Research Article

Mining Network Traffic with the k-Means Clustering Algorithm for Stepping-Stone Intrusion Detection

Algorithm 1

Algorithm to estimate the length of a connection chain
Input: k, dataset-1, dataset-2, and dataset-3.
Output: the RTT dataset obtained from the connection chain of length k.
(1) Call the k-means clustering algorithm on dataset-1. Let σ1 be the standard deviation computed by Equation (2) from the k clusters obtained when the k-means clustering algorithm finishes
(2) Call the k-means clustering algorithm on dataset-2. Let σ2 be the standard deviation computed by Equation (2) from the k clusters obtained when the k-means clustering algorithm finishes
(3) Call the k-means clustering algorithm on dataset-3. Let σ3 be the standard deviation computed by Equation (2) from the k clusters obtained when the k-means clustering algorithm finishes
(4) If σ1 is the smallest of the three standard deviations, return dataset-1; dataset-1 is then the one obtained from the connection chain of length k
(5) If σ2 is the smallest of the three standard deviations, return dataset-2; dataset-2 is then the one obtained from the connection chain of length k
(6) If σ3 is the smallest of the three standard deviations, return dataset-3; dataset-3 is then the one obtained from the connection chain of length k
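A runnable sketch of steps (1) to (6), added here as an illustration and not taken from the article. Equation (2) is not reproduced on this page, so the code assumes σ is the root-mean-square distance of each RTT from its cluster centroid; the quantile seeding, the function names and the RTT samples are likewise constructed assumptions.

```python
import math

def kmeans_1d(values, k, max_iter=100):
    """Lloyd's k-means on scalar RTTs; returns (centroids, labels)."""
    data = sorted(values)
    # Assumption: deterministic seeding at evenly spaced quantiles of the data.
    centroids = [data[int((i + 0.5) * len(data) / k)] for i in range(k)]
    labels = []
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda c: abs(x - centroids[c]))
                      for x in values]
        if new_labels == labels:  # assignments stable: converged
            break
        labels = new_labels
        for c in range(k):
            members = [x for x, lab in zip(values, labels) if lab == c]
            if members:  # an empty cluster keeps its previous centroid
                centroids[c] = sum(members) / len(members)
    return centroids, labels

def cluster_sigma(values, k):
    """Assumed stand-in for Equation (2): RMS distance of RTTs to their centroid."""
    centroids, labels = kmeans_1d(values, k)
    sse = sum((x - centroids[lab]) ** 2 for x, lab in zip(values, labels))
    return math.sqrt(sse / len(values))

def pick_chain_dataset(k, datasets):
    """Steps (1)-(6): index of the dataset with the smallest sigma, plus all sigmas."""
    sigmas = [cluster_sigma(d, k) for d in datasets]
    return sigmas.index(min(sigmas)), sigmas

# Constructed RTT samples in milliseconds (not measurements from the article).
# DATASET_1 has three tight RTT levels, DATASET_2 has four, DATASET_3 has none.
DATASET_1 = [9.8, 10.0, 10.2, 10.1, 19.9, 20.0, 20.3, 20.1, 29.7, 30.0, 30.2, 30.1]
DATASET_2 = [9.9, 10.1, 10.0, 20.1, 19.8, 20.0, 30.2, 29.9, 30.0, 40.1, 39.8, 40.0]
DATASET_3 = [5.0, 9.0, 13.0, 17.0, 21.0, 25.0, 29.0, 33.0, 37.0, 41.0, 45.0, 49.0]

if __name__ == "__main__":
    idx, sigmas = pick_chain_dataset(3, [DATASET_1, DATASET_2, DATASET_3])
    for n, s in enumerate(sigmas, start=1):
        print(f"dataset-{n}: sigma = {s:.3f}")
    print(f"dataset-{idx + 1} matches a connection chain of length 3")
```

With k = 3, only the dataset whose RTTs fall into exactly three tight levels yields a small σ; forcing three clusters onto four levels or onto unstructured RTTs leaves at least one wide cluster.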