Min-max hyperellipsoidal clustering for anomaly detection in network security

Suseela T. Sarasamma, Qiuming A. Zhu

Research output: Contribution to journal › Article

22 Citations (Scopus)

Abstract

A novel hyperellipsoidal clustering technique is presented for an intrusion-detection system in network security. Hyperellipsoidal clusters toward maximum intracluster similarity and minimum intercluster similarity are generated from training data sets. The novelty of the technique lies in the fact that the parameters needed to construct higher order data models in general multivariate Gaussian functions are incrementally derived from the data sets using accretive processes. The technique is implemented in a feedforward neural network that uses a Gaussian radial basis function as the model generator. An evaluation based on the inclusiveness and exclusiveness of samples with respect to specific criteria is applied to accretively learn the output clusters of the neural network. One significant advantage of this is its ability to detect individual anomaly types that are hard to detect with other anomaly-detection schemes. Applying this technique, several feature subsets of the tcptrace network-connection records that give above 95% detection at false-positive rates below 5% were identified.
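As an added illustration of the idea the abstract describes (this is not code from the paper, which the page only abstracts): one Gaussian hyperellipsoid whose mean and covariance are built up one connection record at a time, a Mahalanobis-distance membership test that defines "inside the cluster", and the detection-rate / false-positive-rate evaluation that the abstract reports as inclusiveness of normal traffic and exclusiveness of anomalies. The tcptrace-style records are constructed, the two features (packets, bytes), the single-cluster setup and the chi-square threshold are assumptions, and the paper's accretive min-max cluster construction, RBF network and feature-subset search are not reproduced.

```python
"""Gaussian hyperellipsoid anomaly scoring over tcptrace-style connection records.

Added example, not the paper's code: one cluster, two features, constructed data.
"""
import math

# Constructed records, (packets, bytes) per connection; not real tcptrace output.
NORMAL_TRAINING = [
    (10, 1200), (12, 1500), (9, 1000), (11, 1300), (13, 1700),
    (10, 1100), (12, 1400), (8, 900), (11, 1250), (14, 1800),
]
ANOMALOUS = [
    (400, 50000),  # bulk transfer, far from the cluster on both axes
    (2, 90000),    # tiny packet count carrying a huge payload
    (9, 1750),     # within each feature's observed range, but off the packets/bytes trend
]

# 95% quantile of chi-square with 2 degrees of freedom (assumed threshold). In 2-D the
# chi-square distribution is exponential with mean 2, so the quantile is -2 ln(0.05).
CHI2_95_2DOF = -2.0 * math.log(0.05)


def invert(a):
    """Gauss-Jordan inverse with partial pivoting for a small square matrix."""
    n = len(a)
    m = [list(row) + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            raise ValueError("singular covariance: need more samples or a ridge term")
        m[col], m[pivot] = m[pivot], m[col]
        p = m[col][col]
        m[col] = [v / p for v in m[col]]
        for r in range(n):
            if r != col:
                f = m[r][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [row[n:] for row in m]


class Hyperellipsoid:
    """One Gaussian cluster whose mean and covariance grow one sample at a time
    (Welford's update), so the model never needs the whole training set in memory."""

    def __init__(self, dim):
        self.dim = dim
        self.n = 0
        self.mean = [0.0] * dim
        self._m2 = [[0.0] * dim for _ in range(dim)]  # running sum of deviation outer products
        self._inv_cov = None

    def add(self, x):
        self.n += 1
        delta = [xi - mi for xi, mi in zip(x, self.mean)]
        self.mean = [mi + di / self.n for mi, di in zip(self.mean, delta)]
        delta2 = [xi - mi for xi, mi in zip(x, self.mean)]
        for i in range(self.dim):
            for j in range(self.dim):
                self._m2[i][j] += delta[i] * delta2[j]
        self._inv_cov = None  # covariance changed; recompute lazily

    def covariance(self):
        if self.n < 2:
            raise ValueError("need at least two samples for a covariance")
        return [[v / (self.n - 1) for v in row] for row in self._m2]

    def mahalanobis2(self, x):
        """Squared Mahalanobis distance: the hyperellipsoid's own notion of radius."""
        if self._inv_cov is None:
            self._inv_cov = invert(self.covariance())
        d = [xi - mi for xi, mi in zip(x, self.mean)]
        return sum(d[i] * self._inv_cov[i][j] * d[j]
                   for i in range(self.dim) for j in range(self.dim))

    def contains(self, x, threshold=CHI2_95_2DOF):
        """Membership test; the default threshold is only right for two features."""
        return self.mahalanobis2(x) <= threshold


def build_model(records):
    model = Hyperellipsoid(len(records[0]))
    for r in records:
        model.add(r)
    return model


def evaluate(model, normal, anomalous, threshold=CHI2_95_2DOF):
    """Return (detection rate, false-positive rate) for one membership threshold:
    exclusiveness of the anomalies and inclusiveness of the normal traffic."""
    detected = sum(1 for x in anomalous if not model.contains(x, threshold))
    false_pos = sum(1 for x in normal if not model.contains(x, threshold))
    return detected / len(anomalous), false_pos / len(normal)


if __name__ == "__main__":
    model = build_model(NORMAL_TRAINING)
    for x in ANOMALOUS + [(15, 1900)]:
        verdict = "normal" if model.contains(x) else "anomaly"
        print(x, round(model.mahalanobis2(x), 2), verdict)
    print("detection rate, false-positive rate:", evaluate(model, NORMAL_TRAINING, ANOMALOUS))
```

The third constructed anomaly, (9, 1750), is the point of the ellipsoid: both of its feature values lie inside the range seen in training, so a per-feature range check accepts it, but it sits far off the packets-to-bytes correlation that the covariance captures, and its squared Mahalanobis distance is in the hundreds against a threshold near 6. In a real deployment the threshold, the feature subset and the number of clusters all have to be chosen against held-out traffic, since scoring the training records themselves (as the demo does) understates the false-positive rate.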

Original language: English (US)
Pages (from-to): 887-901
Number of pages: 15
Journal: IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics
Volume: 36
Issue number: 4
DOI: 10.1109/TSMCB.2006.870629
State: Published - Aug 1 2006

Fingerprint

Network security
Feedforward neural networks
Intrusion detection
Data structures
Neural networks

Keywords

  • Accretive construction
  • Anomaly detection
  • Confidence measurement
  • Hyperellipsoidal clustering
  • Neural networks
  • Self-organizing map (SOM)

ASJC Scopus subject areas

  • Control and Systems Engineering
  • Software
  • Information Systems
  • Human-Computer Interaction
  • Computer Science Applications
  • Electrical and Electronic Engineering

Cite this

Min-max hyperellipsoidal clustering for anomaly detection in network security. / Sarasamma, Suseela T.; Zhu, Qiuming A.

In: IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics, Vol. 36, No. 4, 01.08.2006, p. 887-901.

Research output: Contribution to journal › Article

@article{5faa42495ba2481fb28aadce0985397a,
title = "Min-max hyperellipsoidal clustering for anomaly detection in network security",
abstract = "A novel hyperellipsoidal clustering technique is presented for an intrusion-detection system in network security. Hyperellipsoidal clusters toward maximum intracluster similarity and minimum intercluster similarity are generated from training data sets. The novelty of the technique lies in the fact that the parameters needed to construct higher order data models in general multivariate Gaussian functions are incrementally derived from the data sets using accretive processes. The technique is implemented in a feedforward neural network that uses a Gaussian radial basis function as the model generator. An evaluation based on the inclusiveness and exclusiveness of samples with respect to specific criteria is applied to accretively learn the output clusters of the neural network. One significant advantage of this is its ability to detect individual anomaly types that are hard to detect with other anomaly-detection schemes. Applying this technique, several feature subsets of the tcptrace network-connection records that give above 95{\%} detection at false-positive rates below 5{\%} were identified.",
keywords = "Accretive construction, Anomaly detection, Confidence measurement, Hyperellipsoidal clustering, Neural networks, Self-organizing map (SOM)",
author = "Sarasamma, {Suseela T.} and Zhu, {Qiuming A.}",
year = "2006",
month = "8",
day = "1",
doi = "10.1109/TSMCB.2006.870629",
language = "English (US)",
volume = "36",
pages = "887--901",
journal = "IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics",
issn = "1083-4419",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
number = "4",

}

TY - JOUR

T1 - Min-max hyperellipsoidal clustering for anomaly detection in network security

AU - Sarasamma, Suseela T.

AU - Zhu, Qiuming A.

PY - 2006/8/1

Y1 - 2006/8/1

N2 - A novel hyperellipsoidal clustering technique is presented for an intrusion-detection system in network security. Hyperellipsoidal clusters toward maximum intracluster similarity and minimum intercluster similarity are generated from training data sets. The novelty of the technique lies in the fact that the parameters needed to construct higher order data models in general multivariate Gaussian functions are incrementally derived from the data sets using accretive processes. The technique is implemented in a feedforward neural network that uses a Gaussian radial basis function as the model generator. An evaluation based on the inclusiveness and exclusiveness of samples with respect to specific criteria is applied to accretively learn the output clusters of the neural network. One significant advantage of this is its ability to detect individual anomaly types that are hard to detect with other anomaly-detection schemes. Applying this technique, several feature subsets of the tcptrace network-connection records that give above 95% detection at false-positive rates below 5% were identified.

AB - A novel hyperellipsoidal clustering technique is presented for an intrusion-detection system in network security. Hyperellipsoidal clusters toward maximum intracluster similarity and minimum intercluster similarity are generated from training data sets. The novelty of the technique lies in the fact that the parameters needed to construct higher order data models in general multivariate Gaussian functions are incrementally derived from the data sets using accretive processes. The technique is implemented in a feedforward neural network that uses a Gaussian radial basis function as the model generator. An evaluation based on the inclusiveness and exclusiveness of samples with respect to specific criteria is applied to accretively learn the output clusters of the neural network. One significant advantage of this is its ability to detect individual anomaly types that are hard to detect with other anomaly-detection schemes. Applying this technique, several feature subsets of the tcptrace network-connection records that give above 95% detection at false-positive rates below 5% were identified.

KW - Accretive construction

KW - Anomaly detection

KW - Confidence measurement

KW - Hyperellipsoidal clustering

KW - Neural networks

KW - Self-organizing map (SOM)

UR - http://www.scopus.com/inward/record.url?scp=33746809369&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33746809369&partnerID=8YFLogxK

U2 - 10.1109/TSMCB.2006.870629

DO - 10.1109/TSMCB.2006.870629

M3 - Article

C2 - 16903372

AN - SCOPUS:33746809369

VL - 36

SP - 887

EP - 901

JO - IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics

JF - IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics

SN - 1083-4419

IS - 4

ER -