Title :
MCAD: Multiple connection based anomaly detection
Author :
He, Xin ; Parameswaran, Sri
Author_Institution :
Sch. of Comput. Sci. & Eng., Univ. of New South Wales, Sydney, NSW, Australia
Abstract :
This paper describes a novel multi-connection based anomaly detection system. Previous techniques consume enormous amounts of time, either in pre-processing features (unsupervised anomaly detection) or in the lead time needed to create specialized rules (supervised anomaly detection). The system described in this paper, MCAD, uses the observed premise that anomalous connections by one attacker are very similar to each other (e.g. an attacker will try to use similar connections to probe a network). MCAD tests for similarity amongst connections within clustered groups, and if the similarity among the connections of a group is above a predetermined threshold, then these connections are deemed anomalous. MCAD was tested on two weeks of the MIT/LL DARPA dataset. The total number of connections tested was over a million. From this testing, MCAD was able to detect 15 types of multiple connection based attacks, of which 14 types were fully detected while the 15th was detected 2/3 of the time. The false positive rate was 0.466%.
Keywords :
security of data; MCAD; MIT-LL DARPA dataset; multiple connection; supervised anomaly detection; unsupervised anomaly detection; Australia; Computer crime; Computer science; Computer vision; Data mining; Intrusion detection; Probes; Telecommunication traffic; Testing; Unsupervised learning;
Conference_Titel :
Communication Systems, 2008. ICCS 2008. 11th IEEE Singapore International Conference on
Conference_Location :
Guangzhou
Print_ISBN :
978-1-4244-2423-8
Electronic_ISBN :
978-1-4244-2424-5
DOI :
10.1109/ICCS.2008.4737333