Clustering Normal User Behavior for Anomaly Intrusion Detection


The KIPS Transactions:PartC, Vol. 10, No. 7, pp. 857-866, Dec. 2003
DOI: 10.3745/KIPSTC.2003.10.7.857

Abstract

To detect intrusions from anomalies in a user’s activities, previous work has concentrated on statistical techniques for analyzing an audit data set. However, since these techniques mainly analyze the average behavior of a user’s activities, some anomalies can be detected inaccurately. This paper proposes a new clustering algorithm for modeling the normal pattern of a user’s activities. Since clustering can identify an arbitrary number of dense ranges in an analysis domain, it can eliminate the inaccuracy caused by statistical analysis. Clustering can also be used to model common knowledge that occurs frequently in a set of transactions, so the common activities of a user can be found more accurately. The common knowledge is represented by the occurrence frequency of similar data objects, measured in units of transactions, as well as the common repetitive ratio of similar data objects in each transaction. The proposed method also addresses how to maintain the identified common knowledge as a concise profile. As a result, the profile can be used to detect any anomalous behavior in an online transaction.



Cite this article
[IEEE Style]
O. S. Hyeon and L. W. Seog, "Clustering Normal User Behavior for Anomaly Intrusion Detection," The KIPS Transactions:PartC, vol. 10, no. 7, pp. 857-866, 2003. DOI: 10.3745/KIPSTC.2003.10.7.857.

[ACM Style]
O Sang Hyeon and Lee Won Seog. 2003. Clustering Normal User Behavior for Anomaly Intrusion Detection. The KIPS Transactions:PartC, 10, 7, (2003), 857-866. DOI: 10.3745/KIPSTC.2003.10.7.857.