Network anomaly detection based on clustering of sequence patterns

Abstract

Anomaly detection is a method for identifying behaviors that do not accord with normal ones. It is mostly used for detecting abnormal behaviors and mutational and unknown attacks. In this paper, we propose a technique that generates patterns of network-based normal behaviors in blocks of a TCP network session for anomaly detection. One session is expressed as one pattern based on the stream of packets in the session, and thus the pattern we generate has a sequential feature. We use the ROCK algorithm to cluster the sequence patterns, which have categorical attributes. This algorithm performs clustering based on our similarity function, which uses Dynamic Programming. Through clustering, the many sequence patterns of normal behaviors can be reduced to several representative sequence patterns. Our detecting sensor uses a profiling dataset that is constructed from the representative sequence patterns of normal behaviors. We show the effectiveness of the proposed model by using results from the 1999 DARPA Intrusion Detection Evaluation. © Springer-Verlag Berlin Heidelberg 2006.

Cite

Noh, S. K., Kim, Y. M., Kim, D. K., & Noh, B. N. (2006). Network anomaly detection based on clustering of sequence patterns. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 3981 LNCS, pp. 349–358). Springer Verlag. https://doi.org/10.1007/11751588_37
