high accuracy even with incomplete audit data. To address the threats posed by network-based denial-of-service attacks in high speed networks, SCAN consists of two modules: an anomaly detection module that is at the core of the design and an adaptive packet sampling scheme that intelligently samples packets to aid the anomaly detection module. The noteworthy features of SCAN include: (a) it intelligently samples the incoming network traffic to decrease the amount of audit data being sampled while retaining the intrinsic characteristics of the network traffic itself; (b) it computes the missing elements of the sampled audit data by utilizing an improved expectation-maximization (EM) algorithm-based clustering algorithm; and (c) it improves the speed of convergence of the clustering process by employing Bloom filters and data summaries.