ADWICE - Anomaly Detection with Real-Time Incremental Clustering

13 years 5 months ago
ADWICE - Anomaly Detection with Real-Time Incremental Clustering
Abstract. Anomaly detection, detection of deviations from what is considered normal, is an important complement to misuse detection based on attack signatures. Anomaly detection in real-time places hard requirements on the algorithms used, making many proposed data mining techniques less suitable. ADWICE (Anomaly Detection With fast Incremental Clustering) uses the first phase of the existing BIRCH clustering framework to implement fast, scalable and adaptive anomaly detection. We extend the original clustering algorithm and apply the resulting detection mechanism for analysis of data from IP networks. The performance is demonstrated on the KDD data set as well as on data from a test network at a telecom company. Our experiments show a good detection quality (95 %) and acceptable false positives rate (2.8 %) considering the online, real-time characteristics of the algorithm. The number of alarms is then further reduced by application of the aggregation techniques implemented in the Saf...
Kalle Burbeck, Simin Nadjm-Tehrani
Added 31 Oct 2010
Updated 31 Oct 2010
Type Conference
Year 2004
Authors Kalle Burbeck, Simin Nadjm-Tehrani
Comments (0)