A comparative study of unsupervised anomaly detection techniques using honeypot data

Abstract

Intrusion Detection Systems (IDS) have heen received considerable attention among the network security researchers as one of the most promising countcrmcasurcs to defend our crucial computer systems or networks against attackers on the Internet. Over the past few years, manv machine learning techniques have been applied lu IDSs so as to improve their pcrfoimancc and to construct them with low cost and effort. Especially, unsupervised anomaly detection techniques have a significant advantage in their capability to identify unforeseen attacks, i.e., 0-day attacks, arid to build intrusion detection models without any labeled (i.e., pre-classified) training data in an automated, manner In this paper, we con-duel a set of experiments to evaluate and analyze performance of the major unsupervised anomaly detection techniques using real traffic data which are obtained at our honeypots deployed inside and outside of the campus network of Kyoto University, and using various evaluation criteria, i.e., performance evaluation by similarity measurements and the size of training data, overall performance, detection ability tor unknown attacks, and time complexity. Our experimental results give some practical and useful guidelines to IDS researchers and operators, so that they can acquire insight to apply these techniques to the area ot inlrusion delection, and devise more effective intrusion detection models. Copyright © 2010.The Institute of Electronics, Information and Communication Engineers.