A framework for adaptive anomaly detection based on Support Vector Data Description

To improve the efficiency and usability of adaptive anomaly detection system, we propose a new framework based on Support Vector Data Description (SVDD) method. This framework includes two main techniques: online change detection and unsupervised anomaly detection. The first one enables automatically obtain model training data by measuring and distinguishing change caused by intensive attacks from normal behavior change and then filtering most intensive attacks. The second retrains model periodically and detects the forthcoming data. Results of experiments with the KDD'99 network data show that these techniques can handle intensive attacks effectively and adapt to the concept drift while still detecting attacks. As a result, false positive rate is reduced from 13.43% to 4.45%.