Intrusion signature creation via clustering anomalies

Current practices for combating cyber attacks typically use Intrusion Detection Systems (IDSs) to detect and block multi- stage attacks. Because of the speed and impacts of new types of cyber attacks, current IDSs are limited in providing accurate detection while reliably adapting to new attacks. In signature-based IDS systems, this limitation is made apparent by the latency from day zero of an attack to the creation of an appropriate signature. This work hypothesizes that this latency can be shortened by creating signatures via anomaly-based algorithms. A hybrid supervised and unsupervised clustering algorithm is proposed for new signature creation. These new signatures created in real-time would take effect immediately, ideally detecting new attacks. This work first investigates a modified density-based clustering algorith m as an IDS, with its strengths and weaknesses identified. A signa ture creation algorithm leveraging the summarizing abilities of clustering is investigated. Lessons learned from the sup ervised signature creation are then leveraged for the devel op- ment of unsupervised real-time signature classification. A utomating signature creation and classification via cluste ring is demonstrated as satisfactory but with limitations.