ARTICLE | doi:10.20944/preprints202303.0489.v1
Subject: Computer Science And Mathematics, Software Keywords: Intuitionistic fuzzy sets; Fuzzy correlation; Fuzzy relation; -cut of a fuzzy relation; Similarity relation; Fuzzy lower and upper Approximation of sets.
Online: 28 March 2023 (12:46:08 CEST)
The challenging issues in computer networks and databases are not only intrusion detection but also the reduction of false positives and the increase of the detection rate. In any intrusion detection system, anomaly detection mainly focuses on modeling the normal behavior of users and detecting deviations from that behavior, which are assumed to be potential intrusions or threats. Several techniques have already been successfully tried for this purpose. However, normal and suspicious behavior are hard to predict, as there is no precise boundary differentiating one from the other. Here rough set theory and fuzzy set theory come into the picture. In this article, a hybrid approach based on rough set theory and intuitionistic fuzzy set theory is proposed for the detection of anomalies. The proposed approach is a classification approach that takes advantage of the softness properties of both rough and fuzzy set theory to deal with uncertainty in the dataset. The algorithm classifies the data instances in such a way that they can be expressed using natural language. The experimental results with a real-world dataset and a synthetic dataset show that the proposed algorithm has normal true positive rates of 91.989% and 96.99% and attack true positive rates of 91.289% and 96.29% respectively.
ARTICLE | doi:10.20944/preprints202303.0031.v1
Subject: Computer Science And Mathematics, Data Structures, Algorithms And Complexity Keywords: Data instances, Real time systems, k-means algorithm, Agglomerative hierarchical algorithm, Similarity measure, merge function
Online: 2 March 2023 (04:15:10 CET)
Anomaly detection in real-time data is accepted as a vital research area. Clustering has been tried effectively for this purpose. As the datasets are real-time, the time at which the data is generated is also important. In this article, we introduce a mixture of partitioning and agglomerative hierarchical approaches to detect anomalies in such datasets. It is a two-phase method which follows the partitioning approach first and then the agglomerative hierarchical approach. The dataset can have mixed attributes. In phase-1, a unified metric defined on mixed attributes is used. The same metric is also used for merging similar clusters in phase-2. We also keep track of the time attribute of each data instance, which produces the clusters with their lifetimes in phase-1. Then, in phase-2, we merge the similar clusters. While merging similar clusters, the lifetimes of the corresponding clusters with overlapping cores are superimposed, producing fuzzy time intervals. This way, each cluster has an associated fuzzy lifetime. The data instances either belonging to sparse clusters or not belonging to any of the clusters can be treated as anomalies. The efficacy of the algorithms can be established using both complexity analysis and experimental studies.