Adaptive real-time anomaly detection with incremental clustering

Information Security Technical Report

Volumn 12, Issue 1, 2007, Pages 56-67

  Burbeck, Kalle ^a   Nadjm Tehrani, Simin ^a  

^a LINKÖPING UNIVERSITY   (Sweden)

Author keywords

[No Author keywords available]

Indexed keywords

ADAPTIVE CONTROL SYSTEMS; ALGORITHMS; DATA STRUCTURES; INTERNET PROTOCOLS; TELECOMMUNICATION SYSTEMS;

ANOMALY DETECTION; INCREMENTAL CLUSTERING; INDEXING MECHANISMS; INFORMATION (IP) NETWORKS;

INTRUSION DETECTION;

EID: 34249731961     PISSN: 13634127     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.istr.2007.02.004     Document Type: Article

References (25)

1. Bigham J., Gamez D., and Lu N. Safeguarding SCADA systems with anomaly detection. Proceedings of mathematical methods, models and architectures for computer network security. Lecture notes in computer science vol. 2776 (2003), Springer Verlag 171-182
2. Bishop M. How to sanitize data. In: Proceedings of international workshops on enabling technologies: infrastructures for collaborative enterprises (WETICE04), IEEE Computer Society; June 2004.
3. Burbeck K. Adaptive real-time anomaly detection for safeguarding critical networks (February 2006), Linköping University. 91-85497-23-1. http://www.diva-portal.org/liu/abstract.xsql?dbid=5973 [Licentiate thesis, number 1231]. Available at: .
4. Burbeck K., and Nadjm-Tehrani S. ADWICE - anomaly detection with fast incremental clustering. Proceedings of the seventh international conference on security and cryptology (ICICS'04) (December 2004), Springer Verlag
5. Chyssler T, Nadjm-Tehrani S, Burschka S, Burbeck K. Alarm reduction and correlation in defence of IP networks. In: Proceedings of the international workshops on enabling technologies: infrastructures for collaborative enterprises (WETICE04), IEEE Computer Society; June 2004.
6. Elkan C. Results of the KDD'99 classifier learning. ACM SIGKDD Explorations 1 2 (January 2000) 63-64
7. F-secure. Available at: [accessed August 2005].
8. Gamez D., Nadjm-Tehrani S., Bigham J., Balducelli C., Chyssler T., and Burbeck K. Safeguarding critical infrastructures. In: Diab H.B., and Zomaya A.Z. (Eds). Dependable computer systems: paradigms, performance issues and applications (2005), John Wiley and Sons [chapter 18]
9. Guan Y, Ghorbani AA, Belacel N. Y-means: a clustering method for intrusion detection. In: Proceedings of the IEEE Canadian conference on electrical and computer engineering; May 2003.
10. Haines J., Kewley Ryder D., Tinnel L., and Taylor S. Validation of sensor alert correlators. IEEE Security & Privacy 1 1 (January 2003) 46-56
11. Han J., and Kamber M. Data mining - concepts and techniques (2001), Morgan Kaufmann Publishers Inc.
12. Hettich S., and Bay S.D. The UCI KDD archive (1999). [accessed 10th July 2006]
13. Julisch K. Clustering intrusion detection alarms to support root cause analysis. ACM Transactions on Information and System Security (TISSEC) 6 4 (November 2003) 443-471
14. Lippmann R., Webster S.E., and Stetson D. The effect of identifying vulnerabilities and patching software on the utility of network intrusion detection. Proceedings of recent advances in intrusion detection (RAID'02). Lecture notes in computer science vol. 2516 (2002), Springer Verlag 307-326
15. Mahoney M.V., and Chan P.K. An analysis of the 1999 DARPA/Lincoln Laboratory evaluation data for network anomaly detection. Proceedings of the recent advances in intrusion detection (RAID'03). Lecture notes in computer science vol. 2822 (September 2003), Springer Verlag 220-237
16. McHugh J. Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Transactions on Information and System Security 3 4 (2000) 262-294
17. Morin B., and Hervé H. Correlation of intrusion symptoms: an application of chronicles. Proceedings of the recent advances in intrusion detection (RAID'03). Lecture notes in computer science vol. 2822 (September 2003), Springer Verlag 220-237
18. Mukkamala S, Janoski G, Sung A. Intrusion detection using neural networks and support vector machines. In: Proceedings of international joint conference on neural networks (IJCNN '02); May 2002. p. 1702-7.
19. Munson JC, Wimer S. Watcher: the missing piece of the security puzzle. In: Proceedings of the 17th annual computer security applications conference; December 2001. p. 230-9. Available at: .
20. Portnoy L, Eskin E, Stolfo S. Intrusion detection with unlabeled data using clustering. In: ACM workshop on data mining applied to security; November 2001.
21. Sekar R, Gupta A, Frullo J, Shanbhag T, Tiwari A, Yang H, et al. Specification based anomaly detection: a new approach for detecting network intrusions. In: Proceedings of the ACM conference on computer and communications security; 25-29 October 2002. p. 265-74.
22. Sequeira K, Zaki M. ADMIT: anomaly-based data mining for intrusions. In: Proceedings of the eighth ACM SIGKDD international conference on knowledge discovery and data mining; 23-26 July 2002. p. 386-95.
23. Venter H.S., and Eloff J.H.P. A taxonomy for information security technologies. Computers and Security 22 4 (2003) 299-307
24. Yegneswaran V, Barford P, Ullrich J. Internet intrusions: global characteristics and prevalence. In: Proceedings of the 2003 ACM SIGMETRICS international conference on measurement and modeling of computer systems, 9-14 June 2003; p. 138-47.
25. Zhang T., Ramakrishnan R., and Livny M. BIRCH: an efficient data clustering method for very large databases. SIGMOD record 1996 ACM SIGMOD international conference on management of data vol. 25(2) (4-6 June 1996) 103-114