A clustering-based anomaly intrusion detector for a host computer

Sang Hyun Oh, Won Suk Lee

Research output: Contribution to journalArticlepeer-review

7 Citations (Scopus)


For detecting the anomalous behavior of a user effectively, most researches have concentrated on statistical techniques. However, since statistical techniques mainly analyze the average behavior of a user's activities, some anomalies can be detected inaccurately. In addition, it is difficult to model intermittent activities performed periodically. In order to model the normal behavior of a user closely, a set of various features can be employed. Given an activity of a user, the values of those features that are related to the activity represent the behavior of the activity. Furthermore, activities performed in a session of a user can be regarded as a semantically atomic transaction. Although it is possible to apply clustering technique to these values to extract the normal behavior of a user, most of conventional clustering algorithms do not consider any transactional boundary in a data set. In this paper, a transaction-based clustering algorithm for modeling the normal behavior of a user is proposed. Based on the activities of the past transactions, a set of clusters for each feature can be found to represent the normal behavior of a user as a concise profile. As a result, any anomalous behavior in an online transaction of the user can be effectively detected based on the profile of the user.

Original languageEnglish
Pages (from-to)2086-2094
Number of pages9
JournalIEICE Transactions on Information and Systems
Issue number8
Publication statusPublished - 2004 Aug

All Science Journal Classification (ASJC) codes

  • Software
  • Hardware and Architecture
  • Computer Vision and Pattern Recognition
  • Electrical and Electronic Engineering
  • Artificial Intelligence


Dive into the research topics of 'A clustering-based anomaly intrusion detector for a host computer'. Together they form a unique fingerprint.

Cite this