Hu Liang,Ren Wei-wu,Ren Fei

DOI: https://doi.org/10.1109/AICI.2009.239

2009-01-01

Abstract:Most anomaly detection methods can not be fit for the changing and complex network. High noise and updating normality profiles not in time will lead to high false alarm rate. In this paper, a new anomaly detection algorithm using improved hierarchy clustering, called ADIHC, is proposed in this paper. It applies an improved hierarchy clustering tree to organize clusters which are obtained by density-based partitioning method. We extend the clustering algorithm and apply branch and bound method for filtering noise. With the help of two advantages: filtering noise and updating normality profiles at any time, our algorithm is suitable for the changing and complex network. A series of experimental results on well known KDD Cup 1999 dataset indicate that ADIHC has superior performance of detection and meets more real-time requirements of intrusion detection system.

Ren Wei-wu,Hu Liang,Zhao Kuo,Chu Jianfeng

DOI: https://doi.org/10.4304/jnw.8.3.672-679

2013-01-01

Abstract:For the purpose of improving real time and profiles accuracy, a parallel anomaly detection algorithm based on hierarchical clustering has been proposed. Training and predicting are two busiest processes and they are parallel designed and implemented. Moreover, an abnormal cluster feature tree is built to dig anomalies from normal profiles. A series of experiment results on well-known KDD Cup 1999 data sets indicate that the improved algorithm has superior performance in both detection and real time.

HU Liang,REN Wei-wu,REN Fei,LIU Xiao-bo,JIN Gang

DOI: https://doi.org/10.3321/j.issn:1671-5489.2009.05.021

2009-01-01

Abstract:This paper proposes an Anomaly Detection algorithm based on Improved Density Clustering(ADIDC).The improved algorithm adopts clustering features separately on individual characteristic arranges and weighting features by the correlativity between the features and the normal profile.It can solve the frequent problem of the high false positive rate on clustering in the application of anomaly detection.A series of experiments on well known KDD Cup 1999 dataset demonstrates that it has a lower false positive rate,especially ensuring high detection rate with respect to the traditional anomaly detection methods.The detection of the special attack which resembles the normal act is obviously improved.In addtion,the detection performace can be further optimized by feature selection via feature weights.It makes the proposed algorithm more suitable for the real-time detection.

Fei Ren,Liang Hu,Hao Liang,Xiaobo Liu,Weiwu Ren

DOI: https://doi.org/10.1109/CSSE.2008.811

2008-01-01

Abstract:This paper proposed a new anomaly detection algorithm that can update normal profile of system usage pattern dynamically. The feature used to model system’s usage pattern was program behavior. When system usage pattern changed, new program behaviors will be inserted into old profiles by density-based incremental clustering. Compared to traditional re-clustering updating, it is much more efficiently. Experiments with 1998 DARPA BSM audit data, shows that normal profiles generated by our algorithm is less sensitive to noise data objects than profile generated by analogous incremental algorithm ADWICE. So our algorithm shows an incremental detection quality and a much lower false alarm rate.

Fei Ren,Liang Hu,Kuo Zhao,Hao Liang,Weiwu Ren

2009-01-01

Journal of Information and Computational Science

Abstract:As web data is increasing at an exponential rate, it is impossible for safety devices to dealing with the large scale data by the traditional way. For saving the calculation and storage resources on safety devices, incremental intrusion detection algorithm becomes a research focus. It can make a good use of existed processing results on web data set. In this paper, a network anomaly detection algorithm ADIC using incremental density-based clustering is proposed. The algorithm clusters on each feature of the training data set. The properties of a cluster are described by a statistical profile. The collection of all statistical profiles on training data set is used to monitor the target system and detect intruders. The updating algorithm of insertion and is explored to adjust existing clusters and statistical profiles real-timely. Due to the density-based nature, updating operations affects the former clusters only in a small range neighborhood of the inserted or deleted training instances. Thus, our algorithm is efficient enough to meet the request of real-time detection and updating. The comparison experiment with ADWICE algorithm on KDDCUP99 reflects that our algorithm has a better performance on incremental data processing and higher detection quality. Copyright ©2009 Binary Information Press.

