ADWICE - Anomaly detection with real-time incremental clustering
2005 (English). In: Information Security and Cryptology - ICISC 2004: 7th International Conference, Seoul, Korea, December 2-3, 2004, Revised Selected Papers / [ed] Choon-sik Park and Seongtaek Chee, Springer Berlin/Heidelberg, 2005, Vol. 3506, 407-424 p. Chapter in book (Refereed)
Anomaly detection, the detection of deviations from what is considered normal, is an important complement to misuse detection based on attack signatures. Anomaly detection in real time places hard requirements on the algorithms used, making many proposed data mining techniques less suitable. ADWICE (Anomaly Detection With fast Incremental Clustering) uses the first phase of the existing BIRCH clustering framework to implement fast, scalable and adaptive anomaly detection. We extend the original clustering algorithm and apply the resulting detection mechanism to the analysis of data from IP networks. The performance is demonstrated on the KDD data set as well as on data from a test network at a telecom company. Our experiments show a good detection quality (95 %) and an acceptable false positive rate (2.8 %) considering the online, real-time characteristics of the algorithm. The number of alarms is then further reduced by application of the aggregation techniques implemented in the Safeguard architecture.
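As an added illustration (not code from the paper or the Safeguard project) of the mechanism the abstract describes: BIRCH-style cluster features (N, LS, SS) are built incrementally from constructed "normal" feature vectors, and a new vector raises an alarm when it lies too far from every learned cluster. It assumes a flat list of cluster features in place of BIRCH's CF tree and a nearest-centroid distance threshold as the detection rule; the thresholds and sample vectors are constructed for the example.

```python
import math

# Constructed sample of "normal" two-dimensional feature vectors; real input
# would be numeric feature vectors derived from IP network data.
NORMAL_TRAINING = [(1.0, 1.0), (1.2, 0.8), (0.9, 1.1), (5.0, 5.0), (5.1, 4.9), (4.8, 5.2)]

class ClusterFeature:
    """BIRCH cluster feature (N, LS, SS): a compact summary of absorbed points."""
    def __init__(self, n, ls, ss):
        self.n, self.ls, self.ss = n, ls, ss

    @classmethod
    def from_point(cls, p):
        return cls(1, list(p), sum(x * x for x in p))

    def with_point(self, p):
        # CFs are additive: absorbing a point is a component-wise sum.
        ls = [a + b for a, b in zip(self.ls, p)]
        return ClusterFeature(self.n + 1, ls, self.ss + sum(x * x for x in p))

    def centroid(self):
        return [s / self.n for s in self.ls]

    def radius(self):
        # RMS distance of members from the centroid, computed from (N, LS, SS) alone.
        c = self.centroid()
        return math.sqrt(max(self.ss / self.n - sum(x * x for x in c), 0.0))

def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

class Adwice:
    """Assumption: a flat list of CFs stands in for BIRCH's CF tree index."""
    def __init__(self, radius_threshold, detection_threshold):
        self.cfs, self.t_radius, self.t_detect = [], radius_threshold, detection_threshold

    def nearest(self, p):
        return min(self.cfs, key=lambda cf: euclid(cf.centroid(), p), default=None)

    def train(self, p):
        # BIRCH phase-1 insertion: absorb into the nearest CF if its radius stays
        # within the threshold, otherwise open a new CF. Callable online to adapt.
        cf = self.nearest(p)
        merged = cf.with_point(p) if cf is not None else None
        if merged is not None and merged.radius() <= self.t_radius:
            self.cfs[self.cfs.index(cf)] = merged
        else:
            self.cfs.append(ClusterFeature.from_point(p))

    def is_anomaly(self, p):
        # Assumed detection rule: too far from every learned normal cluster -> alarm.
        cf = self.nearest(p)
        return cf is None or euclid(cf.centroid(), p) > self.t_detect

def build_model(points=NORMAL_TRAINING, radius_threshold=0.5, detection_threshold=1.0):
    model = Adwice(radius_threshold, detection_threshold)
    for p in points:
        model.train(p)
    return model
```

With the constructed data the model learns two clusters; a vector near either is accepted, while a far-off vector such as (20, 20) is flagged.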
Place, publisher, year, edition, pages
Springer Berlin/Heidelberg, 2005. Vol. 3506, 407-424 p.
Lecture Notes in Computer Science, ISSN 0302-9743 (print), 1611-3349 (online) ; 3506
intrusion detection, anomaly detection, adaptability, real-time, clustering
Engineering and Technology
Identifiers
URN: urn:nbn:se:liu:diva-48186
DOI: 10.1007/11496618_30
ISBN: 978-3-540-26226-8
ISBN: 3-540-26226-1
OAI: oai:DiVA.org:liu-48186
DiVA: diva2:269082