The paper presents DynIDS, a network intrusion detection approach that flags malicious activity without previous knowledge about attacks or training data. DynIDS dynamically defines and extracts features from network data, and uses clustering algorithms to aggregate hosts with similar behavior. All previous clustering-based network intrusion detection approaches use a static set of features, restricting their ability to detect certain attacks. Instead, we use a set of features defined dynamically, at runtime, avoiding that restriction without falling into the curse of dimensionality, something that we believe is essential for the adoption of this kind of approach. We evaluated DynIDS experimentally with an evaluation and a real-world dataset, obtaining a better F-Score than alternative solutions.
Luís Dias
Universidade Federal de São Carlos
Simão Valente
Polytechnic Institute of Cávado and Ave
Miguel Correia
Instituto de Engenharia de Sistemas e Computadores Investigação e Desenvolvimento
University of Lisbon
Dias et al. (Tue,) studied this question.
synapsesocial.com/papers/6a1c60bec97d63156a5f9cd0 — DOI: https://doi.org/10.1109/nca51143.2020.9306732