
Network Anomaly Detection Based on Clustering of Sequence Patterns

  • Conference paper
Computational Science and Its Applications - ICCSA 2006 (ICCSA 2006)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 3981)

Abstract

Anomaly detection is a method for identifying behaviors that do not conform to normal ones. It is used mainly to detect abnormal behavior, including mutated and previously unknown attacks. In this paper, we propose a technique that generates patterns of network-based normal behavior from blocks of a TCP network session for anomaly detection. One session is expressed as one pattern derived from the stream of packets in that session, so the generated pattern has a sequential character. We use the ROCK algorithm to cluster these sequence patterns, which have categorical attributes. The algorithm clusters according to our similarity function, which uses dynamic programming. Through clustering, the many sequence patterns of normal behavior can be reduced to a few representative sequence patterns. Our detection sensor uses a profiling dataset constructed from these representative sequence patterns of normal behavior. We show the effectiveness of the proposed model using results from the 1999 DARPA Intrusion Detection Evaluation.

This research was supported by the MIC (Ministry of Information and Communication), Korea, under the ITRC (Information Technology Research Center) support program supervised by the IITA (Institute of Information Technology Assessment).
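The pipeline the abstract describes (one categorical token sequence per TCP session, a dynamic-programming similarity, ROCK-style clustering, cluster representatives as the normal profile, and a sensor that compares new sessions against that profile) can be sketched in a few dozen lines. The following Python block is an added illustration, not code from the paper or its authors. Because the abstract does not spell out the session encoding, the similarity function or the clustering parameters, the example makes its own assumptions and labels them: per-packet tokens are the TCP flag string plus a direction marker, similarity is one minus a normalised Levenshtein distance, the clustering is a simplified greedy ROCK merge (neighbour threshold, shared-neighbour links, ROCK's goodness measure), each cluster's medoid is its representative, and the sensor uses a fixed similarity threshold. The sample sessions are constructed for the example and are not DARPA 1999 traces.

```python
"""Added example (not the paper's code): anomaly detection from clustered
session sequence patterns. Assumed details, since the abstract leaves them
open: tokens are TCP flags plus direction ('>' client-to-server, '<' reverse),
similarity is 1 - normalised Levenshtein distance (dynamic programming), the
clustering is a simplified ROCK link-based merge, and each cluster's medoid is
its representative pattern."""
from itertools import combinations

# Constructed sample sessions (not DARPA 1999 data): three complete
# request/response exchanges and two handshake-then-reset sessions.
NORMAL_SESSIONS = [
    ["S>", "SA<", "A>", "PA>", "A<", "PA<", "A>", "FA>", "FA<", "A>"],
    ["S>", "SA<", "A>", "PA>", "A<", "PA<", "A>", "FA>", "A<", "FA<", "A>"],
    ["S>", "SA<", "A>", "PA>", "PA<", "A>", "FA>", "FA<", "A>"],
    ["S>", "SA<", "A>", "R>"],
    ["S>", "SA<", "A>", "PA>", "R<"],
]


def edit_distance(a, b):
    """Levenshtein distance between two token sequences (DP with a rolling row)."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete x
                           cur[j - 1] + 1,             # insert y
                           prev[j - 1] + (x != y)))    # match / substitute
        prev = cur
    return prev[-1]


def similarity(a, b):
    """1.0 for identical sequences, 0.0 for sequences with nothing in common."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - edit_distance(a, b) / longest


def rock_cluster(seqs, theta, min_links=1):
    """Simplified ROCK (Guha, Rastogi, Shim 1999): two sequences are neighbours
    when similarity >= theta (a point counts as its own neighbour), link(p, q)
    is the number of shared neighbours, and clusters are merged greedily by
    ROCK's goodness measure until no pair of clusters shares min_links links.
    Returns clusters as lists of the original sequences."""
    n = len(seqs)
    nbr = [{i} for i in range(n)]
    for i, j in combinations(range(n), 2):
        if similarity(seqs[i], seqs[j]) >= theta:
            nbr[i].add(j)
            nbr[j].add(i)
    links = [[len(nbr[i] & nbr[j]) if i != j else 0 for j in range(n)]
             for i in range(n)]
    expo = 1 + 2 * (1 - theta) / (1 + theta)   # 1 + 2 f(theta) from the ROCK paper
    clusters = [[i] for i in range(n)]
    while len(clusters) > 1:
        best, best_g = None, 0.0
        for a, b in combinations(range(len(clusters)), 2):
            shared = sum(links[p][q] for p in clusters[a] for q in clusters[b])
            if shared < min_links:
                continue
            na, nb = len(clusters[a]), len(clusters[b])
            g = shared / ((na + nb) ** expo - na ** expo - nb ** expo)
            if g > best_g:
                best, best_g = (a, b), g
        if best is None:
            break
        a, b = best
        clusters[a].extend(clusters.pop(b))
    return [[seqs[i] for i in c] for c in clusters]


def representatives(clusters):
    """Medoid of each cluster: the member most similar to all other members."""
    return [max(c, key=lambda s: sum(similarity(s, t) for t in c)) for c in clusters]


def build_profile(normal_sessions, theta=0.5):
    """Reduce many normal sequence patterns to a few representative ones."""
    return representatives(rock_cluster(normal_sessions, theta))


def score(session, profile):
    """Similarity of a session to the closest representative normal pattern."""
    return max(similarity(session, rep) for rep in profile)


def is_anomalous(session, profile, threshold=0.5):
    """Sensor decision: flag sessions that resemble no normal representative."""
    return score(session, profile) < threshold


if __name__ == "__main__":
    profile = build_profile(NORMAL_SESSIONS)
    syn_only = ["S>"] * 6   # constructed: repeated SYNs, the handshake never completes
    for s in (NORMAL_SESSIONS[1], syn_only):
        verdict = "anomalous" if is_anomalous(s, profile) else "normal"
        print(s, "score=%.2f" % score(s, profile), verdict)
```

With these constructed sessions and theta = 0.5 the three complete exchanges form one cluster and the two reset sessions another, so the profile holds two representatives instead of five patterns. A session of repeated SYNs scores well below the threshold against both and is flagged, while a longer but structurally normal exchange still scores above it. The two thresholds (theta for neighbourhood, threshold for the sensor) are the knobs a practitioner tunes on held-out normal traffic, trading missed anomalies against false alarms.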



Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Noh, SK., Kim, YM., Kim, D., Noh, BN. (2006). Network Anomaly Detection Based on Clustering of Sequence Patterns. In: Gavrilova, M.L., et al. Computational Science and Its Applications - ICCSA 2006. ICCSA 2006. Lecture Notes in Computer Science, vol 3981. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11751588_37

  • DOI: https://doi.org/10.1007/11751588_37

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-34072-0

  • Online ISBN: 978-3-540-34074-4
