sesa 15(3): e5

Research Article

A novel intrusion detection method based on OCSVM and K-means recursive clustering

    @ARTICLE{10.4108/sesa.2.3.e5,
        author={Leandros A. Maglaras and Jianmin Jiang},
        title={A novel intrusion detection method based on OCSVM and K-means recursive clustering},
        journal={EAI Endorsed Transactions on Security and Safety},
        volume={2},
        number={3},
        publisher={ICST},
        journal_a={SESA},
        year={2015},
        month={1},
        keywords={Cyber security, SCADA systems, support vector machine, machine learning},
        doi={10.4108/sesa.2.3.e5}
    }
    
Leandros A. Maglaras (1, *), Jianmin Jiang (1)
  • 1: University of Surrey, Department of Computing, Guildford, UK
*Contact email: l.maglaras@surrey.ac.uk

Abstract

In this paper we present an intrusion detection module capable of detecting malicious network traffic in a SCADA (Supervisory Control and Data Acquisition) system, based on the combination of a One-Class Support Vector Machine (OCSVM) with an RBF kernel and recursive k-means clustering. Two OCSVM parameters strongly affect the classifier: the Gaussian kernel width σ, which controls how tightly the decision boundary follows the training data, and ν, which upper-bounds the fraction of training samples treated as outliers. Tuning these parameters is of great importance in order to avoid false positives and overfitting. Combining OCSVM with recursive k-means clustering lets the proposed intrusion detection module separate genuine alarms from spurious ones regardless of the values of σ and ν, making it well suited to real-time intrusion detection mechanisms for SCADA systems. Extensive simulations have been conducted with datasets extracted from small and medium sized HTB SCADA testbeds, in order to compare accuracy, false alarm rate and execution time against the baseline OCSVM method.
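The two-stage idea in the abstract, as an added, self-contained illustration that is not the authors' code: an RBF-kernel OCSVM trained on constructed "normal" SCADA flow features flags outliers, and a second stage re-clusters the flagged set with 2-means, recursively, and discards every cohesive piece that still lies inside the learned normal region. The paper's exact recursive clustering rule is not given on this page, so the splitting and acceptance criteria below are assumptions, as are the Frank-Wolfe dual solver (used only to avoid a QP dependency), the placement of the offset ρ at the ν-quantile of training scores, the feature scales and the sample traffic. Running it with ν = 0.05 and ν = 0.3 shows the first stage's alarm count swinging with ν while the filtered alarm set is the same.

```python
"""Two-stage SCADA anomaly detector: OCSVM (RBF kernel) + recursive 2-means
alarm filtering.  Added illustration; the recursion rule, solver, offset
placement and all traffic samples are constructed assumptions."""
import math
import random


def rbf(a, b, sigma):
    """Gaussian (RBF) kernel k(a, b) = exp(-||a-b||^2 / (2 sigma^2))."""
    d2 = sum((x - y) ** 2 for x, y in zip(a, b))
    return math.exp(-d2 / (2.0 * sigma * sigma))


def train_ocsvm(X, nu, sigma, iters=200):
    """Solve the OCSVM dual  min 1/2 a^T K a  s.t. 0 <= a_i <= 1/(nu n), sum a = 1
    by Frank-Wolfe (assumed solver): each step moves toward the feasible vertex that
    puts mass 1/(nu n) on the points with the lowest current kernel score.
    Returns (alpha, rho)."""
    n = len(X)
    K = [[rbf(X[i], X[j], sigma) for j in range(n)] for i in range(n)]
    cap = 1.0 / (nu * n)
    k = min(n - 1, max(1, int(nu * n + 1e-9)))
    alpha = [1.0 / n] * n                                   # feasible start
    for t in range(iters):
        g = [sum(K[i][j] * alpha[j] for j in range(n)) for i in range(n)]
        order = sorted(range(n), key=g.__getitem__)
        s = [0.0] * n
        for i in order[:k]:
            s[i] = cap
        s[order[k]] = max(0.0, 1.0 - k * cap)               # leftover mass, 0 when nu*n is integral
        gamma = 2.0 / (t + 2)
        alpha = [(1 - gamma) * a + gamma * v for a, v in zip(alpha, s)]
    # Assumed simplification: put rho so that the nu-fraction of training points with
    # the lowest score fall outside the boundary (nu upper-bounds the outlier rate).
    scores = sorted(sum(K[i][j] * alpha[j] for j in range(n)) for i in range(n))
    rho = 0.5 * (scores[k - 1] + scores[k])
    return alpha, rho


def score(X, alpha, sigma, x):
    """OCSVM kernel expansion sum_i alpha_i k(x_i, x); alarm when it is below rho."""
    return sum(a * rbf(xi, x, sigma) for a, xi in zip(alpha, X) if a > 0)


def raw_alarms(X, alpha, rho, sigma, T):
    """Stage 1: indices of test samples the OCSVM places outside the boundary."""
    return [i for i, x in enumerate(T) if score(X, alpha, sigma, x) < rho]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def centroid(P):
    return tuple(sum(p[d] for p in P) / len(P) for d in range(len(P[0])))


def kmeans2(P, iters=20):
    """Lloyd's k-means, k=2; seeds are the first point and the point farthest from it."""
    c = [P[0], max(P, key=lambda p: dist(p, P[0]))]
    groups = ([], [])
    for _ in range(iters):
        groups = ([], [])
        for p in P:
            groups[0 if dist(p, c[0]) <= dist(p, c[1]) else 1].append(p)
        if not groups[0] or not groups[1]:
            break
        c = [centroid(groups[0]), centroid(groups[1])]
    return groups


def recursive_filter(P, normal_center, radius, depth=0):
    """Stage 2 (assumed rule): split the alarm set with 2-means until each piece is
    cohesive (no wider than the normal region), then keep a piece only if its
    centroid lies well outside that region; the near pieces are false alarms."""
    if not P:
        return []
    c = centroid(P)
    far = dist(c, normal_center) > 2 * radius
    cohesive = max(dist(p, c) for p in P) <= radius
    if cohesive or len(P) < 2 or depth >= 8:
        return list(P) if far else []
    a, b = kmeans2(P)
    if not a or not b:                                      # degenerate split: decide as a whole
        return list(P) if far else []
    return (recursive_filter(a, normal_center, radius, depth + 1)
            + recursive_filter(b, normal_center, radius, depth + 1))


def detect(X, T, nu, sigma):
    """Full pipeline: returns (stage-1 alarm indices, indices surviving stage 2)."""
    alpha, rho = train_ocsvm(X, nu, sigma)
    raw = raw_alarms(X, alpha, rho, sigma, T)
    center = centroid(X)
    radius = max(dist(x, center) for x in X)                # extent of the learned normal region
    kept = set(recursive_filter([T[i] for i in raw], center, radius))
    return raw, [i for i in raw if T[i] in kept]


# Constructed data (assumption): per-flow features (packets/s, mean payload bytes / 10).
random.seed(7)
def normal_flow():
    return (random.gauss(10.0, 1.0), random.gauss(3.0, 0.5))
TRAIN = [normal_flow() for _ in range(60)]                  # benign polling traffic
TEST_NORMAL = [normal_flow() for _ in range(40)]
TEST_ATTACK = [(random.gauss(40.0, 2.0), random.gauss(15.0, 1.0)) for _ in range(6)]  # flood-like
TEST = TEST_NORMAL + TEST_ATTACK
ATTACK_IDX = list(range(len(TEST_NORMAL), len(TEST)))
SIGMA = 2.0

if __name__ == "__main__":
    for nu in (0.05, 0.3):
        raw, kept = detect(TRAIN, TEST, nu, SIGMA)
        false_pos = len(raw) - len(set(raw) & set(ATTACK_IDX))
        print(f"nu={nu}: OCSVM alarms={len(raw)} (false={false_pos}); after k-means filter={sorted(kept)}")
```

The first stage behaves as the abstract warns: raising ν pushes ρ up and turns more benign tail samples into alarms, and a badly chosen σ would do the same by wrapping the boundary too tightly around the training set. The second stage only asks whether a cohesive group of alarms sits inside or outside the region spanned by the training data, so the surviving alarm set is the six constructed attack flows under both ν settings.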