An empirical study on utilizing online k-means clustering for intrusion detection purposes

K-means clustering is widely used in data mining applications. The k-means algorithm is built to pass over the data to be classified in multiple iterations assuming that the whole data is reachable in every iteration. While the pleasure of having the complete data at a time is not available for online data, the online versions of the k-means clustering have to be used when needed. Online data is a notable pattern extensively used in cybersecurity applications such as intrusion detection systems (IDS). In this work, we develop an unsupervised learning-based IDS using an online k-means clustering algorithm. We also measure the IDS efficiency of clustering highly unbalanced online data generated from an IoT network environment attacked by diverse intrusions and using various cluster centers. Besides, the evaluation process was performed for raw (unnormalized) and normalized data records. The performance of online k-means clustering was compared to offline k-means clustering. The results showed that the online clustering method could operate adequately as the offline k-means clustering, especially when used with normalized data traffic scoring an overall clustering purity of 99% for normal packets and 93% for anomaly packets. Besides, the model peaked at an overall F1 score of 99% for normal packet prediction and 94% for anomaly packet prediction.