Title: Unsupervised anomaly detection using an evolutionary extension of k-means algorithm

Authors: Wei Lu, Issa Traore

Addresses: Department of Electrical and Computer Engineering, University of Victoria, P.O. Box 3055 STN CSC, Victoria, British Columbia, V8W 3P6, Canada; Department of Electrical and Computer Engineering, University of Victoria, P.O. Box 3055 STN CSC, Victoria, British Columbia, V8W 3P6, Canada

Abstract: In this paper, we propose a new unsupervised anomaly detection framework for network intrusions. The framework consists of a new clustering algorithm named I-means and new anomalousness metrics named IP Weights. I-means is an evolutionary extension of the k-means algorithm that automatically estimates the number of clusters for a set of data. IP Weights allow the automatic conversion of regular packet features into a 3-dimensional numerical feature space. Online and offline evaluations show not only strong detection effectiveness, but also strong runtime efficiency, with response times falling within a range of a few seconds.

Keywords: intrusion detection; unsupervised anomaly detection; clustering algorithms; Gaussian mixture model; evolutionary computation; information security; computer security; network intrusions.

DOI: 10.1504/IJICS.2008.018513

International Journal of Information and Computer Security, 2008 Vol.2 No.2, pp.107 - 139

Published online: 26 May 2008
