Skip to main content
Min–Max Hyperellipsoidal Clustering for Anomaly Detection in Network Security
IEEE Transactions on Systems, Man, and Cybernetics
  • Suseela T. Sarasamma, University of Nebraska at Omaha
  • Qiuming Zhu, University of Nebraska at Omaha
Document Type
Publication Date

A novel hyperellipsoidal clustering technique is presented for an intrusion-detection system in network security. Hyperellipsoidal clusters toward maximum intracluster similarity and minimum intercluster similarity are generated from training data sets. The novelty of the technique lies in the fact that the parameters needed to construct higher order data models in general multivariate Gaussian functions are incrementally derived from the data sets using accretive processes. The technique is implemented in a feedforward neural network that uses a Gaussian radial basis function as the model generator. An evaluation based on the inclusiveness and exclusiveness of samples with respect to specific criteria is applied to accretively learn the output clusters of the neural network. One significant advantage of this is its ability to detect individual anomaly types that are hard to detect with other anomaly-detection schemes. Applying this technique, several feature subsets of the tcptrace network-connection records that give above 95% detection at false-positive rates below 5% were identified.


© 2006 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

Citation Information
Suseela T. Sarasamma and Qiuming Zhu. "Min–Max Hyperellipsoidal Clustering for Anomaly Detection in Network Security" IEEE Transactions on Systems, Man, and Cybernetics Vol. 36 Iss. 4 (2006) p. 887 - 901
Available at: