Combining Similarity and Dissimilarity: a Novel Approach for the Anomaly Intrusion Detection

Conference: WIAR '2012 - National Workshop on Information Assurance Research
18.04.2012 in Riyadh, Kingdom of Saudi Arabia

Proceedings: WIAR '2012

Pages: 6, Language: English, Type: PDF

Derhab, Abdelouahid (Department of Theories and Computer Engineering, CERIST research center, Algiers, Algeria)
Bouras, Abdelghani (Industrial Engineering dept, College of Engineering, King Saud University, Riyadh, Kingdom of Saudi Arabia)

In this paper, we study the anomaly detection problem with the goal of minimizing memory and time complexity. Prior works need to check the whole training database to detect anomalous objects, and hence they are not scalable for large training databases. In this paper, we propose two similarity (resp., dissimilarity) measures. We show that similarity and dissimilarity can be described by one linear equation. Based on this result, we take a novel approach to address anomaly-based intrusion detection. This approach converts all the profiles composing the training database into 2-dimensional geometric points such that these points lie on the same line y = n - x. A simple comparison operation is sufficient to decide whether an object is normal or anomalous. Complexity analysis shows that our IDS outperforms the classical anomaly-based IDS in terms of memory and time complexity.