Network Intrusion Detection using a Secure Ranking of Hidden Outliers

Network intrusion detection has recently attracted a lot of attention in both computer network security research and industry. In an intrusion, attackers try to perform malicious activities inside the network using harmless-looking connections. Network intrusion detection systems try to differentiate these attacks from normal connections. In data mining, clustering aims at dividing objects into different groups (called clusters) such that objects in one cluster are similar to each other and dissimilar to objects from other clusters. Some sparse objects deviate from all available clusters and are not dense enough to form a new cluster. These objects are called outliers. In this work we present an algorithm for ranking outlier network connections according to their degree of “outlierness” through a novel use of subspace clustering techniques for network intrusion detection. Using a scoring function, our algorithm gives a higher degree of outlierness to strongly deviating outliers hidden in subspaces of the network connection data. We see another challenge when seeking intrusions in the network. Attackers usually try slight modifications of previously successful intrusions to produce new attacks. Our novel scoring function carefully gives a higher degree of outlierness to outliers found in subspaces that contain known intrusions. Thus we should considerably reduce false alarms, since only strongly deviating outliers and outliers detected in suspected subspaces of the connections will be considered intrusions.

Authors: Hassani M., Seidl T.
Published in: Proc. of the seventh International Computing Conference in Arabic (ICCA 2011), Riyadh, Saudi Arabia.
Language: EN
Year: 2011
Conference: ICCA
Url: ICCA 2011
Type: Conference papers (peer reviewed)
Research topic: Data Analysis and Knowledge Extraction