Intrusion Detection in Unstructured Contexts Using On-line Clustering and Novelty Detection

Eduardo Alves Ferreira, Rodrigo Fernandes Mello
2013 Revista de Informática Teórica e Aplicada
The characterization of process behavior is usually considered when performing intrusion detection. Several works characterize specific aspects of systems and attempt to detect novelties in that context, associating observed anomalies with attack events. Such an approach is limited or even useless when the observed context is unstructured, i.e. when the monitor generates text-based log files or a variable number of application attributes. In order to overcome this drawback, this paper considers the use of single-pass clustering techniques to apply a quantization operation to unstructured data and generate time series, using algorithms with low computational complexity that are applicable in a real-world scenario. Afterward, novelty detection techniques are employed on such series to distinguish behavior anomalies, which are associated with intrusions. We evaluated the approach using a system characterization dataset and confirmed that it aggregates context information to represent the behavior of applications as time series, on which novelty detection can be successfully performed.
doi:10.22456/2175-2745.26211 fatcat:nm3au64lhbezdkjmf7ty525xfq
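The pipeline the abstract describes, as an added illustration that is not the paper's own code: text log lines are quantized by a single-pass (leader) clustering into a series of cluster identifiers, and a windowed novelty score is computed against a baseline learned from the first windows. The Jaccard similarity, the 0.6 threshold, the L1 distance and the sample log lines are assumptions chosen for the example.

```python
import re
NUM = re.compile(r"\d+")

def tokenize(line):
    # digit runs -> one placeholder, so pids/ports/addresses don't split clusters
    return frozenset(NUM.sub("<n>", line.lower()).split())

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 1.0

class SinglePassClusterer:
    """Leader clustering: a line joins the most similar existing cluster when the
    similarity clears the threshold, otherwise it founds a new cluster."""
    def __init__(self, threshold):
        self.threshold = threshold
        self.reps = []  # first member of each cluster is its representative
    def assign(self, line):  # one comparison pass per line: O(#clusters)
        toks = tokenize(line)
        sims = [jaccard(toks, rep) for rep in self.reps]
        if sims and max(sims) >= self.threshold:
            return sims.index(max(sims))
        self.reps.append(toks)
        return len(self.reps) - 1

def histogram(series, n_clusters):
    return [series.count(i) / len(series) for i in range(n_clusters)]

def novelty_scores(series, n_clusters, window, train_windows):
    """Learn a baseline cluster histogram from the first `train_windows` windows,
    then score every window by its L1 distance to that baseline."""
    windows = [series[i:i + window] for i in range(0, len(series) - window + 1, window)]
    base = [histogram(w, n_clusters) for w in windows[:train_windows]]
    baseline = [sum(h[i] for h in base) / len(base) for i in range(n_clusters)]
    return [sum(abs(h - b) for h, b in zip(histogram(w, n_clusters), baseline))
            for w in windows]

# Constructed sample log: three routine windows, then a burst of failed logins.
NORMAL = ["sshd accepted publickey for alice from 10.0.0.5 port 51234",
          "cron job 812 started: nightly backup",
          "nginx GET /index.html 200 from 10.0.0.7"] * 2
ANOMALY = ["sshd failed password for root from 203.0.113.9 port 4021",
           "sshd failed password for admin from 203.0.113.9 port 4022",
           "nginx GET /index.html 200 from 10.0.0.7"] * 2
LOG = NORMAL * 3 + ANOMALY

def demo(window=6, threshold=0.6):
    clusterer = SinglePassClusterer(threshold)
    series = [clusterer.assign(line) for line in LOG]  # quantised time series
    return novelty_scores(series, len(clusterer.reps), window, train_windows=2)
```

The three routine windows score 0 against the baseline, while the final window, whose failed-login lines form a cluster the baseline never contained, scores 4/3; in practice the threshold and window size would be tuned on the monitored system's own logs.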