Unsupervised clustering approach for network anomaly detection

Syarif, Iwan, Prugel-Bennett, Adam and Wills, Gary B. (2012) Unsupervised clustering approach for network anomaly detection At Fourth International Conference on Networked Digital Technologies (NDT 2012), United Arab Emirates. 24 - 26 Apr 2012. 11 pp.


[img] PDF Unsupervised_Clustering_and_Outlier_Detection_approach_for_network_anomaly_detection_-_camera_ready_new.pdf - Version of Record
Download (126kB)


This paper describes the advantages of using the anomaly detection approach over the misuse detection technique in detecting unknown network intrusions or attacks. It also investigates the performance of various clustering algorithms when applied to anomaly detection. Five different clustering algorithms: k-Means, improved k-Means, k-Medoids, EM clustering and distance-based outlier detection algorithms are used. Our experiment shows that misuse detection techniques, which implemented four different classifiers (naïve Bayes, rule induction, decision tree and nearest neighbour) failed to detect network traffic, which contained a large number of unknown intrusions; where the highest accuracy was only 63.97% and the lowest false positive rate was 17.90%. On the other hand, the anomaly detection module showed promising results where the distance-based outlier detection algorithm outperformed other algorithms with an accuracy of 80.15%. The accuracy for EM clustering was 78.06%, for k-Medoids it was 76.71%, for improved k-Means it was 65.40% and for k-Means it was 57.81%. Unfortunately, our anomaly detection module produces high false positive rate (more than 20%) for all four clustering algorithms. Therefore, our future work will be more focus in reducing the false positive rate and improving the accuracy using more advance machine learning techniques

Item Type: Conference or Workshop Item (Paper)
Venue - Dates: Fourth International Conference on Networked Digital Technologies (NDT 2012), United Arab Emirates, 2012-04-24 - 2012-04-26
Related URLs:
Keywords: k-means, em clustering, k-medoids, intrusion detection system, anomaly detection, outlier detection
Organisations: Electronics & Computer Science
ePrint ID: 338221
Date :
Date Event
24 April 2012Published
Date Deposited: 14 May 2012 10:56
Last Modified: 17 Apr 2017 17:10
Further Information:Google Scholar
URI: http://eprints.soton.ac.uk/id/eprint/338221

Actions (login required)

View Item View Item