A Comparison Between the Silhouette Index and the Davies-Bouldin Index in Labelling IDS Clusters

One of the most difficult problems in the design of an anomaly based intrusion detection system (IDS) that uses clustering is that of labelling the obtained clusters, i.e. determining which of them correspond to ”good” behaviour on the network/host and which to ”bad” behaviour. In this paper, a new clusters’ labelling strategy, which makes use of a clustering quality index is proposed for application in such an IDS. The aim of the new labelling algorithm is to detect compact clusters containing very similar vectors and these are highly likely to be attack vectors. Two clustering quality indexes have been tested and compared: the Silhouette index and the Davies-Bouldin index. Experimental results comparing the effectiveness of a multiple classifier IDS with the two indexes implemented show that the system using the Silhouette index produces slightly more accurate results than the system that uses the Davies-Bouldin index. However, the computation of the Davies-Bouldin index is much less complex than the computation of the Silhouette index, which is a very important advantage regarding eventual real-time operation of an IDS that employs clustering.