Survey on incremental approaches for network anomaly detection

International Journal of Communication Networks and Information Security

Volumn 3, Issue 3, 2011, Pages 226-239

  Bhuyan, Monowar Hussain ^a   Bhattacharyya, D K ^a   Kalita, J K ^b  

^a TEZPUR UNIVERSITY   (India)

^b University of Colorado at Colorado Springs   (United States)

Author keywords

Anomaly detection; Attack; Clustering; Incremental

Indexed keywords

EID: 84859514765     PISSN: 20760930     EISSN: 2073607X     Source Type: Journal    
DOI: None     Document Type: Article

References (56)

1. V. Yegneswaran, P. Barford, and Ullrich, "Internet intrusions: global characteristics and prevalence," in Proceedings of the 2003 ACM SIGMETRICS international conference on Measurement and modeling of computer systems. San Diego, CA, USA: ACM Press, pp. 138-147, 2003.
2. J. McHugh, "Intrusion and intrusion detection," International Journal of Information Security, vol. 1, no. 1, pp. 14-35, 2001.
3. A. Patcha and J. M. Park, "An overview of anomaly detection techniques: Existing solutions and latest technological trends," Computer Networks (Elsevier Science), vol. 51, no. 12, pp. 3448-3470, August 22, 2007. [Online].Available: http://10.1016/j.comnet.2007.02.001
4. S. Kumar and E. H. Spafford, "An application of pattern matching in intrusion detection," The COAST Project, Department of Computer Sciences, Purdue University, West Lafayette, IN, USA, Tech. Rep. CSD-TR-94-013, June 17, 1994.
5. V. Chandola, A. Banerjee, and V. Kumar, "Anomaly detection: A survey," ACM Computing Surveys, vol. 41, no. 3, pp. 1-58, July 2009. [Online]. Available: http://doi.acm.org/10.1145/1541880.1541882
6. G. Giacinto and F. Roli, "Intrusion detection in computer networks by multiple classifier systems," in Proceedings of Int'nl Conference on Pattern Recognition. Los Alamitos, CA, USA: IEEE CS, pp. 390-293, 2002.
7. L. Delooze and J. Kalita, "applying soft computing techniques to intrusion detection," in Proceedings of Cyber Security and Information Infrastructure Research Workshop, Oak Ridge National Laboratory, Oak Ridge, TN, pp. 70-99, 2006.
8. M. V. Joshi, I. T. J. Watson, and R. C. Agarwal, "Mining needles in a haystack: Classifying rare classes via two-phase rule induction," SIGMOD Record (ACM Special Interest Group on Management of Data), Vol. 30, No. 2, pp. 91-102, 2001.
9. J. Theiler and D. M. Cai, "Resampling approach for anomaly detection in multispectral images," in Proc. SPIE, pp. 230-240, 2003.
10. V. Jacobson, C. Leres, and S. McCanne, "tcpdump." [Online]. Available: ftp://ftp.ee.lbl.gov/tcpdump.tar.gz
11. A. Dainotti and A. Pescape, "Plab: a packet capture and analysis architecture," 2004. [Online]. Available: http://wpage.unina.it/alberto/papers/TR-DIS-122004.pdf
12. S. McCanne and V. Jacobson, "The bsd packet filter: A new architecture for user level packet capture," in Proceedings of the Winter 1993 USENIX Conference, USENIX Association, January, pp. 259-269, 1993.
13. H. G. Kayacik, A. N. Zincir-Heywood, and M. I. Heywood, "Selecting features for intrusion detection: A feature relevance analysis on kdd 99 intrusion detection datasets," in Proceedings of the Third Annual Conference on Privacy, Security and Trust, October, pp. 1-6, 2005.
14. "Kdd cup 1999 data," October 1999. [Online]. Available:http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html
15. W. Lee and S. J. Stolfo, "Data mining approaches for intrusion detection," in Proceedings of the 1998 USENIX Security Symposium, pp. 1-15, 1998, USENIX Association.
16. L. Ertz, E. Eilertson, A. Lazarevic, P.-N. Tan, V. Kumar, and J. Srivastava, The MINDS- Minnesota Intrusion Detection System, ch. 3, pp.1-21, 2004.
17. C. Spence, L. Parra, and P. Sajda, "Detection, synthesis and compression in mammographic image analysis with a hierarchical image probability model," in Proceedings of the IEEE Workshop on Mathematical Methods in Biomedical Image Analysis. Washington, DC, USA: IEEE Computer Society, 2001, p. 3-10.
