Mining normal and intrusive activity patterns for computer intrusion detection

Xiangyang Li, Nong Ye

Research output: Contribution to journalArticlepeer-review

1 Scopus citations


Intrusion detection has become an important part of assuring the computer security. It borrows various algorithms from statistics, machine learning, etc. We introduce in this paper a supervised clustering and classification algorithm (CCAS) and its application in learning patterns of normal and intrusive activities and detecting suspicious activity records. This algorithm utilizes a heuristic in grid-based clustering. Several post-processing techniques including data redistribution, supervised grouping of clusters, and removal of outliers, are used to enhance the scalability and robustness. This algorithm is applied to a large set of computer audit data for intrusion detection. We describe the analysis method in using this data set. The results show that CCAS makes significant improvement in performance with regard to detection ability and robustness.

Original languageEnglish (US)
Pages (from-to)226-238
Number of pages13
JournalLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
StatePublished - Dec 1 2004

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science


Dive into the research topics of 'Mining normal and intrusive activity patterns for computer intrusion detection'. Together they form a unique fingerprint.

Cite this