In the existing approaches of multifarious knowledge based anomaly detection for network traffic, the priori knowledge labelled by human experts has to be consecutively updated for identification of new anomalies. Because anomalies usually show different patterns from the majority of network activities, it is hard to detect them based on the priori knowledge. Unsupervised anomaly detection using autonomous techniques without any priori knowledge is an effective strategy to overcome this drawback. In this paper, we propose a novel model of Unsupervised Anomaly Detection approach based on Artificial Immune Network (UADAIN) that consists of unsupervised clustering, cluster partition and anomaly detection. Our model uses the aiNet based unsupervised clustering approach to generate cluster centroids from network traffic, and the Cluster Centroids based Partition algorithm (CCP) then coarsely partition cluster centroids in the training phase as the self set (normal rules) and antibody set (anomalous rules). In test phase, to keep consecutive evolution of selves and antibodies, we introduce the Immune Network based Anomaly Detection model (INAD) to automatically learn and evolve the self set and antibody set. To evaluate the effectiveness of UADAIN, we conduct simulation experiments on ISCX 2012 IDS dataset and NSL-KDD dataset. In comparison with two popular anomaly detection approaches based on K-means clustering and aiNet-HC clustering, respectively, the experiment results demonstrate that UADAIN achieves better detection performance in detecting anomalies of network traffic.
- Artificial immune network
- Network traffic
- Unsupervised anomaly detection