Unsupervised Network Anomaly Detection
In this paper, the authors present a completely unsupervised approach to detect attacks, without relying on signatures, labeled traffic, or training. The unsupervised detection of network attacks represents an extremely challenging goal. The structure of the anomaly identified by the clustering algorithms is used to automatically construct specific filtering rules that characterize its nature, providing easy-to-interpret information to the network operator. In addition, these rules are combined to create an anomaly signature, which can be directly exported towards standard security devices like IDSs, IPSs, and/or firewalls.