Adaptive Real-time Anomaly Detection for Safeguarding Critical Networks
Linköping University, Department of Computer and Information Science, RTSLAB. Linköping University, The Institute of Technology.
2006 (English)
Licentiate thesis, monograph (Other academic)
Abstract [en]

Critical networks require defence in depth incorporating many different security technologies including intrusion detection. One important intrusion detection approach is called anomaly detection where normal (good) behaviour of users of the protected system is modelled, often using machine learning or data mining techniques. During detection new data is matched against the normality model, and deviations are marked as anomalies. Since no knowledge of attacks is needed to train the normality model, anomaly detection may detect previously unknown attacks.

In this thesis we present ADWICE (Anomaly Detection With fast Incremental Clustering) and evaluate it in IP networks. ADWICE has the following properties:

(i) Adaptation - Rather than making use of extensive periodic retraining sessions on stored off-line data to handle changes, ADWICE is fully incremental, making very flexible on-line training of the model possible without destroying what is already learnt. When subsets of the model are not useful anymore, those clusters can be forgotten.

(ii) Performance - ADWICE is linear in the number of input data, thereby heavily reducing training time compared to alternative clustering algorithms. Training time as well as detection time is further reduced by the use of an integrated search index.

(iii) Scalability - Rather than keeping all data in memory, only compact cluster summaries are used. The linear time complexity also improves scalability of training.

We have implemented ADWICE and integrated the algorithm in a software agent. The agent is a part of the Safeguard agent architecture, developed to perform network monitoring, intrusion detection and correlation as well as recovery. We have also applied ADWICE to publicly available network data to compare our approach to related work with similar approaches. The evaluation resulted in a high detection rate at a reasonable false positive rate.

Place, publisher, year, edition, pages
Institutionen för datavetenskap, 2006. 146 p.
Series
Linköping Studies in Science and Technology. Thesis, ISSN 0280-7971 ; 1231
Keyword [en]
intrusion detection, anomaly detection, real-time, clustering, adaptation, IP networks
National Category
Computer Science
Identifiers
URN: urn:nbn:se:liu:diva-5973
ISBN: 91-85497-23-1 (print)
OAI: oai:DiVA.org:liu-5973
DiVA: diva2:21588
Presentation
2006-02-28, Visionen, Hus B, Campus Valla, Linköpings universitet, Linköping, 14:15 (English)
Note
Report code: LiU-Tek-Lic-2006:12.
Available from: 2006-03-20 Created: 2006-03-20 Last updated: 2009-02-17

Open Access in DiVA

fulltext (986 kB), 2249 downloads
File information
File name: FULLTEXT01.pdf
File size: 986 kB
Checksum SHA-1: be05bf00d2cee2732abc47a2970b919def770a53abe7d5016a2159a6bac78bbf347d653a
Type: fulltext
Mimetype: application/pdf
