Grid‐ and dummy‐cluster‐based learning of normal and intrusive clusters for computer intrusion detection
Author(s) - Li Xiangyang, Ye Nong
Publication year - 2002
Publication title - Quality and Reliability Engineering International
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.913
H-Index - 62
eISSN - 1099-1638
pISSN - 0748-8017
DOI - 10.1002/qre.477
Subject(s) - intrusion detection system , computer science , data mining , robustness (evolution) , scalability , computer cluster , grid , unix , anomaly based intrusion detection system , cluster analysis , network security , artificial intelligence , pattern recognition (psychology) , operating system , software , biochemistry , chemistry , geometry , mathematics , gene
As an important part of information security, computer intrusion detection aims at capturing intrusive activities occurring in computer and network systems. Many existing signature recognition techniques for intrusion detection cannot handle the huge amounts of complex data produced by computer and network systems in a scalable, incremental manner. This paper presents an application of an innovative data-mining algorithm, CCAS, to intrusion detection through intrusion signature recognition. CCAS provides a scalable, incremental procedure for learning clusters of different classes (i.e. normal and intrusive classes) from historic training data of normal and intrusive activities in computer and network systems. These clusters of normal and intrusive computer activities are then used to classify observed data of computer activities for intrusion detection. Two different methods of learning clusters are developed, tested and compared: grid-based and dummy-cluster-based. Training and testing data are computer audit data produced by the Basic Security Module of a Solaris operating system, which records activities on a UNIX-based host machine. The two CCAS methods are tested using four different input orders of training data points to examine the robustness (sensitivity) of these methods to the input order of training data points. The detection performance and robustness of both CCAS methods are analyzed. The testing results show that different input orders of training data have a certain impact on the performance of both methods. The impact on the performance of dummy-cluster-based CCAS is more significant when all normal data are presented first, before the attack data, in the training data set. Dummy-cluster-based CCAS produces better performance than grid-based CCAS for three of the four input orders and, overall, produces fewer clusters, thus requiring less computation time for clustering and classification in intrusion detection.
Copyright © 2002 John Wiley & Sons, Ltd.