The University of Southampton
University of Southampton Institutional Repository

Unsupervised clustering approach for network anomaly detection

Syarif, Iwan, Prugel-Bennett, Adam and Wills, Gary B. (2012) Unsupervised clustering approach for network anomaly detection At Fourth International Conference on Networked Digital Technologies (NDT 2012), United Arab Emirates. 24 - 26 Apr 2012. 11 pp.

Record type: Conference or Workshop Item (Paper)


This paper describes the advantages of using the anomaly detection approach over the misuse detection technique in detecting unknown network intrusions or attacks. It also investigates the performance of various clustering algorithms when applied to anomaly detection. Five different clustering algorithms: k-Means, improved k-Means, k-Medoids, EM clustering and distance-based outlier detection algorithms are used. Our experiment shows that misuse detection techniques, which implemented four different classifiers (naïve Bayes, rule induction, decision tree and nearest neighbour) failed to detect network traffic, which contained a large number of unknown intrusions; where the highest accuracy was only 63.97% and the lowest false positive rate was 17.90%. On the other hand, the anomaly detection module showed promising results where the distance-based outlier detection algorithm outperformed other algorithms with an accuracy of 80.15%. The accuracy for EM clustering was 78.06%, for k-Medoids it was 76.71%, for improved k-Means it was 65.40% and for k-Means it was 57.81%. Unfortunately, our anomaly detection module produces high false positive rate (more than 20%) for all four clustering algorithms. Therefore, our future work will be more focus in reducing the false positive rate and improving the accuracy using more advance machine learning techniques

PDF Unsupervised_Clustering_and_Outlier_Detection_approach_for_network_anomaly_detection_-_camera_ready_new.pdf - Version of Record
Download (126kB)

More information

Published date: 24 April 2012
Venue - Dates: Fourth International Conference on Networked Digital Technologies (NDT 2012), United Arab Emirates, 2012-04-24 - 2012-04-26
Related URLs:
Keywords: k-means, em clustering, k-medoids, intrusion detection system, anomaly detection, outlier detection
Organisations: Electronics & Computer Science


Local EPrints ID: 338221
PURE UUID: da852e4c-1097-46c4-9859-58f11fb117de
ORCID for Gary B. Wills: ORCID iD

Catalogue record

Date deposited: 14 May 2012 10:56
Last modified: 18 Jul 2017 05:58

Export record


Author: Iwan Syarif
Author: Adam Prugel-Bennett
Author: Gary B. Wills ORCID iD

University divisions

Download statistics

Downloads from ePrints over the past year. Other digital versions may also be available to download e.g. from the publisher's website.

View more statistics

Atom RSS 1.0 RSS 2.0

Contact ePrints Soton:

ePrints Soton supports OAI 2.0 with a base URL of

This repository has been built using EPrints software, developed at the University of Southampton, but available to everyone to use.

We use cookies to ensure that we give you the best experience on our website. If you continue without changing your settings, we will assume that you are happy to receive cookies on the University of Southampton website.