liu.se: Search for publications in DiVA
Adaptive Real-time Anomaly Detection for Safeguarding Critical Networks
Linköping University, Department of Computer and Information Science, RTSLAB. Linköping University, The Institute of Technology.
2006 (English). Licentiate thesis, monograph (Other academic)
Abstract [en]

Critical networks require defence in depth incorporating many different security technologies, including intrusion detection. One important intrusion detection approach is anomaly detection, in which the normal (good) behaviour of users of the protected system is modelled, often using machine learning or data mining techniques. During detection, new data is matched against the normality model and deviations are flagged as anomalies. Since no knowledge of attacks is needed to train the normality model, anomaly detection can detect previously unknown attacks, although legitimate behaviour that is absent from the training data will be flagged as well.

In this thesis we present ADWICE (Anomaly Detection With fast Incremental Clustering) and evaluate it in IP networks. ADWICE has the following properties:

(i) Adaptation - Rather than relying on extensive periodic retraining sessions on stored off-line data to handle changes, ADWICE is fully incremental, which makes very flexible on-line training of the model possible without destroying what has already been learnt. When subsets of the model are no longer useful, those clusters can be forgotten.

(ii) Performance - ADWICE is linear in the number of input data points, which heavily reduces training time compared to alternative clustering algorithms. Training time as well as detection time are further reduced by the use of an integrated search index.

(iii) Scalability - Rather than keeping all data in memory, only compact cluster summaries are used. The linear time complexity also improves the scalability of training.

We have implemented ADWICE and integrated the algorithm in a software agent. The agent is part of the Safeguard agent architecture, developed to perform network monitoring, intrusion detection and correlation as well as recovery. We have also applied ADWICE to publicly available network data to compare our approach with related work using similar approaches. The evaluation showed a high detection rate at a reasonable false positive rate.
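The following Python sketch is an added illustration of the three properties listed above (incremental training on compact cluster summaries, forgetting of stale clusters, and distance-based anomaly scoring). It is not the thesis's own ADWICE implementation: the summary fields, thresholds, feature vector and flow records below are assumptions made for this example, and the records are constructed, not captured.

```python
"""Incremental, summary-based anomaly detector in the spirit of the ADWICE
properties described in the abstract. Illustrative example only; the summary
format, thresholds, features and sample flows are assumptions, not ADWICE's.
"""
import math
from dataclasses import dataclass


@dataclass
class ClusterSummary:
    """Compact cluster summary: member count, per-dimension linear sum and
    sum of squared norms suffice to derive centroid and radius, so no raw
    training points have to be kept in memory (scalability)."""
    n: int
    ls: list          # per-dimension linear sum of member points
    ss: float         # sum of squared norms of member points
    last_seen: int    # training step at which the cluster was last updated

    def add(self, x, step):
        self.n += 1
        self.ls = [a + b for a, b in zip(self.ls, x)]
        self.ss += sum(v * v for v in x)
        self.last_seen = step

    def centroid(self):
        return [v / self.n for v in self.ls]

    def radius(self):
        # RMS distance of members from the centroid, computed from the summary alone.
        c = self.centroid()
        var = self.ss / self.n - sum(v * v for v in c)
        return math.sqrt(max(var, 0.0))


def dist(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


class IncrementalAnomalyDetector:
    def __init__(self, merge_threshold, anomaly_threshold):
        self.merge_threshold = merge_threshold      # max distance to join an existing cluster
        self.anomaly_threshold = anomaly_threshold  # distance beyond which a point is anomalous
        self.clusters = []
        self.step = 0

    def nearest(self, x):
        # Linear scan; ADWICE uses a search index here, which this sketch omits.
        best, best_d = None, math.inf
        for c in self.clusters:
            d = dist(x, c.centroid())
            if d < best_d:
                best, best_d = c, d
        return best, best_d

    def train(self, x):
        """Absorb one normal observation incrementally; nothing is retrained from scratch."""
        self.step += 1
        c, d = self.nearest(x)
        if c is not None and d <= self.merge_threshold:
            c.add(x, self.step)
        else:
            self.clusters.append(ClusterSummary(1, list(x), sum(v * v for v in x), self.step))

    def forget(self, max_age):
        """Drop clusters not reinforced within max_age training steps (adaptation)."""
        self.clusters = [c for c in self.clusters if self.step - c.last_seen <= max_age]

    def score(self, x):
        """Distance from x to the nearest centroid; larger means more anomalous."""
        return self.nearest(x)[1]

    def is_anomaly(self, x):
        return self.score(x) > self.anomaly_threshold


def features(rec):
    # Assumed feature vector for one flow record: log-scaled bytes and packets, plus duration.
    return [math.log1p(rec["bytes"]), math.log1p(rec["packets"]), rec["duration"]]


# Constructed sample flows (not real traffic): four ordinary short flows and one bulk transfer.
NORMAL_FLOWS = [
    {"bytes": 1200, "packets": 8, "duration": 0.8},
    {"bytes": 1500, "packets": 10, "duration": 1.0},
    {"bytes": 900, "packets": 6, "duration": 0.6},
    {"bytes": 2000, "packets": 12, "duration": 1.2},
]
ANOMALOUS_FLOW = {"bytes": 5_000_000, "packets": 50_000, "duration": 30.0}


def build_detector():
    """Train the normality model on the constructed normal flows only."""
    det = IncrementalAnomalyDetector(merge_threshold=1.5, anomaly_threshold=3.0)
    for rec in NORMAL_FLOWS:
        det.train(features(rec))
    return det


if __name__ == "__main__":
    det = build_detector()
    print("clusters after training:", len(det.clusters))
    print("normal flow anomalous?", det.is_anomaly(features(NORMAL_FLOWS[0])))
    print("bulk flow anomalous?", det.is_anomaly(features(ANOMALOUS_FLOW)))
```

Only normal traffic is used for training, so the bulk transfer is detected purely by its distance from the learnt clusters; the same mechanism will also flag any legitimate but previously unseen behaviour, which is why the merge and anomaly thresholds have to be tuned against the false positive rate on the protected network.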

Place, publisher, year, edition, pages
Institutionen för datavetenskap (Department of Computer and Information Science), 2006, 146 p.
Linköping Studies in Science and Technology. Thesis, ISSN 0280-7971 ; 1231
Keyword [en]
intrusion detection, anomaly detection, real-time, clustering, adaptation, IP networks
National Category
Computer Science
URN: urn:nbn:se:liu:diva-5973
ISBN: 91-85497-23-1
OAI: diva2:21588
2006-02-28, Visionen, Hus B, Campus Valla, Linköpings universitet, Linköping, 14:15 (English)
Report code: LiU-Tek-Lic-2006:12
Available from: 2006-03-20. Created: 2006-03-20. Last updated: 2009-02-17

Open Access in DiVA

Full text: FULLTEXT01.pdf (application/pdf, 986 kB), 2126 downloads

Author/editor: Ring Burbeck, Kalle
Organisation: RTSLAB, The Institute of Technology
Subject: Computer Science