Peng Shi,Zhen Zhao,Huaqiang Zhong,Hangyu Shen,Lianhong Ding

DOI: https://doi.org/10.1002/cpe.6077

2021-01-01

Abstract:SummaryAnomaly detection tries to find out the data that disobeys the rule of majority data or expected patterns. The traditional hierarchical clustering algorithms have been adopted to detect anomaly, but have the disadvantages of low effectiveness and unstability. So we propose an improved agglomerative hierarchical clustering method for anomaly detection. It dynamically adjusts the optimum clustering number according to the self‐defined criterion to save the trouble of manually picking clustering number, and determines the optimum clustering distance mode according to cophenetic correlation coefficient to reduce the procedure of manually testing the suitable distance mode in each iteration. The performances of proposed method are verified on tensile test, HTRU2 and credit card dataset. Compared with the traditional methods, our method possesses the most comprehensive performance (the highest F‐measure with less iterations), which shows effectiveness of anomaly detection. And compared with the traditional methods (single, complete, average, and centroid mode), our method achieves the best performance on tensile test and HTRU2 dataset, showing stronger generalization. Compared with other methods (Decision + Gradient Boosted Tree, Decision Trees + Decision Stump, etc) on credit card dataset, our method obtains similar accuracy, and ranks in the top level in the aspect of sensitivity.

Liang Hu,Nurbol,Zhiyu Liu,Jinshan He,Kuo Zhao

DOI: https://doi.org/10.4103/0256-4602.62784

2010-01-01

IETE Technical Review

Abstract:Anomaly detection, as an important complement to misuse detection, has the capability of finding and foiling both known and "zero day" attacks. Performing anomaly detection in real time places hard requirement on the algorithms used. It makes many detection techniques based on proposed data mining algorithms less suitable to be used under real-time network circumstances. To address the problem, a novel anomaly detection algorithm using time-stamped clustering is proposed. In this paper, the normality model used for detection is the clustering result of BIRCH. Once a cluster is generated or modified in the tree index of BIRCH, it will be marked by a lasted modified time-stamp and frequent item. Using each clusters time-stamp and frequent item, the algorithm can dynamically remove some expired clusters from the model, and can also produce some new clusters that makes our clustering method more suitable for the real network environment. Experiments with the KDDCUP 1999 dataset show that our algorithm is less sensitive to noise data objects than ADWICE and has lower computer resource consumption.

LI Na,ZHONG Cheng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.02.040

2008-01-01

Abstract:Information entropy theory is applied to the clustering problem for intrusion detection,and the distances for mixed attributes between two data items,data and clusters,and two clusters are defined. By applying overall similarity to evaluate the cluster quality for merging clusters,an unsupervised anomaly detection algorithm based on partition and agglomerative hierarchical clustering,is presented. The algorithm analysis and experimental results show that this algorithm obtains good detection performance and can detect efficiently the new unknown intrusions.

Ma Li,Bai Lin,Jiao Li-cheng,Chen Chang-guo

DOI: https://doi.org/10.1109/iccias.2006.294205

2006-01-01

Abstract:Adaptive polyclonal algorithm is the improved one of clonal selection algorithm, and its convergence speed is much faster. This paper intends to direct a novel clustering analysis by means of the affinity function that the adaptive polyclonal clustering strategy affects. The clustering algorithm has the advantage that it does not depend on priori knowledge and has nothing to do data distribution, effectively overcoming the disadvantage that some existing algorithms are sensitive to initialization and easy to be trapped into the local optima. This algorithm clusters large data sets with mixed numeric and categorical values effectively. The intrusion detection system based on this algorithm can deal with massive unlabeled data to distinguish between normal and anomaly and even can detect unknown attacks. The computer comparison-contrast simulations through the KDD CUP 99 datasets show that the algorithm discussed in this paper has much superior detection rate and less false positive rate when compared with AiNet algorithm, the algorithm of L. Portnoy (2000) and the algorithm of L. Jing and L. Fang (2004)

