ADWICE - Anomaly detection with real-time incremental clustering
Linköping University, Department of Computer and Information Science, RTSLAB - Real-Time Systems Laboratory. Linköping University, The Institute of Technology.
2005 (English). In: Information Security and Cryptology - ICISC 2004: 7th International Conference, Seoul, Korea, December 2-3, 2004, Revised Selected Papers / [ed] Choon-sik Park and Seongtaek Chee, Springer Berlin/Heidelberg, 2005, Vol. 3506, pp. 407-424. Chapter in book (Refereed)
Abstract [en]

Anomaly detection, detection of deviations from what is considered normal, is an important complement to misuse detection based on attack signatures. Anomaly detection in real time places hard requirements on the algorithms used, making many proposed data mining techniques less suitable. ADWICE (Anomaly Detection With fast Incremental Clustering) uses the first phase of the existing BIRCH clustering framework to implement fast, scalable and adaptive anomaly detection. We extend the original clustering algorithm and apply the resulting detection mechanism to the analysis of data from IP networks. The performance is demonstrated on the KDD data set as well as on data from a test network at a telecom company. Our experiments show a good detection quality (95 %) and an acceptable false positive rate (2.8 %) considering the online, real-time characteristics of the algorithm. The number of alarms is then further reduced by application of the aggregation techniques implemented in the Safeguard architecture.

Place, publisher, year, edition, pages
Springer Berlin/Heidelberg, 2005. Vol. 3506, pp. 407-424.
Series
Lecture Notes in Computer Science, ISSN 0302-9743 (print), 1611-3349 (online) ; 3506
Keyword [en]
intrusion detection, anomaly detection, adaptability, real-time, clustering
National Category
Engineering and Technology
Identifiers
URN: urn:nbn:se:liu:diva-48186
DOI: 10.1007/11496618_30
ISBN: 978-3-540-26226-8 (print)
ISBN: 3-540-26226-1 (print)
OAI: oai:DiVA.org:liu-48186
DiVA: diva2:269082
Available from: 2009-10-11. Created: 2009-10-11. Last updated: 2013-10-15. Bibliographically approved.

Open Access in DiVA

No full text

Other links

Publisher's full text
Find the book at a Swedish library

Authority records

Burbeck, Kalle Ring; Nadjm-Tehrani, Simin