18. E. Aleskerov, B. Freisleben, and B. Rao, "Cardwatch: a neural network based database mining system for credit card fraud detection," in Proceedings of the IEEE IAFE 1997 Computational Intelligence for Financial Engineering. IEEE, 1997, pp. 220-226. [Online]. Available: http://10.1109/CIFER.1997.618940
19. th ACM SIGKDD international conference on Knowledge discovery in data mining. New York, NY, USA: ACM, 2005, pp. 401-410. [Online]. Available: http://doi.acm.org/10.1145/1081870.1081917
20. F. Y. Edgeworth, "On discordant observations," Philosophical Magazine, vol. 23, no. 5, pp. 364-375, 1887.
21. X. Song, M. Wu, C. Jermaine, and S. Ranka, "Conditional anomaly detection," IEEE Trans. on Knowl. and Data Eng., vol. 19, no. 5, pp. 631-645, 2007. [Online]. Available: http://dx.doi.org/10.1109/TKDE.2007.1009
22. A. Prayote, "Knowledge based anomaly detection," Ph.D. dissertation, The University of New South Wales, November 2007.
23. R. Storlkken, "Labelling clusters in an anomaly based ids by means of clustering quality indexes," Master's thesis, Faculty of Computer Science and Media Technology Gjvik University College, Gjvik, Norway, 2007.
24. J. C. Dunn, "Well separated clusters and optimal fuzzy partitions," Journal of Cybernetics, vol. 4, no. 1, pp. 95-104., 1974. [Online]. Available: http://10.1080/01969727408546059
25. L. Hubert and J. Schultz, "Quadratic assignment as a general data-analysis strategy," British Journal of Mathematical and Statistical Psychology, vol. 29, pp. 190-241, 1976.
26. S. H. Cha, "Comprehensive survey on distance/similarity measures between probability density functions," International Journal of Mathematical Models and Methods in Applied Science, vol. 1, no. 4, pp. 300-307, November, 2007.
27. P. N. Tan, M. Steinbach, and V. Kumar, Introduction to Data Mining, Fourth Edition, Dorling Kindersley (India) Pvt. Ltd., 2009.
28. W. Y. Yu and H.-M. Lee, "An incremental-learning method for supervised anomaly detection by cascading service classifier and ITI decision tree methods," in Proceedings of the Pacific Asia Workshop on Intelligence and Security Informatics. Berlin, Heidelberg: Springer-Verlag, 2009, pp. 155-160. [Online]. Available: http://dx.doi.org/10.1007/978-3-642-01393-5 17
29. P. Laskov, C. Gehl, S. Krüger, and K.-R. Müller, "Incremental support vector learning: Analysis, implementation and applications," Journal of Machine Learning Research, vol. 7, pp. 1909-1936, 2006.
30. F. Ren, L. Hu, H. Liang, X. Liu, and W. Ren, "Using density-based incremental clustering for anomaly detection," in Proceedings of the 2008 International Conference on Computer Science and Software Engineering. Washington, DC, USA: IEEE Computer Society, 2008, pp. 986-989. [Online]. Available: http://dx.doi.org/10.1109/CSSE.2008.811
31. th International Conference on Information Security and Cryptology, Seoul, Korea. Springer Verlag, pp. 4007-424, 2004.
32. T. Zhang, R. Ramakrishnan, and M. Livny, "BIRCH: an efficient data clustering method for very large databases," SIGMOD Rec., vol. 25, no. 2, pp. 103-114, 1996. [Online]. Available: http://doi.acm.org/10.1145/235968.233324
33. A. Rasoulifard, A. G. Bafghi, and M. Kahani, Incremental Hybrid Intrusion Detection Using Ensemble of Weak Classifiers, in Communications in Computer and Information Science. Springer Berlin Heidelberg, November 23 2008, vol. 6, pp. 577-584. [Online]. Available: http://10.1007/978-3-540-89985-3
34. K. Burbeck and S. Nadjm-Tehrani, "Adaptive real-time anomaly detection with incremental clustering," Inf. Secur. Tech. Rep., vol. 12, no. 1, pp. 56-67, 2007. [Online]. Available: http://dx.doi.org/10.1016/j.istr.2007.02.004
35. C. Zhong and N. Li, "Incremental clustering algorithm for intrusion detection using clonal selection," in Proceedings of the 2008 IEEE Pacific-Asia Workshop on Computational Intelligence and Industrial Application. Washington, DC, USA: IEEE Computer Society, 2008, pp. 326-331. [Online]. Available: http://dx.doi.org/10.1109/PACIIA.2008.256
