Combining Similarity and Dissimilarity: a Novel Approach for the Anomaly Intrusion Detection

Conference: WIAR '2012 - National Workshop on Information Assurance Research
04/18/2012 at Riyadh, Kingdom of Saudi Arabia

Proceedings: WIAR '2012

Pages: 6
Language: English
Type: PDF

Derhab, Abdelouahid (Department of Theories and Computer Engineering, CERIST research center, Algiers, Algeria)
Bouras, Abdelghani (Industrial Engineering dept, College of Engineering, King Saud University, Riyadh, Kingdom of Saudi Arabia)

In this paper, we study the anomaly detection problem with the goal of minimizing memory and time complexity. Prior works need to check the whole training database to detect anomalous objects, and hence they are not scalable for large training databases. In this paper, we propose two similarity (resp., dissimilarity) measures. We show that similarity and dissimilarity can be described by one linear equation. Based on this result, we take a novel approach to address anomaly-based intrusion detection. This approach converts all the profiles composing the training database into 2-dimensional geometric points such that these points lie on the same line y = n - x. A simple comparison operation is sufficient to decide whether an object is normal or anomalous. Complexity analysis shows that our IDS outperforms the classical anomaly-based IDS in terms of memory and time complexity.