  • DocumentCode
    2844244
  • Title
    An unsupervised network anomaly detection approach by k-Means clustering & ID3 algorithms
  • Author
    Yasami, Vasser ; Khorsandi, Siavash ; Mozaffari, Saadat Pour ; Jalalian, Arash
  • Author_Institution
    Dept. of Comput. Eng., Amirkabir Univ. of Technol. (AUT), Tehran
  • fYear
    2008
  • fDate
    6-9 July 2008
  • Firstpage
    398
  • Lastpage
    403
  • Abstract
    This paper presents a novel method that combines k-means clustering and the ID3 decision tree learning algorithm for unsupervised classification of anomalous and normal activities in computer network ARP traffic. A set of anomaly criteria is defined and applied to the captured ARP traffic to generate normal training instances. The k-means clustering method is first applied to these normal training instances to partition them into k clusters using Euclidean distance similarity. An ID3 decision tree is then constructed on each cluster. Anomaly scores from the k-means clustering algorithm and decisions of the ID3 decision trees are extracted, and a special algorithm combines the results of the two algorithms to obtain final anomaly score values. A threshold rule is applied to these scores to decide whether a test instance is normal or abnormal. Experimental results show that the proposed approach has high precision, sensitivity and performance.
  • Keywords
    computer networks; decision making; decision trees; pattern classification; pattern clustering; protocols; security of data; telecommunication traffic; unsupervised learning; Euclidean distance similarity; ID3 decision trees learning algorithms; address resolution protocol traffic; anomalous activities; computer network; decision making; k-means clustering; normal activities; unsupervised classification; unsupervised network anomaly detection approach; Classification algorithms; Classification tree analysis; Clustering algorithms; Clustering methods; Computer networks; Decision trees; Euclidean distance; Partitioning algorithms; Telecommunication traffic; Testing; Address Resolution Protocol (ARP); Anomaly Detection System (ADS); ID3 Decision Trees; K-Means Clustering; Unsupervised Classification;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computers and Communications, 2008. ISCC 2008. IEEE Symposium on
  • Conference_Location
    Marrakech
  • ISSN
    1530-1346
  • Print_ISBN
    978-1-4244-2702-4
  • Electronic_ISBN
    1530-1346
  • Type
    conf
  • DOI
    10.1109/ISCC.2008.4625717
  • Filename
    4625717