Intrusion Detection in Unstructured Contexts Using On-line Clustering and Novelty Detection
Author(s) -
Eduardo Alves Ferreira,
Rodrigo Fernandes de Mello
Publication year - 2013
Publication title -
revista de informática teórica e aplicada
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.11
H-Index - 1
eISSN - 2175-2745
pISSN - 0103-4308
DOI - 10.22456/2175-2745.26211
Subject(s) - novelty detection, intrusion detection system, computer science, cluster analysis, context (archaeology), novelty, data mining, artificial intelligence, pattern recognition (psychology), paleontology, philosophy, theology, biology
The characterization of process behavior is usually considered when performing intrusion detection. Several works characterize specific aspects of systems and attempt to detect novelties in that context, associating observed anomalies with attack events. Such an approach is limited or even useless when the observed context is unstructured, i.e., when the monitor generates text-based log files or a variable number of application attributes. In order to overcome this drawback, this paper considers the use of single-pass clustering techniques to quantize unstructured data and generate time series, using algorithms with low computational complexity that are applicable in a real-world scenario. Afterward, novelty detection techniques are employed on such series to distinguish behavior anomalies, which are associated with intrusions. We evaluated the approach using a system characterization dataset and confirmed that it aggregates context information to represent the behavior of applications as time series, on which novelty detection can be successfully performed.