Front. Inform. Technol. Electron. Eng.  2010, Vol. 11 Issue (10): 778-784    DOI: 10.1631/jzus.C0910625
A new data normalization method for unsupervised anomaly intrusion detection
Long-zheng Cai*,1, Jian Chen2, Yun Ke1, Tao Chen1, Zhi-gang Li1
1 Engineering and Commerce College, South-Central University for Nationalities, Wuhan 430065, China 2 Guangdong Institute of Science and Technology, Zhuhai 519090, China
Abstract: Unsupervised anomaly detection can detect attacks without the need for clean or labeled training data. This paper studies the application of clustering to unsupervised anomaly detection (ACUAD). Data records are mapped to a feature space, and anomalies are detected by determining which points lie in the sparse regions of that space. A critical element for this method to be effective is the definition of the distance function between data records. We propose a unified normalization distance framework for records with mixed numeric and nominal features. A heuristic method that computes the distance for nominal features is proposed, taking advantage of an important characteristic of nominal features—their probability distribution. Then, robust methods are proposed for mapping numeric features and computing their distance; these are able to tolerate the impact of differences in scale and diversification among features, as well as outliers introduced by intrusions. Empirical experiments with the KDD 1999 dataset showed that ACUAD can detect intrusions with relatively low false alarm rates compared with other approaches.
Key words: Unsupervised anomaly detection, Data mining, Intrusion detection, Network security
Received: 2009-10-18    Published: 2010-09-30
CLC:  TP393.08  
Funding: Project supported by the PhD Foundation of Engineering and Commerce College, South-Central University for Nationalities, China
Corresponding author: Long-zheng CAI     E-mail: charlescai@yahoo.cn

Cite this article:

Long-zheng Cai, Jian Chen, Yun Ke, Tao Chen, Zhi-gang Li. A new data normalization method for unsupervised anomaly intrusion detection. Front. Inform. Technol. Electron. Eng., 2010, 11(10): 778-784.

Link to this article:

http://www.zjujournals.com/xueshu/fitee/CN/10.1631/jzus.C0910625        http://www.zjujournals.com/xueshu/fitee/CN/Y2010/V11/I10/778