• DocumentCode
    423176
  • Title

    A new method of data preprocessing and anomaly detection

  • Author

    Zheng, Jun ; Hu, Ming-Zeng ; Zhang, Hong-Li

  • Author_Institution
    Comput. Network & Inf. Security Tech. Res. Center, Harbin Inst. of Technol., China
  • Volume
    5
  • fYear
    2004
  • fDate
    26-29 Aug. 2004
  • Firstpage
    2685
  • Abstract
    Data preprocessing, including feature extraction, is the first significant step in anomaly detection, where normal profiles need to be constructed. This paper defines a sort of traffic flow to be the anomaly event unit of preprocessing, making the data preprocessing module more efficient and robust. Based on TCP flows, the paper introduces a novel methodology to analyze the feature attributes of network traffic flow with some new techniques, including a novel quantization model of TCP states. Integrating with data preprocessing, we construct an anomaly detection algorithm with SOFM and apply the detection frame to DARPA intrusion detection evaluation data. We train SOFM to exploit the normal profile distributions of network traffic, and then the test data with attack instances embedded is utilized. It is shown that the network attacks are detected with more efficiency and relatively low false alarms.
  • Keywords
    computer networks; feature extraction; security of data; self-organising feature maps; telecommunication traffic; transport protocols; DARPA intrusion detection; TCP states; anomaly detection algorithm; data preprocessing method; feature extraction; network traffic flow; quantization model; self organising feature maps; Computer networks; Data preprocessing; Detection algorithms; Feature extraction; Information security; Intrusion detection; Protocols; Quantization; Telecommunication traffic; Traffic control;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Machine Learning and Cybernetics, 2004. Proceedings of 2004 International Conference on
  • Print_ISBN
    0-7803-8403-2
  • Type

    conf

  • DOI
    10.1109/ICMLC.2004.1378297
  • Filename
    1378297