Papers by Charlie Isaksson

Risk Leveling of Network Traffic Anomalies

The goal of intrusion detection is to identify attempted or ongoing attacks on a computer system or network. Many attacks aim to compromise computer networks in an online manner. Traffic anomalies have been an important indication of such attacks. The challenges in detection lie in modeling the large continuous streams of data and performing anomaly detection in an online manner. This paper presents a data mining technique to assess the risks of local anomalies based on a synopsis obtained from a global spatiotemporal modeling approach. The proposed model is proactive in the detection of various types of traffic-related attacks such as distributed denial of service (DDoS). It is incremental and scalable, and thus suitable for online processing. Algorithm analysis shows the time efficiency of the proposed technique. The experiments conducted with a DARPA dataset demonstrate that, compared with a frequency-based anomaly detection model, the false alarm rate caused by the proposed model is significantly mitigated without losing a high detection rate.

In this paper we propose a data stream clustering algorithm, called Self Organizing density-based clustering over data Stream (SOStream). This algorithm has several novel features. Instead of using a fixed, user-defined similarity threshold or a static grid, SOStream detects structure within fast-evolving data streams by automatically adapting the threshold for density-based clustering. It also employs a novel cluster updating strategy inspired by competitive learning techniques developed for Self Organizing Maps (SOMs). In addition, SOStream has built-in online functionality to support advanced stream clustering operations, including merging and fading. This makes SOStream completely online, with no separate offline components. Experiments performed on KDD Cup'99 and artificial datasets indicate that SOStream is an effective and superior algorithm in creating clusters of higher purity while having lower space and time requirements compared to previous stream clustering algorithms.

To classify time series by nearest neighbors, we need to specify or learn one or several distance measures. We consider variations of the Mahalanobis distance measure, which rely on the inverse covariance matrix of the data. Unfortunately, for time series data, the covariance matrix often has low rank. To alleviate this problem we can either use a pseudoinverse, covariance shrinking, or limit the matrix to its diagonal. We review these alternatives and benchmark them against competitive methods such as the related Large Margin Nearest Neighbor Classification (LMNN) and the Dynamic Time Warping (DTW) distance. As we expected, we find that DTW is superior, but the Mahalanobis distance measures are one to two orders of magnitude faster. To get the best results with Mahalanobis distance measures, we recommend learning one distance measure per class using either covariance shrinking or the diagonal approach.