Research Of Anomaly Intrusion Detection Method Based On Clustering Algorithm

Posted on: 2012-06-14
Degree: Master
Type: Thesis
Country: China
Candidate: S S Fu
GTID: 2218330374953569
Subject: Computer application technology
Abstract/Summary:
With the rapid development of information technology and the further spread of the Internet, network technology is now used in every aspect of daily life and production, greatly promoting social productivity. At the same time, network attacks and the damage they cause keep increasing, so network security is becoming more and more important.

Intrusion detection is a security mechanism that dynamically monitors for, prevents and resists intrusions, and it effectively compensates for the shortcomings of traditional security technology. An anomaly intrusion detection method based on a clustering algorithm can train on unlabeled collected data to build a model of normal behavior and then detect intrusions. It requires no prior knowledge and may detect new, unknown intrusions. It therefore has very good prospects, and research in this area is currently very active.

This thesis first introduces intrusion detection technology and the concepts and background of cluster analysis. It then reviews the current state and development, in China and abroad, of clustering-based anomaly detection, pointing out that it is a kind of unsupervised anomaly detection. Finally, to address the shortcomings of current unsupervised detection techniques, it proposes an unsupervised anomaly detection algorithm based on the ideas of density and gravity. The algorithm can be trained on unlabeled data and detect intrusions in it, and it effectively detects unknown intrusions. Because network data has mixed attributes, the whole data space is divided into two subspaces, one for categorical attributes and one for numerical attributes; the distance in the data space is correspondingly divided into two sub-distances, and each of these distances is defined.
The main idea of the algorithm is as follows. First, an efficient density clustering algorithm clusters the training set, producing a certain number of clusters. On this basis, the magnitude of the gravitational force between clusters is used as the measure of cluster similarity: the force between every pair of clusters is calculated to obtain a similarity matrix, and two clusters are then selected for merging according to their similarity value. The overall difference degree serves as the clustering quality criterion: if the overall difference degree of the new cluster produced by merging the two clusters is less than that of one of the two clusters before the merger, the two clusters are merged and the similarity matrix is updated; otherwise they are not merged. Then, on the assumption that normal behavior is far more numerous than intrusions, the resulting clusters are labeled as normal or intrusion. Finally, the detection algorithm is used to detect the data in the test set.

The unsupervised clustering anomaly detection algorithm based on density and gravity consists of five modules: the density clustering module, the gravity-based block merging module, the noise processing module, the labeling module and the detection module. The merging algorithm, which aims to effectively reduce the block error rate, is the core module. Algorithm analysis and experimental results show that the algorithm has a high detection rate, can effectively detect unknown attacks and, in particular, can significantly reduce the false alarm rate.
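The merge, label and detect steps described above, as an added Python sketch that is not the thesis's own code. The abstract gives no formulas, so the gravity measure (product of cluster sizes over squared centroid distance), the overall difference degree (mean distance to the centroid), the `min_share` and `max_dist` thresholds, the numeric-only features and the starting fragments (standing in for the density clustering output) are all assumptions.

```python
import math
from itertools import combinations

def centroid(c):
    return tuple(sum(col) / len(c) for col in zip(*c))

def spread(c):
    # Assumed "overall difference degree": mean member-to-centroid distance.
    mu = centroid(c)
    return sum(math.dist(p, mu) for p in c) / len(c)

def gravity(a, b):
    # Assumed similarity: size(a) * size(b) / squared centroid distance.
    d2 = math.dist(centroid(a), centroid(b)) ** 2
    return math.inf if d2 == 0 else len(a) * len(b) / d2

def merge_clusters(clusters):
    # Strongest attraction first; merge only if the union is tighter than a parent.
    clusters = [list(c) for c in clusters]
    merged = True
    while merged and len(clusters) > 1:
        merged = False
        pairs = sorted(combinations(range(len(clusters)), 2), reverse=True,
                       key=lambda ij: gravity(clusters[ij[0]], clusters[ij[1]]))
        for i, j in pairs:
            union = clusters[i] + clusters[j]
            if spread(union) < max(spread(clusters[i]), spread(clusters[j])):
                clusters = [c for k, c in enumerate(clusters) if k not in (i, j)]
                clusters.append(union)
                merged = True
                break
    return clusters

def label_clusters(clusters, min_share=0.5):
    # Normal records are assumed to dominate, so big clusters are "normal".
    total = sum(len(c) for c in clusters)
    return [(centroid(c), "normal" if len(c) / total >= min_share else "intrusion")
            for c in clusters]

def detect(record, model, max_dist=5.0):
    # Nearest centroid decides; records far from every cluster are intrusions.
    mu, label = min(model, key=lambda m: math.dist(record, m[0]))
    return label if math.dist(record, mu) <= max_dist else "intrusion"

# Constructed data: a normal blob split in two, plus a small intrusion cluster.
FRAGMENTS = [[(0, 0), (4, 0), (0, 4), (4, 4)],
             [(2, 2), (2, 3), (3, 2), (1, 2), (2, 1)],
             [(20, 20), (21, 20), (20, 21)]]
MODEL = label_clusters(merge_clusters(FRAGMENTS))
```

The two fragments of the normal blob merge because their union is tighter than the wider fragment, while merging in the distant intrusion cluster would raise the difference degree and is rejected.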
Keywords/Search Tags:Intrusion detection, Clustering algorithm, Unsupervised anomaly detection, Merging algorithm