Hierarchical Kohonenen Net for anomaly detection in network security

Suseela T. Sarasamma, Qiuming A. Zhu, Julie Huff

Research output: Contribution to journal › Article

170 Citations (Scopus)

Abstract

A novel multilevel hierarchical Kohonen Net (K-Map) for an intrusion detection system is presented. Each level of the hierarchical map is modeled as a simple winner-take-all K-Map. One significant advantage of this multilevel hierarchical K-Map is its computational efficiency. Unlike other statistical anomaly detection methods such as the nearest neighbor approach, K-means clustering or probabilistic analysis, which employ distance computation in the feature space to identify the outliers, our approach does not involve costly point-to-point computation in organizing the data into clusters. Another advantage is the reduced network size. We use the classification capability of the K-Map on selected dimensions of the data set in detecting anomalies. Randomly selected subsets that contain both attacks and normal records from the KDD Cup 1999 benchmark data are used to train the hierarchical net. We use a confidence measure to label the clusters. Then we use the test set from the same KDD Cup 1999 benchmark to test the hierarchical net. We show that a hierarchical K-Map in which each layer operates on a small subset of the feature space is superior to a single-layer K-Map operating on the whole feature space in detecting a variety of attacks in terms of detection rate as well as false positive rate.
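One level of the scheme the abstract outlines, as an added illustration that is not the authors' code: a winner-take-all K-Map trained on a selected subset of the features of constructed KDD-Cup-style records, with each cluster labelled by majority vote and a confidence score. The feature subset, the majority-share confidence measure, the 0.8 hand-off threshold and the records themselves are assumptions of this example, not values from the paper.

```python
import random
random.seed(7)  # fixed seed: constructed data and training are reproducible

# Constructed, KDD-Cup-style connection records (not the paper's data), already scaled
# to [0, 1]: (duration, src_bytes, dst_bytes, count, srv_count) plus a class label.
def make_records(n, centre, label):
    jitter = lambda c: min(1.0, max(0.0, c + random.uniform(-0.05, 0.05)))
    return [(tuple(jitter(c) for c in centre), label) for _ in range(n)]

NORMAL = (0.3, 0.4, 0.5, 0.10, 0.10)
FLOOD = (0.0, 0.0, 0.0, 0.95, 0.95)  # flood-like: many connections, no payload
TRAIN = make_records(20, NORMAL, "normal") + make_records(10, FLOOD, "attack")
random.shuffle(TRAIN)
SUBSET = (3, 4)  # assumed feature subset this level works on: the two count features

def project(rec, subset=SUBSET):
    return tuple(rec[i] for i in subset)

def winner(weights, x):
    """Index of the best-matching neuron (smallest squared distance to x)."""
    return min(range(len(weights)), key=lambda k: sum((w - v) ** 2 for w, v in zip(weights[k], x)))

def train_kmap(records, k, subset=SUBSET, epochs=20, rate=0.3):
    """Winner-take-all K-Map: only the winning neuron moves toward each input."""
    weights = [list(project(r, subset)) for r, _ in records[:k]]  # init from data: no dead units
    for epoch in range(epochs):
        lr = rate * (1 - epoch / epochs)  # decaying learning rate
        for rec, _ in records:
            x = project(rec, subset)
            j = winner(weights, x)
            weights[j] = [w + lr * (v - w) for w, v in zip(weights[j], x)]
    return weights

def label_clusters(weights, records, subset=SUBSET):
    """Majority label per neuron; confidence (assumed measure) = majority share."""
    counts = [{} for _ in weights]
    for rec, lab in records:
        j = winner(weights, project(rec, subset))
        counts[j][lab] = counts[j].get(lab, 0) + 1
    labels = {}
    for j, c in enumerate(counts):
        if c:
            lab, n = max(c.items(), key=lambda kv: kv[1])
            labels[j] = (lab, n / sum(c.values()))
    return labels

def classify(weights, labels, rec, min_conf=0.8, subset=SUBSET):
    """Winner's label, or 'uncertain' below min_conf (the hierarchy would pass such records on)."""
    lab, conf = labels.get(winner(weights, project(rec, subset)), ("uncertain", 0.0))
    return lab if conf >= min_conf else "uncertain"
```

Records that land in a low-confidence cluster are the ones a further level, trained on a different feature subset, would take over; a single level with well-separated clusters decides everything itself.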

Original language: English (US)
Pages (from-to): 302-312
Number of pages: 11
Journal: IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics
Volume: 35
Issue number: 2
DOIs: 10.1109/TSMCB.2005.843274
State: Published - Apr 1 2005

Keywords

  • Computer network security
  • Neural network applications
  • Self-organizing feature maps

ASJC Scopus subject areas

  • Control and Systems Engineering
  • Software
  • Information Systems
  • Human-Computer Interaction
  • Computer Science Applications
  • Electrical and Electronic Engineering

Cite this

Hierarchical Kohonenen Net for anomaly detection in network security. / Sarasamma, Suseela T.; Zhu, Qiuming A.; Huff, Julie.

In: IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics, Vol. 35, No. 2, 01.04.2005, p. 302-312.

@article{4ace7a09987d4f278b6e45a4f04461b3,
title = "Hierarchical Kohonenen Net for anomaly detection in network security",
abstract = "A novel multilevel hierarchical Kohonen Net (K-Map) for an intrusion detection system is presented. Each level of the hierarchical map is modeled as a simple winner-take-all K-Map. One significant advantage of this multilevel hierarchical K-Map is its computational efficiency. Unlike other statistical anomaly detection methods such as nearest neighbor approach, K-means clustering or probabilistic analysis that employ distance computation in the feature space to identify the outliers, our approach does not involve costly point-to-point computation in organizing the data into clusters. Another advantage is the reduced network size. We use the classification capability of the K-Map on selected dimensions of data set in detecting anomalies. Randomly selected subsets that contain both attacks and normal records from the KDD Cup 1999 benchmark data are used to train the hierarchical net. We use a confidence measure to label the clusters. Then we use the test set from the same KDD Cup 1999 benchmark to test the hierarchical net. We show that a hierarchical K-Map in which each layer operates on a small subset of the feature space is superior to a single-layer K-Map operating on the whole feature space in detecting a variety of attacks in terms of detection rate as well as false positive rate.",
keywords = "Computer network security, Neural network applications, Self-organizing feature maps",
author = "Sarasamma, {Suseela T.} and Zhu, {Qiuming A.} and Julie Huff",
year = "2005",
month = "4",
day = "1",
doi = "10.1109/TSMCB.2005.843274",
language = "English (US)",
volume = "35",
pages = "302--312",
journal = "IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics",
issn = "1083-4419",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
number = "2",

}

TY - JOUR

T1 - Hierarchical Kohonenen Net for anomaly detection in network security

AU - Sarasamma, Suseela T.

AU - Zhu, Qiuming A.

AU - Huff, Julie

PY - 2005/4/1

Y1 - 2005/4/1

N2 - A novel multilevel hierarchical Kohonen Net (K-Map) for an intrusion detection system is presented. Each level of the hierarchical map is modeled as a simple winner-take-all K-Map. One significant advantage of this multilevel hierarchical K-Map is its computational efficiency. Unlike other statistical anomaly detection methods such as nearest neighbor approach, K-means clustering or probabilistic analysis that employ distance computation in the feature space to identify the outliers, our approach does not involve costly point-to-point computation in organizing the data into clusters. Another advantage is the reduced network size. We use the classification capability of the K-Map on selected dimensions of data set in detecting anomalies. Randomly selected subsets that contain both attacks and normal records from the KDD Cup 1999 benchmark data are used to train the hierarchical net. We use a confidence measure to label the clusters. Then we use the test set from the same KDD Cup 1999 benchmark to test the hierarchical net. We show that a hierarchical K-Map in which each layer operates on a small subset of the feature space is superior to a single-layer K-Map operating on the whole feature space in detecting a variety of attacks in terms of detection rate as well as false positive rate.

AB - A novel multilevel hierarchical Kohonen Net (K-Map) for an intrusion detection system is presented. Each level of the hierarchical map is modeled as a simple winner-take-all K-Map. One significant advantage of this multilevel hierarchical K-Map is its computational efficiency. Unlike other statistical anomaly detection methods such as nearest neighbor approach, K-means clustering or probabilistic analysis that employ distance computation in the feature space to identify the outliers, our approach does not involve costly point-to-point computation in organizing the data into clusters. Another advantage is the reduced network size. We use the classification capability of the K-Map on selected dimensions of data set in detecting anomalies. Randomly selected subsets that contain both attacks and normal records from the KDD Cup 1999 benchmark data are used to train the hierarchical net. We use a confidence measure to label the clusters. Then we use the test set from the same KDD Cup 1999 benchmark to test the hierarchical net. We show that a hierarchical K-Map in which each layer operates on a small subset of the feature space is superior to a single-layer K-Map operating on the whole feature space in detecting a variety of attacks in terms of detection rate as well as false positive rate.

KW - Computer network security

KW - Neural network applications

KW - Self-organizing feature maps

UR - http://www.scopus.com/inward/record.url?scp=17444432965&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=17444432965&partnerID=8YFLogxK

U2 - 10.1109/TSMCB.2005.843274

DO - 10.1109/TSMCB.2005.843274

M3 - Article

C2 - 15828658

AN - SCOPUS:17444432965

VL - 35

SP - 302

EP - 312

JO - IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics

JF - IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics

SN - 1083-4419

IS - 2

ER -