Abstract
In anomaly intrusion detection, modeling the normal behavior of activities performed by a user is an important issue. To extract normal behavior from the activities of a user, conventional data mining techniques are widely applied to a finite audit data set. However, these approaches model only the static behavior of a user in the audit data set. This drawback can be overcome by viewing a user's continuous activities as an audit data stream. This paper proposes an anomaly intrusion detection method that continuously models the normal behavior of a user over the audit data stream. A set of features is used to represent the characteristics of an activity. For each feature, clusters of feature values corresponding to activities observed thus far in an audit data stream are identified by a statistical grid-based clustering algorithm for a data stream. Each cluster represents the frequency range of the activities with respect to the feature. As a result, without the physical maintenance of any historical activity of the user, the user's new activities can be continuously reflected in the ongoing results. At the same time, various statistics of activities related to the identified clusters are also modeled to improve the performance of anomaly detection. The proposed algorithm is illustrated by a series of experiments to identify various characteristics.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
