CANN: An intrusion detection system based on combining cluster centers and nearest neighbors

Lin, Wei; Ke, Shih Wen; Tsai, Chih‐Fong

doi:10.1016/j.knosys.2015.01.009

Cited by 407 publications

(180 citation statements)

References 35 publications

(20 reference statements)

Supporting

Mentioning

177

Contrasting

Unclassified

Order By: Relevance

“…One of its influential application is for developing efficient intrusion detection systems (e.g. [2], [22], [5]- [8]). Om H et al [23], offered a hybrid model that combines k-Means and two classifier methods: k-nearest neighbor and Naive Bayes.…”

Section: Related Workmentioning

confidence: 99%

“…Methods that are based on integrating and combining different techniques are showing better results. In this paper our focus is on an already existing method named CANN which is using k-MEANS clustering along with KNN classifier [8].our goal is to improve KNN classifier performance to increase accuracy and detection rate and reduce false alarm rate of this method. in order to achieve this objective, we involved another effective factor in addition to nearest neighbor(KNN) to our classification process, that factor is farthest neighbor and we named this technique k farthest neighbor or k-FN.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Intrusion Detection using a Novel Hybrid Method Incorporating an Improved KNN

Shapoorifard¹,

Shamsinejad²

2017

IJCA

View full text Add to dashboard Cite

These days, with the tremendous growth of network-based service and shared information on networks, the risk of network attacks and intrusions increases too, therefore network security and protecting the network is getting more significance than before. Intrusion Detection System (IDS) is one of the solutions to detect attacks and anomalies in the network. The ever rising new intrusion or attack types causes difficulties for their detection, therefore Data mining techniques has been widely applied in network intrusion detection systems for extracting useful knowledge from large number of network data to detect intrusions. Many clustering and classification algorithms are used in IDS, therefore improving the functionality of these algorithms will improve IDS performance. This paper focuses on improving KNN classifier in existing intrusion detection task which combines K-MEANS clustering and KNN classification.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Intrusion Detection using a Novel Hybrid Method Incorporating an Improved KNN

Shapoorifard¹,

Shamsinejad²

2017

IJCA

View full text Add to dashboard Cite

show abstract

“…There is also a drive to design hybrid systems that can leverage the computing power of the CPU and GPU for the purpose of accelerating network intrusion detection [1] [11]. Parallel implementations of clustering algorithms have been used before to detect malicious behaviour on the network and in antivirus software [13]. The framework presented in this paper is designed in a versatile manner and can benefit from the extra computing power available in a common GPU.…”

Section: Parallelismmentioning

confidence: 99%

Network Traffic Anomaly Detection Using Shallow Packet Inspection and Parallel K-means Data Clustering

Velea¹,

Ciobanu²,

Mărgărit³

et al. 2017

STUD INFORM CONTROL

View full text Add to dashboard Cite

IT infrastructures around the world are targeted by malicious entities that want to steal data or compromise services. Protection measures for complex computer networks are expensive to deploy and maintain, and often do not offer protection against zero-day exploits. In-depth analysis of incoming and outgoing traffic can be problematic from legal and technical perspectives. The current work explores the possibility of implementing reliable security measures using machine learning algorithms to perform traffic classification. The new framework is mapped on existing parallel hardware and aims to provide a versatile solution for the detection of anomalous behaviour in network traffic through k-means clustering and without performing deep packet inspection. Trace analysis metadata is obtained by exploiting the features available in the pcapng file format. K-means clustering is implemented using multiple parallel APIs and a comparative analysis is presented together with performance considerations.

show abstract

“…In our previous work [1,2], we proposed an advanced incident response framework whose main goal is to identify more dangerous IDS alerts [3][4][5][6][7][8][9][10][11][12] using the darknet traffic. In addition, we carried out a practical correlation analysis of IDS alerts and the darknet traffic, focusing on internal hosts that sent packet(s) to the darknet and showed how security operators are able to effectively identify internal attack hosts using the darknet traffic [13].…”

Section: Introductionmentioning

confidence: 99%

Practical In-Depth Analysis of IDS Alerts for Tracing and Identifying Potential Attackers on Darknet

et al. 2017

View full text Add to dashboard Cite

Abstract:The darknet (i.e., a set of unused IP addresses) is a very useful solution for observing the global trends of cyber threats and analyzing attack activities on the Internet. Since the darknet is not connected with real systems, in most cases, the incoming packets on the darknet ('the darknet traffic') do not contain a payload. This means that we are unable to get real malware from the darknet traffic. This situation makes it difficult for security experts (e.g., academic researchers, engineers, operators, etc.) to identify whether the source hosts of the darknet traffic are infected by real malware or not. In this paper, we present the overall procedure of the in-depth analysis between the darknet traffic and IDS alerts using real data collected at the Science and Technology Cyber Security Center (S&T CSC) in Korea and provide the detailed in-depth analysis results. The ultimate goal of this paper is to provide practical experience, insight and know-how to security experts so that they are able to identify and trace the root cause of the darknet traffic. The experimental results show that correlation analysis between the darknet traffic and IDS alerts is very useful to discover potential attack hosts, especially internal hosts, and to find out what kinds of malware infected them.

show abstract

CANN: An intrusion detection system based on combining cluster centers and nearest neighbors

Cited by 407 publications

References 35 publications

Intrusion Detection using a Novel Hybrid Method Incorporating an Improved KNN

Intrusion Detection using a Novel Hybrid Method Incorporating an Improved KNN

Network Traffic Anomaly Detection Using Shallow Packet Inspection and Parallel K-means Data Clustering

Practical In-Depth Analysis of IDS Alerts for Tracing and Identifying Potential Attackers on Darknet

Contact Info

Product

Resources

About