
Research Of Network Intrusion Detection Based On Data Mining

Posted on: 2014-07-31
Degree: Master
Type: Thesis
Country: China
Candidate: Z Y Xiang
GTID: 2268330401973675
Subject: Computer application technology

Abstract/Summary:
The volume of network data and the data rate on the Internet are both rising every day, and new types of network intrusion continue to emerge. As a result, intrusion detection needs higher accuracy and efficiency together with a lower requirement for expert labeling. Among the existing detection methods, unsupervised methods are often low in accuracy and efficiency, but they remain valuable because they can function without expert labeling. Supervised and semi-supervised methods are already high in accuracy and efficiency, but they can still be improved. This research addresses all three kinds of detection method, unsupervised, supervised and semi-supervised, to boost their accuracy and efficiency.

(1) For unsupervised intrusion detection, we use topology learning. First, data reduction is employed to reduce the number of samples present in the clustering process. Second, we train an improved SOINN (ISOINN) on the reduced samples. Third, the cluster centers are labeled: those in the most populated group as normal, the others as intrusion. After labeling, a nearest neighbor classifier is generated. Experimental results show that the proposed method achieves a high detection rate and a fast training rate.

(2) For supervised intrusion detection, a method based on prototype learning is presented. ISOINN is first trained separately on normal data and intrusion data. Then the cluster centers form the nearest neighbor classifier. Considering that topology information is not used in the detection scenario, a simplified SOINN (SSOINN) is proposed to increase the training speed while maintaining useful information. To further boost accuracy, a multi-view detection method is proposed. Experimental results show that SSOINN is more efficient; however, the false alarm rate of the multi-view prototype learning detection method is too high.

(3) For semi-supervised intrusion detection, we propose a detection method based on clustering. First, clustering is run on labeled normal data and unlabeled data. Then two labeling methods are proposed for labeling the cluster centers: one is direct labeling under a user-defined false alarm constraint, and the other is based on nearest neighbor data description (NNDD). Experimental results show that semi-supervised detection based on k-means and direct labeling shows high accuracy. Semi-supervised detection based on SSOINN and direct labeling shows a high detection rate when detecting R2L attacks. However, the false alarm rate of the detection methods using NNDD is too high.
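The labeling and classification steps of the unsupervised method in item (1), as an added example that is not code from the thesis. Assumptions: plain k-means stands in for ISOINN, each cluster is treated as its own group, the data reduction step is omitted, and the two-feature samples and all function names are constructed for illustration.

```python
# Added illustration; plain k-means is a stand-in for the thesis's ISOINN.
import math

def nearest(p, centers):
    """Index of the center closest to point p."""
    return min(range(len(centers)), key=lambda i: math.dist(p, centers[i]))

def kmeans(points, k, iters=20):
    """Deterministic k-means: farthest-point init, then Lloyd updates."""
    centers = [points[0]]
    while len(centers) < k:
        centers.append(max(points, key=lambda p: min(math.dist(p, c) for c in centers)))
    for _ in range(iters):
        groups = [[] for _ in centers]
        for p in points:
            groups[nearest(p, centers)].append(p)
        # Move each center to the mean of its members; keep empty ones in place.
        centers = [tuple(sum(col) / len(g) for col in zip(*g)) if g else c
                   for g, c in zip(groups, centers)]
    counts = [0] * k
    for p in points:
        counts[nearest(p, centers)] += 1
    return centers, counts

def train(points, k):
    """Label the most populated cluster 'normal', every other one 'intrusion'."""
    centers, counts = kmeans(points, k)
    normal = counts.index(max(counts))
    return [(c, "normal" if i == normal else "intrusion") for i, c in enumerate(centers)]

def classify(model, x):
    """Nearest neighbor classification against the labeled cluster centers."""
    return min(model, key=lambda m: math.dist(x, m[0]))[1]

# Constructed two-feature samples (not data from the thesis).
NORMAL = [(1.0, 1.0), (1.2, 0.9), (0.8, 1.1), (1.1, 1.3),
          (0.9, 0.7), (1.3, 1.0), (0.7, 0.9), (1.0, 1.2)]
SCAN = [(8.0, 8.2), (8.3, 7.9), (7.8, 8.1)]
FLOOD = [(1.0, 9.0), (1.2, 9.3)]
MODEL = train(NORMAL + SCAN + FLOOD, k=3)

if __name__ == "__main__":
    for x in [(1.1, 1.0), (8.0, 8.0), (1.1, 9.1)]:
        print(x, classify(MODEL, x))
```

The labeling rule depends on normal traffic being the majority of the training data; if one attack class dominates the capture, its cluster is the one labeled normal.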
Keywords/Search Tags: Data Mining, Intrusion Detection, Online Clustering, Semi-Supervised Learning, SOINN