In this paper we present “A Novel clustering algorithm” which is a partition based clustering algorithm that works well for data with mixed numeric and categorical features for classifying anomalous and normal activities in a computer network. The proposed method first partitions the training instances into k-clusters using dissimilarity measurement. On each cluster representing a density region of normal or anomaly instances we apply either of the two rules 1.Threshold rule 2. Bayes decision rule to obtain a final decision. We report our results of applying k-prototype clustering algorithm to the extensively gathered network audit data for the 1998 DARPA intrusion detection evaluation program

Kandregula, Balaji

Nuka Raju, Kolli

International Journal of Innovative Technology and Research (IJITR)

Nuka Raju Kolli* et al.(IJITR) INTERNATIONAL JOURNAL OF INNOVATIVE TECHNOLOGY AND RESEARCHVolume No.2, Issue No. 4, June – July 2014, 1044 – 1048.2320 –5547 @ 2013 http://www.ijitr.com All rights Reserved. Page | 1044A Novel Cost Metric Evaluation Method forAnomaly DetectionNUKA RAJU KOLLIAssociate ProfessorDadi Institute of Engineering & TechnologyAnakapalle,BALAJI KANDREGULAAssociate ProfessorDadi Institute of Engineering & TechnologyAnakapalleAbstract:- In this paper we present “A Novel clustering algorithm” which is a partition based clusteringalgorithm that works well for data with mixed numeric and categorical features for classifying anomalousand normal activities in a computer network. The proposed method first partitions the training instances intok-clusters using dissimilarity measurement. On each cluster representing a density region of normal oranomaly instances we apply either of the two rules 1.Threshold rule 2. Bayes decision rule to obtain a finaldecision. We report our results of applying k-prototype clustering algorithm to the extensively gatherednetwork audit data for the 1998 DARPA intrusion detection evaluation program.Index Terms: Anomaly detection, clustering, k-prototype clustering, k-means clustering.I. INTRODUCTIONIntrusion detection systems aim at detecting attacksagainst computer systems and networks, or againstinformation systems in general, as it is difficult toprovide provably secure information systems andmaintain them in such a secure state for their entirelifetime and for every utilization. Therefore, the taskof intrusion detection systems is to monitor the usageof such systems and to detect the apparition ofinsecure states. Intrusion detection technology [1] isan important component of information securitytechnology and an important supplement totraditional computer security mechanisms. Intrusiondetection can be categorized into two types: one isanomaly detection. It firstly stores users normalbehavior into feature database, then comparescharacters of current behavior with characters offeature database. If the deviation is large enough, Wecan say that the current behavior is anomaly orintrusion. Although having a low false negative rateand high false alarm rate, it can detect unknown typesof attacks. The other is misuse detection. Itestablishes a feature library according to the knownattacks, and then matches the happened behaviors todetect attacks. It can only detect known types ofattacks, but is unable to detect new types of attacks.Therefore misuse detection has a low false alarm rateand a high false negative rate.There are many methods applied into intrusiondetection [7] , such as methods based on statistics,methods based on data mining, methods based onmachine learning and so on. In recent years, datamining technology is developing rapidly andincreasingly mature and now it is gradually applied toIntrusion Detection field. Clustering is a data miningtechnique where data points are clustered togetherbased on their feature values and a similarity metric.Clustering algorithms are generally categorized undertwo different categories- partitional and hierarchical.Partitional clustering algorithms divide the data setinto non-overlapping groups [9, 10]. Algorithms k-mean, k-modes, etc. fall under this category.Hierarchical algorithms use the distance matrix asinput and create a hierarchical set of clusters.Hierarchical clusters are may be agglomerative ordivisive, each of which has different ways ofdetermining cluster membership and representation.Bloedorn [2] use k-means approach for networkintrusion detection.II. RELATED WORKK-means is the most important flat clusteringalgorithm. Its objective is to minimize the averagesquared Euclidean distance of documents from theircluster centers where a cluster center is defined as themean or centroid of the documents in a cluster:The definition assumes that documents arerepresented as length-normalized vectors in a real-valued space in the familiar way. They play a similarrole here. The ideal cluster in K-means is a spherewith the centroid as its center of gravity. Ideally, theclusters should not overlap. Our desiderata for classesNuka Raju Kolli* et al.