Weiwu Ren,Liang Hu,Kuo Zhao,Jianfeng Chu

DOI: https://doi.org/10.12733/jcis6597

2013-01-01

Journal of Computational Information Systems

Abstract:Decision tree and hierarchical clustering in application of the field of intrusion detection have its own advantages and disadvantages. For purposes of covering up the shortcomings of each other and searching an optimal balance between them, a multiple-level hybrid intrusion detection system based on hierarchical clustering and decision tree has been proposed. Misuse modules and anomaly modules are organized by a multiple-level hybrid tree. According to the actual performance, misuse module or anomaly module is selected to be the detector. A series of experiment results on well-known KDD Cup 1999 data sets indicate that the hybrid model has good performance in both detection and real time. © 2013 by Binary Information Press.

Chun Yang,Feiqi Deng,Haidong Yang

DOI: https://doi.org/10.1109/CHINACOM.2007.4469390

2007-01-01

Abstract:Previous Research in network intrusion detection system (NIDS) has typically used misuse detection or supervised anomaly detection techniques. These techniques have difficulty in detecting new types of attacks or causing high false positives in real network environment. Unsupervised anomaly detection can overcome the drawbacks of misuse detection and supervised anomaly detection. In this paper, normal-anomaly patterns are built over the network traffic dataset that uses subtractive clustering, and at the same time the built Hidden Markov Model (HMM) correlates the observation sequences and state transitions to predict the most probable intrusion state sequences. The proposed unsupervised anomaly detection approach is capable of reducing false positives by classifying intrusion sequences into different emergency levels. The experimental results are also reported using the KDDCup'99 dataset and Matlab.

Wei Xiaotao,Huang Houkuan,Tian Shengfeng

2007-01-01

Abstract:A semi-supervised clustering algorithm based on the traditional k-means algorithm is proposed for network anomaly detection. We improve the original algorithm mainly in three aspects. First, the number of clusters is automatically decided by merging and splitting of clusters. Second, a small portion of labeled samples are employed to supervise the clustering process in the merging and splitting stage. Also, we modify the algorithm to directly process the symbolic attribute values. Experimental result on the KDD 99 intrusion detection datasets shows that our algorithm has high detection rate while maintaining a low false positive rate.

Liang Hu, Nurbol,Xiaobo Liu,Kuo Zhao

2010-01-01

Journal of Information and Computational Science

Abstract:This paper proposed a new algorithm based on time stamped hierarchical clustering for intrusion detection. It incrementally clusters incoming data objects of normal behavior, and produces a precise model. Using each clusters time stamp, the algorithm can dynamically remove some expired clusters from the model, and also can produces some new cluster, that makes our clustering method more suitable for real network environment. Experiments with KDDCUP 1999 data set show our algorithm is less sensitive to noise data objects than ADWICE, and has low computer resource consumptions. Copyright © 2010 Binary Information Press.

Gerard Shu Fuhnwi,Janet O. Agbaje,Kayode Oshinubi,Olumuyiwa James Peter

DOI: https://doi.org/10.46481/jnsps.2023.1364

2023-04-19

Journal of the Nigerian Society of Physical Sciences

Abstract:In data mining, and statistics, anomaly detection is the process of finding data patterns (outcomes, values, or observations) that deviate from the rest of the other observations or outcomes. Anomaly detection is heavily used in solving real-world problems in many application domains, like medicine, finance , cybersecurity, banking, networking, transportation, and military surveillance for enemy activities, but not limited to only these fields. In this paper, we present an empirical study on unsupervised anomaly detection techniques such as Density-Based Spatial Clustering of Applications with Noise (DBSCAN), (DBSCAN++) (with uniform initialization, k-center initialization, uniform with approximate neighbor initialization, and $k$-center with approximate neighbor initialization), and $k$-means$--$ algorithms on six benchmark imbalanced data sets. Findings from our in-depth empirical study show that k-means-- is more robust than DBSCAN, and DBSCAN++, in terms of the different evaluation measures (F1-score, False alarm rate, Adjusted rand index, and Jaccard coefficient), and running time. We also observe that DBSCAN performs very well on data sets with fewer number of data points. Moreover, the results indicate that the choice of clustering algorithm can significantly impact the performance of anomaly detection and that the performance of different algorithms varies depending on the characteristics of the data. Overall, this study provides insights into the strengths and limitations of different clustering algorithms for anomaly detection and can help guide the selection of appropriate algorithms for specific applications.

