Intrusion Detection in Unstructured Contexts Using On-line Clustering and Novelty Detection

Eduardo Alves Ferreira, Rodrigo Fernandes Mello


The characterization of process behavior is usually considered when performing intrusion detection. Several works characterize specific aspects of systems and attempt to detect novelties in that context, associating observed anomalies with attack events. Such an approach is limited or even useless when the observed context is unstructured, i.e. when the monitor generates text-based log files or a variable number of application attributes. In order to overcome this drawback, this paper considers the use of single-pass clustering techniques to quantize unstructured data and generate time series, using algorithms with low computational complexity that are applicable in a real-world scenario. Afterward, novelty detection techniques are employed on such series to distinguish behavior anomalies, which are associated with intrusions. We evaluated the approach using a system characterization dataset and confirmed that it aggregates context information to represent the behavior of applications as time series, on which novelty detection can be successfully performed.
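As an added illustration of the pipeline the abstract describes (not the authors' code): a single-pass leader clustering assigns each text log line a cluster id, turning the log into a symbolic time series, and a transition-frequency detector then flags events whose transition was never seen in a training window. The sample log lines, the Jaccard distance over digit-masked tokens, the threshold and the detector are constructed assumptions for this example, not the paper's choices.

```python
from collections import Counter

# Constructed sample log (not from the paper); pids and ports vary per session.
NORMAL = [
    "sshd[{p}]: Accepted publickey for alice from 10.0.0.5 port {q}",
    "sshd[{p}]: pam_unix(sshd:session): session opened for user alice",
    "sshd[{p}]: Received disconnect from 10.0.0.5 port {q}",
    "sshd[{p}]: pam_unix(sshd:session): session closed for user alice",
]
def session(pid, port):
    return [ln.format(p=pid, q=port) for ln in NORMAL]
TRAIN_LOG = session(1201, 51234) + session(1377, 51290) + session(1402, 51301)
TEST_LOG = session(1455, 51377) + [  # one normal session, then a login burst
    "sshd[151%d]: Failed password for invalid user admin from 203.0.113.9 port 4444%d"
    % (i, i) for i in range(3)]

def tokens(line):
    # Mask digits so pids, ports and addresses do not split clusters.
    return frozenset("".join("#" if c.isdigit() else c for c in line).split())
def jaccard_dist(a, b):
    return 1.0 - len(a & b) / len(a | b) if a | b else 0.0

class LeaderClusterer:
    """Single-pass (leader) clustering: a line joins the first cluster whose
    leader is within `threshold`, otherwise it founds a new cluster. Each
    line is examined once at O(number of clusters) cost, no re-clustering."""
    def __init__(self, threshold=0.2):
        self.threshold, self.leaders = threshold, []  # one leader per cluster

    def assign(self, line):
        t = tokens(line)
        for cid, leader in enumerate(self.leaders):
            if jaccard_dist(t, leader) <= self.threshold:
                return cid
        self.leaders.append(t)
        return len(self.leaders) - 1

def quantize(lines, clusterer):
    """Turn raw log lines into a time series of cluster ids."""
    return [clusterer.assign(ln) for ln in lines]

def novelty_scores(train_series, test_series):
    """Score each test event by how unexpected its transition (previous id
    -> id) was in the training series; 1.0 means never observed there."""
    seen = Counter(zip(train_series, train_series[1:]))
    prev, scores = train_series[-1], []
    for cid in test_series:
        scores.append(1.0 / (1 + seen[(prev, cid)]))
        prev = cid
    return scores
```

The masked-digit tokens make repeated sessions with different pids and ports fall into the same four clusters, so only the unseen failed-login transitions score 1.0.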


Copyright (c) 2018 Eduardo Alves Ferreira, Rodrigo Fernandes Mello

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.