DocumentCode
607990
Title
Learning Anomalies in IDSs by Means of Multivariate Finite Mixture Models
Author
Greggio, N.
Author_Institution
ARTS Lab., Pontedera, Italy
fYear
2013
fDate
25-28 March 2013
Firstpage
251
Lastpage
258
Abstract
In this work, a fast method for the unsupervised fitting of a set of data by means of Gaussian mixtures has been studied and developed. It enables applications in Information Security, with a major focus on anomaly-detection Intrusion Detection Systems (IDSs). Its key feature is the online selection of the number of mixture components together with the fitting parameter of each component. With many components the description is accurate; however, the computational burden increases as well. The best compromise between description accuracy and computational complexity is given by a derivation of the Minimum Message Length (MML) information criterion. Normal network behavior is assumed to be represented by the cluster with the highest covariance matrix, while the other, smaller components are considered to represent anomalies. We tested our technique with the well-known KDD99 Cup data set in order to clearly compare our findings with the other state-of-the-art methods. Our results show the effectiveness of this algorithm in finding anomalies within normal network traffic and encourage further improvements.
Keywords
computational complexity; covariance matrices; security of data; Gaussian mixtures; IDS; anomaly detection; computational complexity; covariance matrix; information security; intrusion detection system; minimum message length information criterion; multivariate finite mixture model; normal network behavior; normal network traffic; online selection; unsupervised fitting; Binary trees; Clustering algorithms; Covariance matrices; Gaussian mixture model; Image segmentation; Intrusion detection; Solid modeling; Anomaly detection IDS; KDD99 Cup; Machine Learning; Self-Adapting Expectation Maximization; Unsupervised Clustering;
fLanguage
English
Publisher
ieee
Conference_Titel
Advanced Information Networking and Applications (AINA), 2013 IEEE 27th International Conference on
Conference_Location
Barcelona
ISSN
1550-445X
Print_ISBN
978-1-4673-5550-6
Electronic_ISBN
1550-445X
Type
conf
DOI
10.1109/AINA.2013.151
Filename
6531763