Network anomaly detection with incomplete audit data

Computer Networks

Volumn 51, Issue 13, 2007, Pages 3935-3955

  Patcha, Animesh ^a   Park, Jung Min ^a  

^a Virginia Polytechnic Institute and State University   (United States)

Author keywords

Expectation maximization algorithm; Network anomaly detection; Sampling

Indexed keywords

BLOOM FILTERS; EXPECTATION-MAXIMIZATION; GIGABIT NETWORKS; STOCHASTIC CLUSTERING ALGORITHM FOR NETWORK ANOMALY DETECTION;

CLUSTERING ALGORITHMS; COMPUTER CRIME; INTRUSION DETECTION; PACKET NETWORKS; TELECOMMUNICATION TRAFFIC;

COMPUTER NETWORKS;

EID: 34447280122     PISSN: 13891286     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.comnet.2007.04.017     Document Type: Article

References (38)

1. B. Yocom, R. Birdsall, D. Poletti-Metzel, Gigabit intrusion detection systems, http://www.nwfusion.com/reviews/2002/1104rev.html, 2002.
2. Cormode G., and Muthukrishnan S. Whats new: finding significant differences in network data streams. IEEE INFOCOMM 2004: Twenty-third Annual Joint Conference of the IEEE Computer and Communications Societies vol. 3 (2004), IEEE Press 1534-1545
3. R. Sekar, Y. Guang, S. Verma, T. Shanbhag, A high-performance network intrusion detection system, in: ACM Conference on Computer and Communications Security, 1999, pp. 8-17.
4. E. Eskin, Anomaly detection over noisy data using learned probability distributions, in: 17th International Conference on Machine Learning, 2000, pp. 255-262.
5. E. Eskin, A. Arnold, M. Prerau, L. Portnoy, S. Stolfo, A geometric framework for unsupervised anomaly detection: Detecting intrusions in unlabeled data, in: D. Barbara, S. Jajodia, (Eds.), Applications of Data Mining in Computer Security, 2002.
6. A.P. Dempster, N.M. Laird, D.B. Rubin, Maximum likelihood from incomplete data via the em algorithm, in: Journal of the Royal Statistical Society, vol. 39 of B, 1977, pp. 1-38.
7. D. Anderson, T.F. Lunt, H. Javitz, A. Tamaru, A. Valdes, Detecting unusual program behavior using the statistical component of the next-generation intrusion detection expert system (nides), Technical Report SRI-CSL-95-06, Computer Science Laboratory, SRI International, 333 Ravenswood Avenue, Menlo Park, CA 94025-3493, May 1994.
8. M. Mahoney, P.K. Chan, Phad: Packet header anomaly detection for identifying hostile network traffic, Technical Report CS-2001-2, Computer Science Department, Florida Institute of Technology, 150W. University Blvd. Melbourne, FL 32901, 2001.
9. M. Mahoney, P.K. Chan, Learning models of network traffic for detecting novel attacks, Technical Report CS-2002-8, Department of Computer Science, Florida Institute of Technology, 150W. University Blvd. Melbourne, FL 32901, 2002.
10. M. Mahoney, P.K. Chan, Learning nonstationary models of normal network traffic for detecting novel attacks, in: SIGKDD, July 2002.
11. Guha S., Rastogi R., and Shim K. Rock: A robust clustering algorithm for categorical attributes. 15th International Conference on Data Engineering, (Stanford University, CA, USA) (1999), IEEE Computer Society 512-521 March
12. Knorr E.M., and Ng R.T. Algorithms for mining distance-based outliers in large datasets. VLDB'98: Proceedings of the 24rd International Conference on Very Large Data Bases (San Francisco, CA, USA) (1998), Morgan Kaufmann Publishers Inc 392-403
13. S. Ramaswamy, R. Rastogi, K. Shim, Efficient algorithms for mining outliers from large data sets, in: 2000 ACM SIGMOD International Conference on Management of Sata, 2000, pp. 427-438.
14. W. Lee, S. Stolfo, Data mining approaches for intrusion detection, in: 7th USENIX Security Symposium, (San Antonio, TX), 1998.
15. W. Lee, S.J. Stolfo, P.K. Chan, E. Eskin, W. Fan, M. Miller, S. Hershkop, J. Zhang, Real time data mining-based intrusion detection, in: Second DARPA Information Survivability Conference and Exposition, 2001, pp. 85-100.
