Network Intrusion Detection using a Secure Ranking of Hidden Outliers

Network intrusion detection has recently attracted a lot of attention in both research and industry of computer network security. By intrusion, attackers try to perform malicious activities inside the network using harmless-looking connections. Network intrusion detection systems try to differentiate these attacks from normal connections by grouping them into families based on similarity. As new forms of intrusions different from the already detected ones are usually seen, clustering of network connections is widely used to deal with that. In data mining, clustering aims at dividing objects into different groups (called clusters) such that objects in one cluster are similar to each other and dissimilar to objects from other clusters. Some sparse objects deviate from all available clusters and are not dense enough to form a new cluster. These objects are called outliers and they usually do not belong to any of available clusters. For network security, when clustering the connections in the network, many connections could be considered as outliers when compared to the clusters of normal connections but nevertheless they are not real intrusions. Considering every outlier connection as a network intrusion will result in too many false alarms. Previous solutions which handled this problem were not effective enough for detecting intrusions which are hidden in subspaces of the connection data. We suggest an oultier ranking algorithm for ranking these outlier connections. Using a scoring function, our algorithm gives higher degree of “outlierness” for strongly-deviated outliers hidden in subspaces of the network connection data. We see another challenge when seeking for intrusions in the network. Attackers usually try slight modifications of previously-successful intrusions for producing new attacks. Our novel scoring function carefully gives higher degree of outlierness for outliers found in subspaces which contain known intrusions. Thus we should considerably reduce false alarms since only strongly-deviated outliers and outliers detected in suspected subspaces of the connections will be considered as intrusions.