A comparison of clustering methods
- for unsupervised anomaly detection in network traffic
Koffi Bruno Yao (koffi@diku.dk)
February 28, 2006
 
Contents
0.1 Preface 1

1 Introduction 2
1.1 Motivation 2
1.2 Goal of the thesis 3
1.3 Related works 4
1.4 Thesis organization 4

2 Background 6
2.1 Introduction to computer network security 6
2.1.1 Network security 6
2.1.2 Network intrusion detection systems 7
2.1.3 Network anomaly detection 8
2.1.4 Computer attacks 9
2.2 Introduction to clustering 12
2.2.1 Notation and definitions 12
2.2.2 The clustering problem 12
2.2.3 The clustering process 13
2.2.4 Feature selection 13
2.2.5 Choice of clustering algorithm 13
2.2.6 Cluster validity 16
2.2.7 Clustering tendency 17
2.2.8 Clustering of network traffic data 18
2.3 Summary 19

3 Clustering methods and algorithms 20
3.1 Hierarchical clustering methods 21
3.2 Partitioning clustering methods 24
3.2.1 Squared-error clustering 24
3.2.2 Model-based clustering 27
3.2.3 Density-based clustering 42
3.2.4 Grid-based clustering 45
3.2.5 Online clustering 47
3.2.6 Fuzzy clustering 48
3.3 Discussion of the classical clustering methods 52
3.4 Combining clustering methods 54
3.4.1 Two-level clustering with kmeans 54
3.4.2 Initialisation of clustering algorithms with the results of leader clustering 60
3.5 Summary 61

4 Experiments 62
4.1 Design of the experiments 62
4.2 Data set 63
4.2.1 Choice of data set 63
4.2.2 Description of the feature set 65
4.3 Implementation issues 69
4.4 Summary 71

5 Evaluation of clustering methods 72
5.1 Evaluation methodology 72
5.2 Evaluation measures 73
5.2.1 Evaluation measure requirements 74
5.2.2 Choice of evaluation measures 74
5.3 k-fold cross validation 76
5.4 Discussion and analysis of the experiment results 76
5.4.1 Results of the experiments 76
5.4.2 Analysis of the experiment results 79

6 Conclusion 86
6.1 Resume 86
6.2 Achievements 87
6.3 Limitations 88
6.4 Future work 89