A Survey of Distance and Similarity Measures Used Within Network Intrusion Anomaly Detection

Document Type

Article

Publication Date

2015

Abstract

Anomaly detection (AD) use within the network intrusion detection field of research, or network intrusion AD (NIAD), is dependent on the proper use of similarity and distance measures, but the measures used are often not documented in published research. As a result, while the body of NIAD research has grown extensively, knowledge of the utility of similarity and distance measures within the field has not grown correspondingly. NIAD research covers a myriad of domains and employs a diverse array of techniques from simple k-means clustering through advanced multiagent distributed AD systems. This review presents an overview of the use of similarity and distance measures within NIAD research. The analysis provides a theoretical background in distance measures and a discussion of various types of distance measures and their uses. Exemplary uses of distance measures in published research are presented, as is the overall state of the distance measure rigor in the field. Finally, areas that require further focus on improving the distance measure rigor in the NIAD field are presented. Abstract © IEEE.

Comments

The "Link to Full Text" button on this page loads the open access article version of record, hosted at IEEE. The publisher retains permissions to re-use and distribute this article.

The linked article is subject to the following terms by the publisher: © 2015 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

DOI

10.1109/COMST.2014.2336610

Source Publication

IEEE Communications Surveys & Tutorials

Share

COinS