(IJITR) INTERNATIONAL JOURNAL OF INNOVATIVE TECHNOLOGY AND RESEARCHVolume No.2, Issue No. 4, June – July 2014, 1044 – 1048.2320 –5547 @ 2013 http://www.ijitr.com All rights Reserved. Page | 1045in Rocchio classification were the same. Thedifference is that we have no labeled training set inclustering for which we know which documentsshould be in the same cluster.A measure of how well the centroids represent themembers of their clusters is the residual sum ofsquares or RSS , the squared distance of each vectorfrom its centroid summed over all vectors:WhereRSS is the objective function in -means and ourgoal is to minimize it. Since is fixed, minimizingRSS is equivalent to minimizing the average squareddistance, a measure of how well centroids representtheir documents.2.1 Contribution of the PaperThe contribution of the paper is enumerated asfollows:• The paper presents a k-prototype clusteringalgorithm for classifying the data as normal oranomaly using Threshold rule or Bayes decision rule.• The paper evaluates the performance of k-prototype clustering algorithm for anomaly detectionand compares with the k-means clustering algorithm.The rest of the paper is organized as follows: Insection2, review of k-prototype clustering algorithm.In section3, describes related work. In section4, wediscuss experimental datasets. In section5, we discussresults. In section6, we conclude our work.III. REVIEW OF K-PROTOTYPECLUSTERING ALGORITHMThe k-prototype algorithm [3] which work well formixed as well as pure numeric and categorical datasets. This uses joint probability distributions based onprobability of co-occurrence with other attributes. K-prototype Clustering AlgorithmFig1:the k-means algorithm for most IRapplications, the vectors xn belongs to R power Mshould be length-normalized.BeginInitialization – Allocate data objects to a pre-determined k number of clusters randomly.• For every categorical attribute• Compute distance δ(r, s) between two categoricalvalues r and s.• For every numeric attribute• Compute significance of attribute• Assign data objects to different clustersrandomly.Repeat steps 1–21. Compute cluster centers for C1, C2, C3, , , ,,Ck.2. Each data object di ( i = 1, 2, . . . , n) {n isnumber of data objects in data set} is assigned toits closest cluster center using ( i, j ) =d ,CUntil no elements change clusters or a pre-definednumber of iterations are reached. End.The cost function of k-prototype is specified inEq.1, which is to be minimized for clusteringmixed data sets.Where denotes the distance of object di from itsclosest cluster center Cj , for numeric attributes only,wt denotes the significance of tth numeric attributeNuka Raju Kolli* et al.(IJITR) INTERNATIONAL JOURNAL OF INNOVATIVE TECHNOLOGY AND RESEARCHVolume No.2, Issue No. 4, June – July 2014, 1044 – 1048.2320 –5547 @ 2013 http://www.ijitr.com All rights Reserved. Page | 1046which is to be computed from the data set,denotes the distance between thedata object di and its closest cluster center Cj incategorical attributes only. Let Ai, k denote the kthvalue for categorical attribute Ai. Let the totalnumber of distinct values for Ai be pi. Then thisdistance is defined asAlgorithm ALGO_DISTANCE [3] computes thedistance δ(x, y) .IV. ANOMALY DETECTION WITH K-PROTOTYPE CLUSTERINGALGORITHMI am provided with a training data set (Xi , Yi ) i=1,2, . . . .N, where Xi represents an n-dimensionalcontinuous valued vector and Yi represents thecorresponding class label with “0” for normal and“1” for anomaly.The k-prototype algorithm has the following steps:Apply the steps listed at 2nd section to get k clustersFor each test instance Z:• Compute the distance D(Ci, Z), i=1,2,….k. Findcluster Cr that is closest to Z.• Classify Z as an anomaly or a normal instanceusing either the Threshold rule or the Bayes Decisionrule. The Threshold rule for classifying a test instanceZ that belongs to cluster Cr is:Assign Z->1 if [[P(ω)]↓(1γ)|Z€C)] ↓( γ))>  τOtherwise Z->0 Where “0” and “1” represent normaland anomaly classes in cluster Cr ,[[P(ω)]↓(0γ)|Z€C)] ↓( γ)) represents the probability ofanomaly instances in cluster Cr , and τ is predefinedthreshold. A test instance is classified as an anomalyonly if it belongs to a cluster that has anomalyinstances in majority.Assign Z->1 if [[P(ω)]↓(1γ)|Z€C)] ↓( γ))>[[P(ω)]↓(oγ)|Z€C)] ↓( γ)) Otherwise Z->0,where ω0Represents the normal class in cluster cr,[[P(ω)]↓(oγ)|Z€C)] ↓( γ)) is the probability of normalinstances and in cluster crIn our experiments I use Bayes Decision rule forclassifying the given test instance as normal oranomaly activity.V. DATA SETSIn this section, I discuss the experimental data setNetwork Anomaly Data (NAD), obtained by featureextracting the 1998 MIT-DARPA network trafficcorpora [5,8]. The 1998 MIT-DARPA data sets [4]were collected on an evaluation test bed simulatingnetwork traffic similar to that seen between an AirForce base (INSIDE network) and the internet(OUTSIDE network). Approximately seven weeks oftraining data and two weeks of test data werecollected by a sniffer deployed between the INSIDEand OUTSIDE network. Thirty eight different attackswere launched from the outside network. The trainingand testing data subsets were randomly drawn fromthe original NAD, the no of dimensions are 11, no ofinstances in training data is restricted to utmost 5,000instances, with 70 percent of them being normal andthe rest being anomaly instances. The testing data setcontain utmost 2,500 unseen instances, with 80percent of them being normal and the remaining 20percent being anomaly instances.VI. RESULTS AND DISCUSSIONThe first step of K-means is to select as initial clustercenters K randomly selected documents, the seeds .The algorithm then moves the