16. Lee W., and Xiang D. Information-theoretic measures for anomaly detection. IEEE Symposium on Security and Privacy, (Washington, DC, USA) (2001), IEEE Computer Society 130-143
17. C. Kruegel, F. Valeur, G. Vigna, R. Kemmerer, Stateful intrusion detection for high-speed networks., in: IEEE Symposium on Research on Security and Privacy, May 2002, pp. 285-294.
18. B. Hutchings, R. Franklin, D. Carver, Assisting network intrusion detection with reconfigurable hardware., in: 10th Annual IEEE Symposium on Field-Programmable Custom Computing Machines, April 2002, pp. 111-120.
19. ISS, BlackICE Sentry Gigabit. Internet Security Solutions, 2001.
20. CISCO, CISCO Intrusion Detection System. Cisco Systems, 2001.
21. T. Networks, Toplayer networks, http://www.toplayer.com/, 2005.
22. W.E. Leland, M.S. Taqq, W. Willinger, D.V. Wilson, On the self-similar nature of Ethernet traffic, in: D.P. Sidhu, (Ed.), ACM SIGCOMM, (San Francisco, CA), 1993, pp. 183-193.
23. Paxson V., and Floyd S. Wide area traffic: the failure of Poisson modeling. IEEE/ACM Transactions on Networking 3 3 (1995) 226-244
24. M. Li, W. Jia, W. Zhao, Decision analysis of network based intrusion detection systems for denial-of-service attacks, in: Proceedings of the IEEE Conferences on Info-tech and Info-net, vol. 5, Department of Computer Science, City University of Hong Kong, China, IEEE, October 2001.
25. P. Owezarski, On the impact of DoS attacks on internet traffic characteristics and QoS, in: ICCCN'05: Proceedings of the 14th International Conference on Computer Communications and Networks, LAAS-CNRS, Toulouse, France, IEEE, October 2005, pp. 269-274.
26. H.E. Hurst, Methods of using long-term storage in reservoirs, in: Proceedings of the Institution of Civil Engineers, no. Part 1, 1955, pp. 519-577.
27. Neal R., and Hinton G. A view of the em algorithm that justifies incremental, sparse and other variants. Learning in graphical models (1999) 355-368
28. P. Bradley, U. Fayyad, C. Reina, Scaling em (expectation- maximization) clustering to large databases, Technical Report MSR-TR-98-35, Microsoft Research, 1998.
29. Zhang T., Ramakrishnan R., and Livny M. Birch: an efficient data clustering method for very large databases. SIGMOD'96: Proceedings of the 1996 ACM SIGMOD International Conference on Management of Data (New York, NY, USA) (1996), ACM Press 103-114
30. Ordonez C., and Omiecinski E. Frem: fast and robust em clustering for large data sets. CIKM'02: Proceedings of the Eleventh International Conference on Information and Knowledge Management (New York, NY, USA) (2002), ACM Press 590-599
31. J. MacQueen, Some methods for classification and analysis of multivariate observations, in: Proceedings of the Fifth Berkeley Symposium on Mathematical Statistics and Probability, 1967.
32. B. Bloom, Space/time tradeoffs in hash coding with allowable errors., in: Communications of the ACM, 1970.
33. M.L. Laboratory, Darpa intrusion detection evaluation data set, http://www.ll.mit.edu/.
34. WIDE, The widely integrated distributed environment project, http://tracer.csl.sony.co.jp/mawi/.
35. Fulp E., Fu Z., Reeves D.S., Wu S.F., and Zhang X. Preventing denial of service attacks on quality of service. DISCEX'01: Proceedings of the DARPA Information Survivability Conference and Exposition II vol. 2 (2001), IEEE Press 159-172 June
36. CERT, Cert advisory ca-1996-21 tcp syn flooding and ip spoofing attacks, http://www.cert.org/advisories/CA-1996-21.html, September 1996.
37. L. Portnoy, E. Eskin, S.J. Stolfo, Intrusion detection with unlabeled data using clustering, in: ACM Workshop on Data Mining Applied to Security, 2001.
38. K. Claffy, G. Polyzos, H. Braum, Application of sampling methodologies to network traffic characterization., in: Computer Communication Review, vol. 4, 1993, pp. 194-203.