http://dx.doi.org/10.3745/KIPSTC.2003.10C.7.857

Clustering Normal User Behavior for Anomaly Intrusion Detection  

Oh, Sang-Hyun (Department of Computer Science, Graduate School, Yonsei University)
Lee, Won-Suk (Department of Computer Science, Yonsei University)
Abstract
For detecting an intrusion based on the anomaly of a user's activities, previous works have concentrated on statistical techniques to analyze an audit data set. However, since they mainly analyze the average behavior of a user's activities, some anomalies can be detected inaccurately. In this paper, a new clustering algorithm for modeling the normal pattern of a user's activities is proposed. Since clustering can identify an arbitrary number of dense ranges in an analysis domain, it can eliminate the inaccuracy caused by statistical analysis. Clustering can also be used to model common knowledge that occurs frequently in a set of transactions, so the common activities of a user can be found more accurately. The common knowledge is represented by the occurrence frequency of similar data objects by the unit of a transaction as well as the common repetitive ratio of similar data objects in each transaction. Furthermore, the proposed method also addresses how to maintain the identified common knowledge as a concise profile. As a result, the profile can be used to detect any anomalous behavior in an online transaction.
Keywords
Intrusion Detection; Anomaly Detection; Data Mining; Clustering; User Profiling;
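The two profile measures the abstract names, the transaction-level occurrence frequency (support) of similar data objects and their repetitive ratio within a transaction, illustrated by an added example that is not the paper's algorithm: the dense ranges are found with a simple grid-density grouping of my own choosing, and the hour-of-day attribute, the thresholds and the sample transactions are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class DenseRange:
    low: float        # inclusive lower bound of the dense range
    high: float       # exclusive upper bound
    support: float    # fraction of transactions with >= 1 object in the range
    rep_ratio: float  # mean objects per transaction, over transactions that hit it

def build_profile(transactions, cell_width=1.0, min_support=0.6):
    """Group similar numeric objects into dense ranges (grid cells hit by at least
    min_support of the transactions, adjacent dense cells merged) and keep, per
    range, its transaction-level support and its repetitive ratio."""
    n = len(transactions)
    cell_hits = Counter()  # cell index -> number of transactions touching it
    for tx in transactions:
        cell_hits.update({int(v // cell_width) for v in tx})
    dense = sorted(c for c, hits in cell_hits.items() if hits / n >= min_support)
    runs = []  # [first_cell, last_cell + 1] for each maximal run of dense cells
    for c in dense:
        if runs and runs[-1][1] == c:
            runs[-1][1] = c + 1
        else:
            runs.append([c, c + 1])
    profile = []
    for lo, hi in runs:
        low, high = lo * cell_width, hi * cell_width
        hits = [k for k in (sum(low <= v < high for v in tx) for tx in transactions) if k]
        profile.append(DenseRange(low, high, len(hits) / n, sum(hits) / len(hits)))
    return profile

def anomaly_score(profile, tx, rep_tolerance=2.0):
    """Fraction of the objects in tx the profile does not account for: objects
    outside every dense range, plus repetitions of a range beyond rep_tolerance
    times its usual repetitive ratio."""
    if not tx:
        return 0.0
    outside = sum(not any(r.low <= v < r.high for r in profile) for v in tx)
    excess = sum(max(0.0, sum(r.low <= v < r.high for v in tx) - rep_tolerance * r.rep_ratio)
                 for r in profile)
    return (outside + excess) / len(tx)

# Constructed sample: one user's daily transactions, each listing the hours at
# which that user issued commands (normal bursts around 9-11 and 14-17).
NORMAL_DAYS = [[9.0, 9.5, 10.0, 14.0, 15.0, 16.0], [9.2, 10.5, 3.0],
               [8.8, 9.9, 10.2, 14.5, 15.5], [9.5, 10.8, 14.0, 16.0],
               [9.0, 10.0, 11.5, 15.0, 16.0, 23.0]]
PROFILE = build_profile(NORMAL_DAYS)  # two ranges: [9, 11) and [14, 17)
```

A day such as `[9.3, 10.1, 14.2, 15.8]` scores 0.0 against this profile, while night-time activity `[2.0, 2.5, 3.0, 9.5]` scores 0.75 and ten commands in the same hour are flagged through the repetitive-ratio term.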