An unsupervised network anomaly detection approach by k-Means clustering & ID3 algorithms

This paper presents a novel method to combine k-means clustering and ID3 decision trees learning algorithms for unsupervised classification of anomalous and normal activities in computer network ARP traffic. The k-means clustering method is first applied to the normal training instances to partition it into k clusters using Euclidean distance similarity. Some anomaly criteria has been defined and applied to the captured ARP traffic to generate normal training instances. An ID3 decision tree is constructed on each cluster. Anomaly scores from the k-means clustering algorithm and decisions of the ID3 decision trees are extracted. A special algorithm is used to combine results of the two algorithms and obtain final anomaly score values. The threshold rule is applied for making decision on the test instance normality or abnormality. Experimental results show that the proposed approach has a high precision, sensitivity and performance.