Zhiwei Yang,Peng Wu,Jing Liu,Xiaotao Liu

DOI: https://doi.org/10.48550/arXiv.2207.10948

2022-07-22

Abstract:Existing methods for anomaly detection based on memory-augmented autoencoder (AE) have the following drawbacks: (1) Establishing a memory bank requires additional memory space. (2) The fixed number of prototypes from subjective assumptions ignores the data feature differences and diversity. To overcome these drawbacks, we introduce DLAN-AC, a Dynamic Local Aggregation Network with Adaptive Clusterer, for anomaly detection. First, The proposed DLAN can automatically learn and aggregate high-level features from the AE to obtain more representative prototypes, while freeing up extra memory space. Second, The proposed AC can adaptively cluster video data to derive initial prototypes with prior information. In addition, we also propose a dynamic redundant clustering strategy (DRCS) to enable DLAN for automatically eliminating feature clusters that do not contribute to the construction of prototypes. Extensive experiments on benchmarks demonstrate that DLAN-AC outperforms most existing methods, validating the effectiveness of our method. Our code is publicly available at <a class="link-external link-https" href="https://github.com/Beyond-Zw/DLAN-AC" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition

Guowei Wu,Lin Yao,Kai Yao

DOI: https://doi.org/10.1109/ICIA.2006.305969

2007-01-01

Abstract:In this paper, we introduce an adaptive clustering algorithm for intrusion detection based on wavecluster which was introduced by Gholamhosein in 1999 and used with success in image processing. Because of the non-stationary characteristic of network traffic, we extend and develop an adaptive wavecluster algorithm for intrusion detection. Using the multiresolution property of wavelet transforms, we can effectively identify arbitrarily shaped clusters at different scales and degrees of detail, moreover, applying wavelet transform removes the noise from the original feature space and make more accurate cluster found. Experimental results on KDD-99 intrusion detection dataset show the efficiency and accuracy of this algorithm. A detection rate above 96% and a false alarm rate below 3% are achieved. The time complexity of the adaptive wavecluster algorithm is O(N) ,which is comparatively low than other algorithm

Wen-Bo Xie,Bin Chen,Xun Fu,Jun-Hao Shi,Yan-Li Lee,Xin Wang

DOI: https://doi.org/10.1016/j.ins.2024.120811

IF: 8.1

2024-01-01

Information Sciences

Abstract:Hierarchical clustering plays a crucial role in real-world knowledge discovery and data mining applications. This powerful technique provides tree-shaped results that are typically considered data summaries. However, achieving well-organized outputs requires a challenging trade-off between computational complexity (both in time and space) and clustering accuracy, especially in big data scenarios. To address this challenge, we propose a novel agglomerative algorithm for hierarchical clustering. Our algorithm constructs tree-shaped subclusters using a nearest-neighbour chain search. Next, the proxy (root) for each subcluster is identified using a local density peak detection mechanism, which guides the subsequent aggregation. Additionally, we propose a non-parametric variant to facilitate the easy implementation of the algorithm in real-world applications. Comprehensive experimental studies on fourteen real-world and synthetic datasets demonstrate that our algorithm surpasses other benchmarks in terms of clustering accuracy, response time, and memory footprint in most cases. Notably, our proposed algorithm can handle up to two million data points on a personal computer, further verifying its cost-effectiveness.