cluster centers aroundin space in order to minimize RSS. This is doneiteratively by repeating two steps until a stoppingcriterion is met: reassigning documents to the clusterwith the closest centroid; and recomputing eachcentroid based on the current members of its cluster.From nine iterations of the K-means algorithm for aset of points.I can apply one of the following terminationconditions. A fixed number of iterations I has beencompleted. This condition limits the runtime of theclustering algorithm, but in some cases the quality ofthe clustering will be poor because of an insufficientnumber of iterations.Assignment of documents to clusters (the partitioningfunction ) does not change between iterations.Except for cases with a bad local minimum, thisproduces a good clustering, but runtimes may beunacceptably long.Centroids do not change between iterations. Thisis equivalent to not changingNuka Raju Kolli* et al.(IJITR) INTERNATIONAL JOURNAL OF INNOVATIVE TECHNOLOGY AND RESEARCHVolume No.2, Issue No. 4, June – July 2014, 1044 – 1048.2320 –5547 @ 2013 http://www.ijitr.com All rights Reserved. Page | 1047Terminate when RSS falls below a threshold. Thiscriterion ensures that the clustering is of a desiredquality after termination. In practice, I need tocombine it with a bound on the number of iterationsto guarantee termination.Terminate when the decrease in RSS falls below athreshold . For small , this indicates that I areclose to convergence. Again, I need to combine itwith a bound on the number of iterations to preventvery long runtimes.I now show that -means converges by proving thatmonotonically decreases in each iteration. Iwill use decrease in the meaning decrease or does notchange in this section. First, RSS decreases in thereassignmentstep since each vector is assigned to the closestcentroid, so the distance it contributes todecreases. Second, it decreases in the recomputationstep because the new centroid is the vector forwhich reaches its minimum.Fig1: a k-means example for k=2 in R2. Theposition of the two centroids converges after nineiterations.In this section, I present and compare our results ofthe k-prototype clustering algorithm with BayesDecision rule for classifying anomaly detection withk-means method [6] over NAD-98 data set. I use fourmeasures for comparing performance as shown in Fig1:Fig.2 Performance of the k-means, k-prototypeClustering methods for Anomaly Detection over theNAD-1998 data set.The same efficiency problem is addressed by K-medoids , a variant of K-means that computesmedoids instead of centroids as cluster centers. Idefine the medoid of a cluster as the document vectorthat is closest to the centroid. Since medoids aresparse document vectors, distance computations arefast.Fig3:Estimated minimal residual sum of squares asa function of the number of clusters in K-means.In this clustering of 1203 Reuters-RCV1 documents,there are two points where the min curveflattens: at 4 clusters and at 9 clusters.The performance measures precision, TPR determinehow the k-means and k-prototype clustering methodsperform in identifying anomaly instances. Theperformance measures accuracy determines thenumber of normal and anomaly instances correctlyclassified. The measures FPR determine the numberof normal instances that incorrectly classified asanomaly.VII. CONCLUSIONIn this paper, I developed the k-prototype clusteringmethod for anomaly detection. In this k-prototypemethod, cost function and distance measure is basedon co-occurrence of values. The k-prototypeclustering method is first applied to partition thetraining instances into k disjoint clusters, and then Iapply the Bayes Decision rule for classification ofNuka Raju Kolli* et al.(IJITR) INTERNATIONAL JOURNAL OF INNOVATIVE TECHNOLOGY AND RESEARCHVolume No.2, Issue No. 4, June – July 2014, 1044 – 1048.2320 –5547 @ 2013 http://www.ijitr.com All rights Reserved. Page | 1048given instance as normal or anomaly, therebyimproving the overall classification performance. Icompare our results with k-means for classificationover the NAD-98 data set.REFERENCES[1] Qun Yang, “A survey of Intrusion DetectionTechnology [J],” Network SecurityTechnology & Application, 2008.[2] Bloedorn, E., A. D. Christiansen, W.Hill, C.Skorupka, L. M. Talbot, and J.Tivel (2001,August). Data mining for network intrusiondetection: How to get started .http://citeseer.nj.nec.com/523955.html.[3] Amir Ahmad and Lipika Dey “A k-meanclustering algorithm for mixed numeric andcategorical data.” Data & KnowledgeEngineering 63 (2007) 503–527].[4] R.P. Lippman, D.J. Fried, I. Graf, J. Haines, K.Kendall, D.McClung, D. Weber, S. Webster,D. Wyschogrod, R.K. Cunningham, and M.A.Zissman, “Evaluating Intrusion DetectionSystems: The 1998 DARPA Off-LineIntrusion Detection Evaluation,” Proc.DARPAInformation Survivability Conf. andExposition (DISCEX ’00),pp. 12-26, Jan.2000.[5] J. Haines, L. Rossey, R.P. Lippman, and R.K.Cunningham,“Extending the DARPA OfflineIntrusion Detection Evaluation,” Proc.DARPA Information Survivability Conf. andExposition (DISCEX’01),June 2001.

A NOVEL COST METRIC EVALUATION METHOD FOR ANOMALY DETECTION

http://www.ijitr.com/index.php/ojs/article/download/340/pdf

A NOVEL COST METRIC EVALUATION METHOD FOR ANOMALY DETECTION

Abstract

Similar works

Full text

Available Versions

International Journal of Innovative Technology and Research (IJITR)