36. C. C. Hsu and Y.-P. Huang, "Incremental clustering of mixed data based on distance hierarchy," Expert Syst. Appl., vol. 35, no. 3, pp. 1177-1185, 2008. [Online]. Available: http://dx.doi.org/10.1016/j.eswa.2007.08.049
37. J. Li, X. Gao, and L. Jiao, "A novel clustering method with network structure based on clonal algorithm," in Proceedings of International Conference on Acoustics, Speech, and Signal Processing. Piscataway, NJ: IEEE Press, 2004, pp. 793-796.
38. E. B. Lennon, "Testing intrusion detection systems.", iTL Bulletin, IT Laboratory, NIST, pp. 1-4, July, 2003.
39. R. P. Lippmann, D. J. Fried, I. Graf, J. W. Haines, K. R. Kendall, D. McClung, D. Weber, S. E. Webster, D. Wyschogrod, R. K. Cunningham, and M. A. Zissman, "Evaluating intrusion detection systems: The 1998 darpa off-line intrusion detection evaluation," DARPA Information Survivability Conference and Exposition, vol. 2, p. 1012, 2000.
40. C. Elkin, "Results of the kdd99 classifier learning contest," September 1999. [Online]. Available: http://www.cs.ucsd.edu/users/elkan/clresults.html
41. K. Kendall, "A database of computer attacks for the evaluation of intrusion detection systems," Master's thesis, MIT, 1999.
42. L. Delooze, "Applying soft-computing techniques to intrusion detection," Ph.D. dissertation, Computer Science Department, University of Colorado, Colorado Springs, 2005.
43. S. Mukkamala, A. H. Sung, and A. Abraham, "Intrusion detection using an ensemble of intelligent paradigms," Journal of Network and Computer Applications, vol. 28, pp. 167-182, April 2005.
44. R. Pang, M. Allman, V. Paxson, and J. Lee, "The devil and packet trace anonymization," SIGCOMM Comput. Commun. Rev., vol. 36, no. 1, pp. 29-38, 2006. [Online]. Available: http://doi.acm.org/10.1145/1111322.1111330
45. th international symposium on Recent Advances in Intrusion Detection, Springer-Verlag, Berlin, Heidelberg, 2008, pp. 351-371. [Online]. Available: http://dx.doi.org/10.1007/978354087403419
46. W. W. Streilein, R. K. Cunningham, and S. E. Webster, "Improved detection of low-probable probe and denial-of-service attacks," in Proceedings of First IEEE International Workshop on Information Assurance, Darmstadt, Germany, 2003, pp. 63-72.
47. thUSENIX conference on System Administration. Berklay, CA, USA: USENIX Association, 2000, pp. 291-304.
48. S. F. Bacon, 1597. [Online]. Available: http://www.quotationspage.com/quote/2060.html
49. S. Axelsson, "The base-rate fallacy and the difficulty of intrusion detection," ACM Transactions on Information and System Security, vol. 3, no. 3, pp. 186-205, 2000.
50. th ACM Conference on Computer and Communications Security, Athens, Greece, November 2000.
51. J. McHugh, "Testing intrusion detection systems: a critique of the 1998 and 1999 darpa intrusion detection system evaluations as performed by lincoln laboratory," ACM Transactions on Information and System Security, vol. 3, no. 4, pp. 262-294, 2000.
52. W. Khreich, E. Granger, A. Miri, and R. Sabourin. "Adaptive ensembles of HMMs applied to anomaly detection," Pattern Recognition (Elsevier Science), July 19, 2011, doi:10.1016/j.patcog.2011.06.014
53. N. Lu, D. Khoa and S. Chawla. "Online Anomaly Detection Systems Using Incremental Commute Time," CoRR, Vol. abs/1107.3894, 2011.
54. M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, "Surveying port scans and their detection methodologies," The Computer Journal, 2011.
55. M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, "NADO: Network anomaly detection using outlier approach," in ICCCS'11. ACM, February 2011, pp. 531-536.
56. Y. Yi, J. Wu and W. Xu. "Incremental SVM based on reserved set for network intrusion detection" Journal of Expert Systems with Applications, Vol. 38, No. 6, pp. 7698-7707, June, 2011. USA