The University of Southampton
University of Southampton Institutional Repository

Unsupervised clustering approach for network anomaly detection


Syarif, Iwan, Prugel-Bennett, Adam and Wills, Gary B. (2012) Unsupervised clustering approach for network anomaly detection. Fourth International Conference on Networked Digital Technologies (NDT 2012), Dubai, United Arab Emirates. 24 - 26 Apr 2012. 11 pp.

Record type: Conference or Workshop Item (Paper)

Abstract

This paper describes the advantages of the anomaly detection approach over misuse detection for detecting unknown network intrusions or attacks, and investigates the performance of various clustering algorithms when applied to anomaly detection. Five algorithms are used: four clustering algorithms (k-Means, improved k-Means, k-Medoids and EM clustering) and a distance-based outlier detection algorithm. Our experiment shows that misuse detection, implemented with four different classifiers (naïve Bayes, rule induction, decision tree and nearest neighbour), failed to detect attacks in network traffic that contained a large number of unknown intrusions: the highest accuracy was only 63.97% and the lowest false positive rate was 17.90%. The anomaly detection module, on the other hand, showed promising results, with the distance-based outlier detection algorithm outperforming the others at an accuracy of 80.15%; the accuracy for EM clustering was 78.06%, for k-Medoids 76.71%, for improved k-Means 65.40% and for k-Means 57.81%. Unfortunately, the anomaly detection module produced a high false positive rate (more than 20%) for all four clustering algorithms. Our future work will therefore focus on reducing the false positive rate and improving accuracy using more advanced machine learning techniques.
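The following is an added example, not code from the paper: a distance-based outlier detector of the kind the abstract reports as the best-performing anomaly detection method, together with the accuracy and false-positive-rate evaluation used to compare detectors. It assumes the k-th-nearest-neighbour distance as the outlier score (one common distance-based variant; the paper's exact scheme is not described on this page), a constructed 15-record sample of connection summaries with made-up feature names (duration, bytes each way, same-host connection count), and helper names (`scale_features`, `knn_distance_scores`, `flag_top_fraction`, `evaluate`, `run`) that are this example's own. Labels are used only for evaluation; the detector itself is unsupervised.

```python
"""Distance-based outlier detection over connection records, with the
accuracy / false-positive-rate evaluation used to compare detectors.

Added illustration, not code from the paper. Outlier score = distance to
the k-th nearest neighbour (an assumption about the "distance-based" method).
"""
import math
from typing import Dict, List, Sequence, Set, Tuple

# Constructed sample (not the paper's data). Feature order per record:
# duration (s), bytes from source, bytes to source, connections to the same
# destination host in the last 2 s. Label 1 = intrusion, 0 = normal. Labels
# are read only by evaluate(); the detector never sees them.
SAMPLE: List[Tuple[Tuple[float, float, float, float], int]] = [
    ((0.1, 250, 1200, 1), 0), ((0.2, 280, 1400, 2), 0), ((0.2, 300, 1500, 2), 0),
    ((0.3, 330, 1700, 2), 0), ((0.3, 350, 1800, 2), 0), ((0.4, 380, 2000, 3), 0),
    ((0.5, 420, 2200, 3), 0), ((0.6, 500, 2600, 3), 0), ((0.7, 550, 2900, 4), 0),
    ((0.8, 600, 3100, 4), 0), ((0.9, 700, 3500, 5), 0),
    # flood: three near-identical empty connections hammering one host
    ((0.0, 0, 0, 500), 1), ((0.0, 0, 0, 501), 1), ((0.0, 0, 0, 502), 1),
    # exfiltration-like: one long session pulling far more data than usual
    ((45.0, 40, 900000, 1), 1),
]
LOG_COLUMNS = (1, 2)  # byte counters are heavy-tailed; compress them with log1p


def scale_features(rows: Sequence[Sequence[float]]) -> List[List[float]]:
    """log1p the byte columns, then min-max scale every column to [0, 1] so
    that no single feature dominates the Euclidean distance."""
    logged = [[math.log1p(v) if j in LOG_COLUMNS else float(v)
               for j, v in enumerate(r)] for r in rows]
    lo = [min(col) for col in zip(*logged)]
    hi = [max(col) for col in zip(*logged)]
    return [[(v - l) / (h - l) if h > l else 0.0
             for v, l, h in zip(r, lo, hi)] for r in logged]


def knn_distance_scores(points: Sequence[Sequence[float]], k: int) -> List[float]:
    """Outlier score = Euclidean distance to the k-th nearest other point.
    A record gets a small score only if at least k other records look like it."""
    n = len(points)
    if not 1 <= k < n:
        raise ValueError("k must be between 1 and n-1")
    scores = []
    for i, p in enumerate(points):
        dists = sorted(math.dist(p, q) for j, q in enumerate(points) if j != i)
        scores.append(dists[k - 1])
    return scores


def flag_top_fraction(scores: Sequence[float], fraction: float) -> Set[int]:
    """Unsupervised decision rule: the highest-scoring `fraction` of records
    are declared anomalies (a fixed anomaly budget, since there are no labels)."""
    n_flag = max(1, int(round(fraction * len(scores))))
    order = sorted(range(len(scores)), key=lambda i: scores[i], reverse=True)
    return set(order[:n_flag])


def evaluate(flagged: Set[int], labels: Sequence[int]) -> Dict[str, float]:
    """Accuracy, false-positive rate and detection rate against ground truth."""
    tp = sum(1 for i, y in enumerate(labels) if y == 1 and i in flagged)
    fp = sum(1 for i, y in enumerate(labels) if y == 0 and i in flagged)
    fn = sum(1 for i, y in enumerate(labels) if y == 1 and i not in flagged)
    tn = len(labels) - tp - fp - fn
    return {
        "accuracy": (tp + tn) / len(labels),
        "fpr": fp / (fp + tn) if fp + tn else 0.0,
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "tp": tp, "fp": fp, "fn": fn, "tn": tn,
    }


def run(k: int, fraction: float = 0.25) -> Dict[str, float]:
    """Score the constructed sample, flag the top fraction, and evaluate."""
    features = scale_features([r for r, _ in SAMPLE])
    labels = [y for _, y in SAMPLE]
    flagged = flag_top_fraction(knn_distance_scores(features, k), fraction)
    return evaluate(flagged, labels)


if __name__ == "__main__":
    for k in (2, 3):
        m = run(k)
        print(f"k={k}: accuracy={m['accuracy']:.3f} fpr={m['fpr']:.3f} "
              f"detection_rate={m['detection_rate']:.3f}")
```

Compare k=2 with k=3. With k=2 each of the three flood records has two near-identical neighbours, so its score is tiny and the fixed anomaly budget is spent on benign records instead: one of four intrusions is caught and three normal records are flagged (false positive rate 3/11, about 27%). With k=3 every intrusion's third neighbour is a normal record, all four are flagged and there are no false positives. The practical check is to set k above the largest group of look-alike attack records expected in the window; floods and scans produce many such records, and a k chosen too small is one way a distance-based detector ends up with both missed attacks and the kind of false-positive rate the abstract reports.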

Full text: Unsupervised_Clustering_and_Outlier_Detection_approach_for_network_anomaly_detection_-_camera_ready_new.pdf (Version of Record, 126kB)

More information

Published date: 24 April 2012
Venue - Dates: Fourth International Conference on Networked Digital Technologies (NDT 2012), Dubai, United Arab Emirates, 2012-04-24 - 2012-04-26
Keywords: k-means, em clustering, k-medoids, intrusion detection system, anomaly detection, outlier detection
Organisations: Electronics & Computer Science

Identifiers

Local EPrints ID: 338221
URI: http://eprints.soton.ac.uk/id/eprint/338221
PURE UUID: da852e4c-1097-46c4-9859-58f11fb117de
ORCID for Gary B. Wills: orcid.org/0000-0001-5771-4088

Catalogue record

Date deposited: 14 May 2012 10:56
Last modified: 15 Mar 2024 02:51

Contributors

Author: Iwan Syarif
Author: Adam Prugel-Bennett
Author: Gary B. Wills
