Use Case of K-Means Clustering Algorithm : Intrusion Detection System

Satyam Singh
Sep 4, 2021


Content of this Blog

  • What is K-Means Clustering ?
  • What is Intrusion Detection System ?
  • Use Case : Network Intrusion Detection System

What is K-Means Clustering ?

  • K-Means Clustering is an unsupervised learning algorithm which groups the unlabeled dataset into different clusters.
  • ‘K’ here defines the number of pre-defined clusters that would be created in the process.
  • It is a centroid-based algorithm in which each cluster is associated with a centroid. The main aim of the algorithm is to minimize the sum of distances between each data point and the centroid of the cluster it is assigned to.
  • The algorithm takes the unlabeled dataset as input and divides it into k clusters. Points are assigned to the nearest centroid and the centroids are recomputed; the process is repeated until the cluster assignments stop changing.

What is Intrusion Detection System ?

  • An Intrusion Detection System (IDS) is a device or software application that monitors a network for malicious activity or policy violations. Any malicious activity or violation is typically reported or collected centrally using a security information and event management (SIEM) system.
  • Classification of Intrusion Detection Types includes Network intrusion detection systems (NIDS) & Host-based intrusion detection systems (HIDS).

Use Case : Network Intrusion Detection System

What is Network Intrusion Detection System ?

A network-based intrusion detection system (NIDS) detects malicious traffic on a network. NIDS usually require promiscuous network access in order to analyze all traffic, including all unicast traffic. NIDS are passive devices that do not interfere with the traffic they monitor.

The K-Means Clustering Algorithm could be used to understand the nature of attacks detected by an Intrusion Detection System. The nature of attacks includes the following:

  • Denial-of-Service (DoS) : A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or sending it information that triggers a crash.
  • Probing (Probe) : Probing attacks are an invasive method for bypassing security measures by observing the physical silicon implementation of a chip. As an invasive attack, one directly accesses the internal wires and connections of a targeted device and extracts sensitive information.
  • User-to-Root (U2R) : In a User-to-Root attack the attacker first succeeds in gaining a foothold on the remote system in the form of a user session, ideally in the form of an interactive shell or TELNET window.
  • Remote-to-Local (R2L) : A Remote to Local attack (sometimes also referred to as a Remote to User attack) is conceptually similar to the user-to-root attack but is more modest in its ultimate ambition. Such an attack is transacted when an attacker sends packets to the target host that are intended to disclose vulnerabilities that would enable the attacker to exploit a local user’s privileges.
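The following is an added example, not code from the original post: a small pure-Python K-Means (k-means++ seeding plus a few seeded restarts, keeping the lowest-inertia run) applied to a constructed set of connection records. The feature names are loosely modelled on KDD-style connection fields (duration, bytes, count, serror_rate, diff_srv_rate) and the records themselves are made up for the demonstration. It covers both the algorithm described under "What is K-Means Clustering ?" and the NIDS use case above: the ground-truth labels are never shown to the clustering and are used only afterwards, the way an analyst would inspect each cluster's centroid to decide whether it looks like normal traffic, a flood (DoS) or a scan (Probe).

```python
"""Toy K-Means over NIDS-style connection features (constructed sample data)."""
import random

# Feature names loosely modelled on KDD-style connection records (assumption).
FEATURES = ["duration", "src_bytes", "dst_bytes", "count", "serror_rate", "diff_srv_rate"]

# Constructed sample: (label, feature vector). The clustering never sees the
# label; it is kept only so the result can be inspected afterwards.
SAMPLE = [
    ("normal", [10, 1200, 4000, 2, 0.0, 0.0]),
    ("normal", [12, 1500, 5000, 3, 0.0, 0.1]),
    ("normal", [8, 900, 3500, 2, 0.0, 0.0]),
    ("normal", [15, 1300, 4500, 4, 0.0, 0.05]),
    ("dos", [0, 0, 0, 480, 0.95, 0.0]),      # SYN flood: huge count, all errors
    ("dos", [0, 0, 0, 510, 0.99, 0.0]),
    ("dos", [0, 0, 0, 450, 0.90, 0.05]),
    ("probe", [0, 40, 0, 60, 0.20, 0.90]),    # scan: many different services hit
    ("probe", [1, 40, 0, 75, 0.25, 0.95]),
    ("probe", [0, 60, 0, 50, 0.15, 0.85]),
]


def min_max_scale(rows):
    """Scale each feature into [0, 1] so byte counts do not dominate the distance."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    hi = [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(r, lo, hi)] for r in rows]


def sq_dist(a, b):
    """Squared Euclidean distance between two feature vectors."""
    return sum((x - y) ** 2 for x, y in zip(a, b))


def init_centroids(points, k, rng):
    """k-means++ seeding: each new centroid is drawn with probability ~ d^2 to the nearest existing one."""
    centroids = [list(rng.choice(points))]
    while len(centroids) < k:
        d2 = [min(sq_dist(p, c) for c in centroids) for p in points]
        r = rng.random() * sum(d2)
        acc = 0.0
        for p, d in zip(points, d2):
            acc += d
            if acc >= r:
                centroids.append(list(p))
                break
    return centroids


def kmeans_once(points, k, rng, max_iter=100):
    """One Lloyd run: assign to nearest centroid, recompute centroids, stop when assignments freeze."""
    centroids = init_centroids(points, k, rng)
    assignments = None
    for _ in range(max_iter):
        new = [min(range(k), key=lambda j: sq_dist(p, centroids[j])) for p in points]
        if new == assignments:
            break
        assignments = new
        for j in range(k):
            members = [p for p, a in zip(points, assignments) if a == j]
            if members:  # an empty cluster simply keeps its previous centroid
                centroids[j] = [sum(col) / len(members) for col in zip(*members)]
    inertia = sum(sq_dist(p, centroids[a]) for p, a in zip(points, assignments))
    return centroids, assignments, inertia


def kmeans(points, k, n_init=10, seed=0):
    """Several seeded restarts; keep the solution with the lowest inertia (sum of squared distances)."""
    rng = random.Random(seed)
    best = None
    for _ in range(n_init):
        result = kmeans_once(points, k, rng)
        if best is None or result[2] < best[2]:
            best = result
    return best


def profile_clusters(labels, assignments, k):
    """For the analyst: how many records of each ground-truth label landed in each cluster."""
    table = {j: {} for j in range(k)}
    for lab, a in zip(labels, assignments):
        table[a][lab] = table[a].get(lab, 0) + 1
    return table


def cluster_for_label(labels, assignments, label):
    """Cluster id holding the majority of records carrying the given label."""
    counts = {}
    for lab, a in zip(labels, assignments):
        if lab == label:
            counts[a] = counts.get(a, 0) + 1
    return max(counts, key=counts.get)


def dominant_features(centroid, threshold=0.5):
    """Scaled features a centroid sits high on; this is what gives a cluster its 'nature'."""
    return [name for name, v in zip(FEATURES, centroid) if v > threshold]


def run_demo(k=3):
    labels = [lab for lab, _ in SAMPLE]
    points = min_max_scale([vec for _, vec in SAMPLE])
    centroids, assignments, inertia = kmeans(points, k)
    return labels, centroids, assignments, inertia


if __name__ == "__main__":
    labels, centroids, assignments, inertia = run_demo()
    table = profile_clusters(labels, assignments, len(centroids))
    for j, c in enumerate(centroids):
        print(f"cluster {j}: dominant={dominant_features(c)} members={table[j]}")
    print(f"inertia={inertia:.3f}")
```

Note the min-max scaling step: without it, src_bytes and dst_bytes (in the thousands) would swamp rates in [0, 1] and the clusters would reflect byte volume alone. On real IDS data the restart count and choice of k (here fixed at 3 to match the three traffic types in the sample) need to be tuned, and the resulting clusters are a starting point for an analyst, not a verdict.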