Networks of many kinds experience anomalous behavior: attacks or unusually large data transfers in IP networks, the presence of intruders in distributed video surveillance systems, or an accident or unexpected congestion in a road network. System administrators can attempt to prevent such attacks using intrusion detection tools and systems, and many Intrusion Detection Systems (IDSs) are commercially available. However, most IDSs cannot detect novel or previously unknown attacks. A special class of IDSs, called Anomaly Detection Systems, builds a model of normal system or network behavior so that both known and unknown attacks can be detected as deviations from that model. Anomaly detection systems face several problems, including a high false-alarm rate, the need to operate in online mode, and scalability. This paper presents a selective survey of incremental approaches for detecting anomalies in normal system or network traffic.
Keywords: Anomaly Detection, Incremental, Attack, Clustering.
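To make the idea of an incremental, normal-behavior model concrete, the following is an added illustration written for this page, not code from the survey or from any system it reviews. It keeps a small set of cluster summaries (count and linear sum, so each record is folded in at O(d) cost and never stored), trusts a short warm-up of records as normal, and afterwards flags any record farther than a threshold from every known cluster; flagged records are never absorbed, so the baseline cannot drift toward attack traffic. The feature vectors, scaling and threshold are constructed assumptions.

```python
import math
from dataclasses import dataclass


@dataclass
class Cluster:
    """Compact summary of one region of normal traffic: record count and linear sum.
    Adding a record updates both in O(d) without retaining the record itself."""
    n: int
    ls: list

    def centroid(self):
        return [v / self.n for v in self.ls]

    def add(self, x):
        self.n += 1
        self.ls = [a + b for a, b in zip(self.ls, x)]


def dist(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


class IncrementalDetector:
    def __init__(self, threshold, warmup):
        self.threshold = threshold  # max distance to a normal cluster before alarm
        self.warmup = warmup        # leading records trusted as normal (bootstrap)
        self.seen = 0
        self.clusters = []

    def observe(self, x):
        """Return True if x is anomalous. Normal records refine the model; anomalies never do."""
        self.seen += 1
        nearest = min(self.clusters, key=lambda c: dist(c.centroid(), x), default=None)
        if nearest is not None and dist(nearest.centroid(), x) <= self.threshold:
            nearest.add(x)
            return False
        if self.seen <= self.warmup:  # still bootstrapping: open a new normal cluster
            self.clusters.append(Cluster(1, list(x)))
            return False
        return True


# Constructed, pre-scaled connection records: [duration, bytes_out, bytes_in], each in [0, 1]
EVENTS = [
    [0.10, 0.20, 0.30], [0.12, 0.22, 0.28], [0.09, 0.18, 0.33], [0.11, 0.21, 0.30],
    [0.50, 0.10, 0.10], [0.52, 0.12, 0.08],  # second normal profile (short lookups)
    [0.10, 0.19, 0.31],
    [0.10, 0.95, 0.05],  # large outbound transfer: far from every normal cluster
    [0.51, 0.11, 0.09],
    [0.05, 0.05, 0.95],  # large inbound transfer
]


def run_stream(events, threshold=0.15, warmup=6):
    """Process a record stream; return (indices flagged as anomalous, final detector)."""
    det = IncrementalDetector(threshold, warmup)
    flagged = [i for i, x in enumerate(events) if det.observe(x)]
    return flagged, det


if __name__ == "__main__":
    print(run_stream(EVENTS)[0])  # [7, 9]
```

The threshold trades false alarms against missed attacks, which is exactly the tuning problem the abstract names; a threshold large enough to swallow the two transfers above would flag nothing.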