Threshold-based clustering for intrusion detection systems

Vladimir Nikulin

doi:10.1117/12.665326

Threshold-based clustering for intrusion detection systems

Vladimir Nikulin^*

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

2 Citations (Scopus)

Abstract

Signature-based intrusion detection systems look for known, suspicious patterns in the input data, In this paper we explore compression of labeled empirical data using threshold-based clustering with regularization. The main target of clustering is to compress training dataset to the limited number of signatures, and to minimize the number of comparisons that are necessary to determine the status of the input event as a result. Essentially, the process of clustering includes merging of the clusters which are close enough. As a consequence, we will reduce original dataset to the limited number of labeled centroids. In a complex with k-nearest-neighbor (kNN) method, this set of centroids may be used as a multiclass classifier. Clearly, different attributes have different importance depending on the particular training database. This importance may be regulated in the definition of the distance using linear weight coefficients. The paper introduces special procedure to estimate above weight coefficients. The experiments on the KDD-99 intrusion detection dataset have confirmed effectiveness of the proposed methods.

Original language	English
Title of host publication	Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security 2006
DOIs	https://doi.org/10.1117/12.665326
Publication status	Published - 2006
Event	Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security 2006 - Kissimmee, FL, United States Duration: 17 Apr 2006 → 18 Apr 2006

Publication series

Name	Proceedings of SPIE - The International Society for Optical Engineering
Volume	6241
ISSN (Print)	0277-786X

Conference

Conference	Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security 2006
Country/Territory	United States
City	Kissimmee, FL
Period	17/04/06 → 18/04/06

Access to Document

10.1117/12.665326

Cite this

@inproceedings{196cfc6700f74b3383b0a1dbd4fb8aff,

title = "Threshold-based clustering for intrusion detection systems",

abstract = "Signature-based intrusion detection systems look for known, suspicious patterns in the input data, In this paper we explore compression of labeled empirical data using threshold-based clustering with regularization. The main target of clustering is to compress training dataset to the limited number of signatures, and to minimize the number of comparisons that are necessary to determine the status of the input event as a result. Essentially, the process of clustering includes merging of the clusters which are close enough. As a consequence, we will reduce original dataset to the limited number of labeled centroids. In a complex with k-nearest-neighbor (kNN) method, this set of centroids may be used as a multiclass classifier. Clearly, different attributes have different importance depending on the particular training database. This importance may be regulated in the definition of the distance using linear weight coefficients. The paper introduces special procedure to estimate above weight coefficients. The experiments on the KDD-99 intrusion detection dataset have confirmed effectiveness of the proposed methods.",

keywords = "Distance-based clustering, Intrusion detection, k-nearest-neighbor method",

author = "Vladimir Nikulin",

year = "2006",

doi = "10.1117/12.665326",

language = "English",

isbn = "0819462977",

series = "Proceedings of SPIE - The International Society for Optical Engineering",

booktitle = "Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security 2006",

note = "Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security 2006 ; Conference date: 17-04-2006 Through 18-04-2006",

}

Nikulin, V 2006, Threshold-based clustering for intrusion detection systems. in Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security 2006., 62410E, Proceedings of SPIE - The International Society for Optical Engineering, vol. 6241, Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security 2006, Kissimmee, FL, United States, 17/04/06. https://doi.org/10.1117/12.665326

Threshold-based clustering for intrusion detection systems. / Nikulin, Vladimir.
Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security 2006. 2006. 62410E (Proceedings of SPIE - The International Society for Optical Engineering; Vol. 6241).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Threshold-based clustering for intrusion detection systems

AU - Nikulin, Vladimir

PY - 2006

Y1 - 2006

N2 - Signature-based intrusion detection systems look for known, suspicious patterns in the input data, In this paper we explore compression of labeled empirical data using threshold-based clustering with regularization. The main target of clustering is to compress training dataset to the limited number of signatures, and to minimize the number of comparisons that are necessary to determine the status of the input event as a result. Essentially, the process of clustering includes merging of the clusters which are close enough. As a consequence, we will reduce original dataset to the limited number of labeled centroids. In a complex with k-nearest-neighbor (kNN) method, this set of centroids may be used as a multiclass classifier. Clearly, different attributes have different importance depending on the particular training database. This importance may be regulated in the definition of the distance using linear weight coefficients. The paper introduces special procedure to estimate above weight coefficients. The experiments on the KDD-99 intrusion detection dataset have confirmed effectiveness of the proposed methods.

AB - Signature-based intrusion detection systems look for known, suspicious patterns in the input data, In this paper we explore compression of labeled empirical data using threshold-based clustering with regularization. The main target of clustering is to compress training dataset to the limited number of signatures, and to minimize the number of comparisons that are necessary to determine the status of the input event as a result. Essentially, the process of clustering includes merging of the clusters which are close enough. As a consequence, we will reduce original dataset to the limited number of labeled centroids. In a complex with k-nearest-neighbor (kNN) method, this set of centroids may be used as a multiclass classifier. Clearly, different attributes have different importance depending on the particular training database. This importance may be regulated in the definition of the distance using linear weight coefficients. The paper introduces special procedure to estimate above weight coefficients. The experiments on the KDD-99 intrusion detection dataset have confirmed effectiveness of the proposed methods.

KW - Distance-based clustering

KW - Intrusion detection

KW - k-nearest-neighbor method

UR - http://www.scopus.com/inward/record.url?scp=33747366161&partnerID=8YFLogxK

U2 - 10.1117/12.665326

DO - 10.1117/12.665326

M3 - Conference contribution

AN - SCOPUS:33747366161

SN - 0819462977

SN - 9780819462978

T3 - Proceedings of SPIE - The International Society for Optical Engineering

BT - Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security 2006

T2 - Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security 2006

Y2 - 17 April 2006 through 18 April 2006

ER -

Threshold-based clustering for intrusion detection systems

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this