Language selection

Government of Canada / Gouvernement du Canada

Search

An Unsupervised Clustering Algorithm for Intrusion Detection

From National Research Council Canada

Download
  1. (PDF, 275 KiB)
AuthorSearch for: ; Search for: ; Search for:
FormatText, Article
ConferenceAdvances in Artificial Intelligence, The 16th Conference of the Canadian Society for Computational Studies of Intelligence (AI 2003), June 11-13, 2003, Halifax, Nova Scotia, Canada
Abstract
As the Internet spreads to each corner of the world, computers are exposed to miscellaneous intrusions from the World Wide Web. Thus, we need effective intrusion detection systems to protect our computers from the intrusions. Traditional instance-based learning methods can only be used to detect known intrusions since these methods classify instances based on what they have learned. They rarely detect new intrusions since these intrusion classes has not been learned before. We expect an unsupervised algorithm to be able to detect new intrusions as well as known intrusions.<br /><br />In this paper, we propose a clustering algorithm for intrusion detection, called Y-means. This algorithm is developed based on the H-means+ algorithm [2] (an improved version of the K-means algorithm [1]) and other related clustering algorithms of K-means. Y-means is able to automatically partition a data set into a reasonable number of clusters so as to classify the instances into 'normal' clusters and 'abnormal' clusters. It overcomes two shortcomings of K-means: degeneracy and dependency on the number of clusters.<br /><br />The results of simulations that run on KDD-99 data set [3] show that Y-means is an effective method for partitioning large data set. An 89.89% detection rate and a 1.00% false alarm rate were achieved with the Y-means algorithm.
Publication date
In
  • Advances in Artificial Intelligence, The 16th Conference of the Canadian Society for Computational Studies of Intelligence (AI 2003) [Proceedings].
LanguageEnglish
NRC numberNRCC 45843
NPARC number5764311
Export citationExport as RIS
Report a correctionReport a correction (opens in a new tab)
Record identifier2820b823-8731-4927-a235-4050e28fe6bf
Record created2009-03-29
Record modified2021-01-05
Date modified: