K-MEANS FOR MODELLING AND DETECTING ANOMALOUS PROFILES
DOI: https://doi.org/10.47839/ijc.6.1.425
Keywords: Intrusion detection systems, Audit trail analysis, K-means, User behavior, Anomaly intrusion detection, Anomalous behavior
Abstract
We introduce an intrusion detection method based on the K-means (KM) clustering algorithm to detect anomalous user profiles. The main idea is to define k centroids, one per cluster, such that each cluster represents a given user profile. These centroids should be placed as far away from each other as possible. The next step is to take each point in the data set and associate it with the nearest centroid. When no point remains unassigned, the first step is complete and an initial grouping has been formed. At this point we recalculate k new centroids as the barycenters of the clusters resulting from the previous step. Once these k new centroids are available, the same data set points are bound again to the nearest new centroid. This generates a loop in which the k centroids change their location step by step until no further changes occur. An example and experiments are described to illustrate the robustness of our approach.
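The clustering loop described in the abstract, written out as an added example (not the paper's own code): seeds spread far apart, assignment to the nearest centroid, barycenter recomputation until assignments stop changing, then a distance-to-centroid test for new sessions. The profile features, the sample rows and the per-cluster threshold rule (twice the mean intra-cluster distance) are assumptions of this example, not taken from the paper.

```python
import math
# Constructed sample profiles (not from the paper): one row per user session,
# features = [logins, files read, commands run, failed authentications].
PROFILES = [
    [5, 20, 30, 0], [6, 22, 28, 1], [4, 18, 33, 0],      # interactive users
    [1, 200, 5, 0], [2, 210, 4, 1], [1, 190, 6, 0],      # batch/report users
    [3, 25, 150, 0], [2, 30, 160, 1], [4, 28, 145, 0],   # developers
]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def nearest(point, centroids):
    return min(range(len(centroids)), key=lambda i: dist(point, centroids[i]))

def init_far_apart(points, k):
    """Seed k centroids as far from each other as possible (farthest-point rule)."""
    centroids = [list(points[0])]
    while len(centroids) < k:
        far = max(points, key=lambda p: min(dist(p, c) for c in centroids))
        centroids.append(list(far))
    return centroids

def kmeans(points, k, max_iter=100):
    """Assign points to nearest centroid, recompute barycenters, loop until stable."""
    centroids = init_far_apart(points, k)
    labels = None
    for _ in range(max_iter):
        new_labels = [nearest(p, centroids) for p in points]
        if new_labels == labels:
            break                      # centroids stopped moving
        labels = new_labels
        for i in range(k):
            members = [p for p, l in zip(points, labels) if l == i]
            if members:                # an emptied cluster keeps its old centroid
                centroids[i] = [sum(c) / len(members) for c in zip(*members)]
    return centroids, labels

def cluster_thresholds(points, centroids, labels, factor=2.0):
    """Assumed rule: flag beyond factor x mean intra-cluster distance."""
    thr = []
    for i, c in enumerate(centroids):
        ds = [dist(p, c) for p, l in zip(points, labels) if l == i]
        thr.append(factor * sum(ds) / len(ds) if ds else 0.0)
    return thr

def is_anomalous(profile, centroids, thresholds):
    """A session is anomalous if it lies farther from its nearest profile centroid than that cluster's threshold."""
    i = nearest(profile, centroids)
    return dist(profile, centroids[i]) > thresholds[i]
```

A single-member cluster yields a zero threshold here, so in practice the factor and the minimum cluster size must be tuned on a training period of known-good audit data.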
License
International Journal of Computing is an open access journal. Authors who publish with this journal agree to the following terms:
• Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
• Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
• Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work.