Xiao-Dong Zang,Jian Gong,Xiao-Yan Hu

DOI: https://doi.org/10.1109/access.2019.2914303

IF: 3.9

2019-01-01

IEEE Access

Abstract:Anomaly detection is the first step with a challenging task of securing a communication network, as the anomalies may indicate suspicious behaviors, attacks, network malfunctions, or failures. In this paper, we address the problem of not only detecting different anomalies, such as volume based (e.g., DDoS or Flash crowd) and spatial based (e.g., network scan), that arise simultaneously in the wild but also of attributing the anomalous point to a single-anomaly event causing it. Besides, we also tackle the problem of low-detection accuracy caused by the phenomenon of traffic drift. To this end, a novel adaptive profile-based anomaly detection scheme is proposed. More specifically, a more comprehensive metrics set is defined from the dimensions of temporal, spatial, category, and intensity to compose IP traffic behavior characteristic spectrum for fine-grained traffic characterization. Then, the digital signature matrix obtained by using the ant colony optimization (ACO) algorithm is applied to construct the baseline profile of the normal traffic behavior. Anomalous points are identified and analyzed by using confidence bands and a generic clustering technique, respectively. Finally, a lightweight updating strategy is applied to reduce the number of false positives. Real-world data of China Education Research Network backbone and synthetic data are collected to verify our proposal. The experimental results demonstrate that our approach provides a fine-grained behavior description ability and has significantly increased the detection accuracy compared with other similar alternatives.

Yuan Yuan,Yuangang Li

DOI: https://doi.org/10.1155/2022/5985426

IF: 1.43

2022-10-02

Mathematical Problems in Engineering

Abstract:Data anomaly detection plays a vital role in protecting network security and developing network technology. Aiming at the detection problems of large data volume, complex information, and difficult identification, this paper constructs a modified hybrid anomaly detection (MHAD) method based on the K-means clustering algorithm, particle swarm optimization, and genetic algorithm. First, by designing coding rules and fitness functions, the multiattribute data is effectively clustered, and the inheritance of good attributes is guaranteed. Second, by applying selection, crossover, and mutation operators to particle position and velocity updates, local optima problems are avoided and population diversity is ensured. Finally, the Fisher score expression for data attribute extraction is constructed, which reduces the required sample size and improves the detection efficiency. The experimental results show that the MHAD method has better performance than the K-means clustering algorithm, the support vector machine, decision trees, and other methods in the four indicators of recall, precision, prediction accuracy, and F-measure. The main advantages of the proposed method are that it achieves a balance between global and local search and ensures a high detection rate and a low false positive rate.

engineering, multidisciplinary,mathematics, interdisciplinary applications

Chunming Lin,Bowen Du,Leilei Sun,Linchao Li

DOI: https://doi.org/10.1109/tkde.2024.3360640

IF: 9.235

2024-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Anomaly detection in multivariate time series is a critical research area, but it is also a challenging one due to its occurrence in various real-world scenarios, such as structural health monitoring and risk management. Traditional approaches for anomaly detection rely on deviating distribution and a static threshold that is set manually. However, static thresholds fail to detect contextual anomalies, leading to a high ratio of false anomalies. Therefore, a self-adaptive thresholding method is required to improve the accuracy of anomaly detection. In this study, we propose HCR-AdaAD, a multivariate anomaly detection framework that combines hierarchical context representation learning with deep learning methods. The core idea is to extract normal time-series patterns by transforming them into images, which can be used to extract spatial features and generate robust representations for normal time series. Next, we adopt Extreme Value Theory (EVT) to set self-adaptive thresholds in streaming time series, which can contribute to the ideal precision for anomaly detection and high interpretability with contextual information. We conducted evaluation experiments on three public datasets, and the results demonstrate the effectiveness and soundness of our proposed model. HCR-AdaAD offers a novel and effective approach to anomaly detection in multivariate time series that outperforms traditional methods, making it a promising solution for real-world applications in various domains.

computer science, information systems, artificial intelligence,engineering, electrical & electronic