Please wait a minute...
FITEE
Front. Inform. Technol. Electron. Eng.  2010, Vol. 11 Issue (10): 778-784    DOI: 10.1631/jzus.C0910625
    
A new data normalization method for unsupervised anomaly intrusion detection
Long-zheng Cai*,1, Jian Chen2, Yun Ke1, Tao Chen1, Zhi-gang Li1
1 Engineering and Commerce College, South-Central University for Nationalities, Wuhan 430065, China 2 Guangdong Institute of Science and Technology, Zhuhai 519090, China
Download:   PDF(0KB)
Export: BibTeX | EndNote (RIS)      

Abstract  Unsupervised anomaly detection can detect attacks without the need for clean or labeled training data. This paper studies the application of clustering to unsupervised anomaly detection (ACUAD). Data records are mapped to a feature space. Anomalies are detected by determining which points lie in the sparse regions of the feature space. A critical element for this method to be effective is the definition of the distance function between data records. We propose a unified normalization distance framework for records with numeric and nominal features mixed data. A heuristic method that computes the distance for nominal features is proposed, taking advantage of an important characteristic of nominal features—their probability distribution. Then, robust methods are proposed for mapping numeric features and computing their distance, these being able to tolerate the impact of the value difference in scale and diversification among features, and outliers introduced by intrusions. Empirical experiments with the KDD 1999 dataset showed that ACUAD can detect intrusions with relatively low false alarm rates compared with other approaches.

Key wordsUnsupervised anomaly detection      Data mining      Intrusion detection      Network security     
Received: 18 October 2009      Published: 30 September 2010
CLC:  TP393.08  
Fund:  Project supported by the PhD Foundation of Engineering and Commerce College, South-Central University for Nationalities, China
Service
E-mail this article
Add to my bookshelf
Add to citation manager
E-mail Alert
RSS
Articles by authors
Long-zheng Cai
Jian Chen
Yun Ke
Tao Chen
Zhi-gang Li
Cite this article:

Long-zheng Cai, Jian Chen, Yun Ke, Tao Chen, Zhi-gang Li. A new data normalization method for unsupervised anomaly intrusion detection. Front. Inform. Technol. Electron. Eng., 2010, 11(10): 778-784.

URL:

http://www.zjujournals.com/xueshu/fitee/10.1631/jzus.C0910625     OR     http://www.zjujournals.com/xueshu/fitee/Y2010/V11/I10/778


A new data normalization method for unsupervised anomaly intrusion detection

Unsupervised anomaly detection can detect attacks without the need for clean or labeled training data. This paper studies the application of clustering to unsupervised anomaly detection (ACUAD). Data records are mapped to a feature space. Anomalies are detected by determining which points lie in the sparse regions of the feature space. A critical element for this method to be effective is the definition of the distance function between data records. We propose a unified normalization distance framework for records with numeric and nominal features mixed data. A heuristic method that computes the distance for nominal features is proposed, taking advantage of an important characteristic of nominal features—their probability distribution. Then, robust methods are proposed for mapping numeric features and computing their distance, these being able to tolerate the impact of the value difference in scale and diversification among features, and outliers introduced by intrusions. Empirical experiments with the KDD 1999 dataset showed that ACUAD can detect intrusions with relatively low false alarm rates compared with other approaches.

关键词: Unsupervised anomaly detection,  Data mining,  Intrusion detection,  Network security 
[1] Yue-bin LUO, Bao-sheng WANG, Xiao-feng WANG, Bo-feng ZHANG. A keyed-hashing based self-synchronization mechanism for port address hopping communication[J]. Front. Inform. Technol. Electron. Eng., 2017, 18(5): 719-728.
[2] Gui-lin CAI, Bao-sheng WANG, Qian-qian XING. Game theoretic analysis for the mechanism of moving target defense[J]. Front. Inform. Technol. Electron. Eng., 2017, 18(12): 2017-2034.
[3] Guang-jia Song, Zhen-zhou Ji. Anonymous-address-resolution model[J]. Front. Inform. Technol. Electron. Eng., 2016, 17(10): 1044-1055.
[4] Ahmad Karim, Rosli Bin Salleh, Muhammad Shiraz, Syed Adeel Ali Shah, Irfan Awan, Nor Badrul Anuar. Botnet detection techniques: review, future trends, and issues[J]. Front. Inform. Technol. Electron. Eng., 2014, 15(11): 943-983.
[5] Yun Niu, Li-ji Wu, Yang Liu, Xiang-min Zhang, Hong-yi Chen. A 10 Gbps in-line network security processor based on configurable hetero-multi-cores[J]. Front. Inform. Technol. Electron. Eng., 2013, 14(8): 642-651.