# “k-means clustering” Algorithm and its Real Use-Cases in Security Domain

**👉 K-Means Clustering** is an **Unsupervised Learning algorithm** which groups an unlabeled dataset into different clusters. Here, K defines the number of pre-defined clusters that need to be created in the process: if K=2, there will be two clusters, for K=3 there will be three clusters, and so on.

K-Means Clustering is an iterative algorithm that divides the unlabeled dataset into K different clusters in such a way that each data point belongs to only one group, and the points in a group have similar properties.⚡

## How does the K-means Clustering Algorithm work?

👉 K-means is a centroid-based algorithm, or a distance-based algorithm, where we calculate the distances to assign a point to a cluster. In K-Means, each cluster is associated with a centroid.

The main objective of the K-Means algorithm is to minimize the sum of distances between the points and their respective cluster centroid.⚡

*💠 The algorithm works as follows:*

- First we initialize K points, called means, randomly.
- We assign each item to its closest mean and update that mean’s coordinates to the average of the items assigned to it so far.
- We repeat the process for a given number of iterations, and at the end we have our clusters.

# K-means Algorithm Based Network Intrusion Detection System

*👉 In this modern age, information technology (IT) plays a role in a number of different fields, and therefore security is very important to control and assist the flow of activities over the network. Intrusion detection (ID) is a kind of security management system for computers and networks. There are many approaches and methods used in ID.*

Here, we are going to discuss the full pattern recognition and machine learning algorithm performance for the four attack categories:

Denial-of-Service (DoS) attacks (deny legitimate requests to a system), Probing attacks (information gathering attacks), user-to-root (U2R) attacks (unauthorized access to the local super-user), and remote-to-local (R2L) attacks (unauthorized local access from a remote machine).⚡

Security has become a crucial issue for computer systems, and an IDS can protect our computer network. Different classification and clustering algorithms have been proposed in recent years for IDS.

**🔹Clustering** is based on distance measurements performed on objects, and groups the objects (connections, possibly intrusions) into clusters. Unlike classification, clustering is an unsupervised learning process, because there is no information about the labels of the training data. For anomaly detection, clustering and outlier analysis can be used to guide the ID model. The measure of distance or similarity plays an important role in collecting observations into homogeneous groups: similarity measures such as the Jaccard similarity and the longest common subsequence (LCS) are used to decide whether an event is normal or abnormal.
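As an added example (not code from the article), the two similarity measures named above scored against a constructed baseline session: Jaccard similarity over the *set* of commands seen, and LCS similarity (LCS length divided by the longer sequence length) over the *ordered* command sequence. The command sequences and the 0.5 alert threshold are hypothetical values chosen for illustration.

```python
from typing import Dict, List, Sequence, Set

# Constructed baseline: the ordered commands of a "known normal" session.
# Hypothetical data, not taken from any real host.
BASELINE_SESSION: List[str] = ["ls", "cd", "cat", "vim", "git", "exit"]

# Constructed sessions to score against the baseline (hypothetical).
CANDIDATE_SESSIONS: Dict[str, List[str]] = {
    "dev-session": ["cd", "ls", "vim", "git", "exit"],
    "unusual-session": ["whoami", "id", "cat", "ls", "sudo", "exit"],
}

ALERT_THRESHOLD = 0.5  # assumed cut-off: below this, the session is flagged


def jaccard(a: Set[str], b: Set[str]) -> float:
    """|A ∩ B| / |A ∪ B|; two empty sets are treated as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def lcs_length(a: Sequence[str], b: Sequence[str]) -> int:
    """Length of the longest common subsequence (order preserved, gaps allowed),
    computed with the classic dynamic programme using two rows of memory."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0] * (len(b) + 1)
        for j, y in enumerate(b, start=1):
            cur[j] = prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1])
        prev = cur
    return prev[-1]


def lcs_similarity(a: Sequence[str], b: Sequence[str]) -> float:
    """Normalise LCS length by the longer sequence so the score lies in [0, 1]."""
    if not a and not b:
        return 1.0
    return lcs_length(a, b) / max(len(a), len(b))


def score_sessions(baseline: Sequence[str],
                   sessions: Dict[str, List[str]],
                   threshold: float = ALERT_THRESHOLD) -> Dict[str, dict]:
    """Score every session against the baseline with both measures and flag it
    when either similarity falls below the threshold."""
    base_set = set(baseline)
    report = {}
    for name, seq in sessions.items():
        j = jaccard(base_set, set(seq))
        l = lcs_similarity(baseline, seq)
        report[name] = {
            "jaccard": round(j, 4),
            "lcs": round(l, 4),
            "flagged": j < threshold or l < threshold,
        }
    return report


if __name__ == "__main__":
    for name, row in score_sessions(BASELINE_SESSION, CANDIDATE_SESSIONS).items():
        print(f"{name:16s} jaccard={row['jaccard']:.3f} lcs={row['lcs']:.3f} flagged={row['flagged']}")
```

Jaccard ignores order (a reordered session scores highly), while LCS penalises reordering; scoring with both makes the flag depend on which commands appear and on the order they appear in.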

**🔹Euclidean distance** between two vectors X and Y in n-dimensional Euclidean space is the most widely used distance measure for vector spaces. It is defined as the square root of the sum of the squared differences over the same vector dimensions: d(X, Y) = sqrt( (x1 − y1)² + (x2 − y2)² + … + (xn − yn)² ). Finally, clustering and classification algorithms need to scale well enough to handle the high dimensionality and heterogeneity of network data.

We use the **K-means algorithm** to cluster dataset connections. The K-means algorithm is one of the most widely recognized clustering tools. **K-means groups the data in accordance with their feature values into a user-specified number K of distinct clusters. Data categorized into the same cluster have similar feature values.** K, the positive integer denoting the number of clusters, needs to be provided in advance. The steps involved in the K-means algorithm are as follows:

1. K points are placed into the space represented by the data to be clustered. These points denote the initial group centroids.

2. Each data point is assigned to the group whose centroid is closest to it.

3. The positions of all K centroids are recalculated as soon as all the data points have been assigned.

4. Repeat steps 2 and 3 until the centroids no longer change.

This results in a partition of the data into groups. The partition of the preprocessed dataset is performed using the K-means algorithm with K = 5, because the dataset (taken here as an example; any comparable dataset would do) contains normal connections and the 4 attack categories DoS, Probe, U2R and R2L.⚡
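The following is an added example, not the article's own code, implementing the steps above (and the three-bullet description in the first section) from scratch: place K centroids, assign every record to its closest centroid by Euclidean distance, recompute each centroid as the mean of its members, and stop when no centroid moves. The connection records are constructed, hypothetical feature rows (duration, bytes sent, bytes received, connections in the last two seconds) that fall into three obvious behaviours; the min-max scaling step and the deterministic farthest-point seeding are additions of this example, not part of the article's procedure.

```python
import math
from typing import List, Sequence, Tuple

Vector = Tuple[float, ...]

# Constructed sample records (NOT real traffic), one row per connection:
# (duration_s, src_bytes, dst_bytes, connections_in_last_2s).
# Hypothetical rows forming three behaviours: short web-like sessions,
# a zero-byte connection flood, and long bulk transfers.
CONNECTIONS: List[Vector] = [
    (1, 300, 2000, 5),          # web-like
    (0, 0, 0, 500),             # flood
    (600, 1_000_000, 500, 1),   # bulk transfer
    (2, 350, 2100, 6),          # web-like
    (0, 0, 0, 480),             # flood
    (650, 1_200_000, 600, 2),   # bulk transfer
    (1, 280, 1900, 4),          # web-like
    (0, 0, 0, 510),             # flood
    (580, 900_000, 450, 1),     # bulk transfer
    (3, 320, 2200, 7),          # web-like
    (0, 10, 0, 495),            # flood
]


def euclidean(x: Vector, y: Vector) -> float:
    """Square root of the sum of squared per-dimension differences."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, y)))


def min_max_scale(rows: Sequence[Vector]) -> List[Vector]:
    """Scale every feature to [0, 1]. Added here because raw byte counts would
    otherwise dominate the distance over duration and connection counts."""
    dims = len(rows[0])
    lo = [min(r[d] for r in rows) for d in range(dims)]
    hi = [max(r[d] for r in rows) for d in range(dims)]
    return [tuple((r[d] - lo[d]) / (hi[d] - lo[d]) if hi[d] > lo[d] else 0.0
                  for d in range(dims)) for r in rows]


def init_centroids(rows: Sequence[Vector], k: int) -> List[Vector]:
    """Step 1. Deterministic farthest-point seeding (this example's choice, the
    article says the K points are placed into the space): start from the first
    row, then repeatedly take the row farthest from its nearest centroid."""
    centroids = [rows[0]]
    while len(centroids) < k:
        centroids.append(max(rows, key=lambda r: min(euclidean(r, c) for c in centroids)))
    return centroids


def mean_of(rows: Sequence[Vector]) -> Vector:
    dims = len(rows[0])
    return tuple(sum(r[d] for r in rows) / len(rows) for d in range(dims))


def kmeans(rows: Sequence[Vector], k: int, max_iter: int = 100) -> Tuple[List[int], List[Vector]]:
    """Steps 2-4: assign each row to the closest centroid, recompute centroids
    as member means, repeat until the centroids are unchanged."""
    centroids = init_centroids(rows, k)
    labels = [0] * len(rows)
    for _ in range(max_iter):
        labels = [min(range(k), key=lambda j: euclidean(r, centroids[j])) for r in rows]
        new_centroids = []
        for j in range(k):
            members = [r for r, lab in zip(rows, labels) if lab == j]
            new_centroids.append(mean_of(members) if members else centroids[j])  # keep an empty cluster's centroid
        if new_centroids == centroids:
            break
        centroids = new_centroids
    return labels, centroids


def inertia(rows: Sequence[Vector], labels: Sequence[int], centroids: Sequence[Vector]) -> float:
    """The objective K-means minimises: sum of squared distances of every row
    to its assigned centroid."""
    return sum(euclidean(r, centroids[lab]) ** 2 for r, lab in zip(rows, labels))


def cluster_connections(k: int = 3) -> Tuple[List[int], List[Vector], float]:
    scaled = min_max_scale(CONNECTIONS)
    labels, centroids = kmeans(scaled, k)
    return labels, centroids, inertia(scaled, labels, centroids)


if __name__ == "__main__":
    labels, centroids, cost = cluster_connections(3)
    for row, lab in zip(CONNECTIONS, labels):
        print(f"cluster {lab}: {row}")
    print(f"inertia = {cost:.4f}")
```

Note that the cluster ids are arbitrary: K-means only says which connections behave alike, it does not say which cluster is "DoS" or "normal". Attaching a meaning to a cluster still needs labelled data or an analyst, which is why the article follows clustering with a supervised classifier.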

# CONCLUSION

The above is a comparative analysis of a hybrid machine learning technique to detect Denial of Service (DoS) attacks, Probing (Probe) attacks, User-to-Root (U2R) attacks and Remote-to-Local (R2L) attacks. We can find the similar nature of an attack group by using the K-means algorithm, and then we use the Random Forest algorithm to classify normal and attack connections.✨

k-means can typically be applied to data that has a smaller number of dimensions, is numeric, and is continuous. Think of a scenario in which you want to make groups of similar things from a randomly distributed collection of things; k-means is very suitable for such scenarios.

Future work includes analyzing other data mining algorithms for classifying attack categories, and evaluating how the approach performs on other real-time environment datasets.

In this article, I have discussed some use-cases of k-means clustering🎲 in the security domain. I hope you enjoyed reading this article; connect with me on LinkedIn for more such technical concepts and tasks.⚡

Thank you🌻