Chapter 1

LEARNING RULES AND CLUSTERS FOR ANOMALY DETECTION IN NETWORK TRAFFIC

Philip K. Chan,1,2 Matthew V. Mahoney,1 and Muhammad H. Arshad1

1 Department of Computer Sciences, Florida Institute of Technology, Melbourne, FL 32901
pkc, mmahoney, marshad@cs.fit.edu

2 Laboratory for Computer Science, NE43-417, Massachusetts Institute of Technology, Cambridge, MA 02139
pkc@medg.lcs.mit.edu

Abstract

Much of the intrusion detection research focuses on signature (misuse) detection, where models are built to recognize known attacks. However, signature detection, by its nature, cannot detect novel attacks. Anomaly detection focuses on modeling the normal behavior and identifying significant deviations, which could be novel attacks. In this chapter we explore two machine learning methods that can construct anomaly detection models from past behavior. The first method is a rule learning algorithm that characterizes normal behavior in the absence of labeled attack data. The second method uses a clustering algorithm to identify outliers.

Keywords: anomaly detection, machine learning, intrusion detection

1. Introduction

The Internet is one of the most influential innovations in recent history. Though most people use the Internet for productive purposes, some use it as a vehicle for malicious intent. As the Internet links more users together and computers are more prevalent in our daily lives, the Internet and the computers connected to it increasingly become more