
Clustering and classification algorithm for computer intrusion detection

Posted on: 2002-03-11
Degree: Ph.D
Type: Dissertation
University: Arizona State University
Candidate: Li, Xiangyang
Full Text: PDF
GTID: 1468390011991735
Subject: Engineering
Abstract/Summary:
As an important part of information security, computer intrusion detection is used to capture malicious activities occurring in computer network systems. Intrusion detection techniques fall into two general categories: anomaly detection and signature recognition, which complement each other. This research focuses on signature recognition techniques for intrusion detection. Intrusion detection data is very complex and has many attributes. Many existing signature recognition techniques for intrusion detection cannot handle huge amounts of complex data from computer network systems to detect intrusions in an automatic, scalable and incremental manner.

This research proposes a scalable data mining algorithm, Clustering and Classification Algorithm - Supervised (CCA-S), for automatically and incrementally learning intrusion signatures that are then used to detect intrusions. An extension of CCA-S, called CCA-S Extended (CCA-SE), is used for processing data sets whose records have both numeric and nominal attributes. In training, based on distance and target class of the data points of normal and intrusive activities, these algorithms perform supervised clustering to group training data points into clusters. The produced clusters are used in classification to predict the target class of testing data points. Several post-processing techniques, including redistribution and a special hierarchical clustering method, are used to improve the robustness and prediction accuracy. The two algorithms are tested on two large data sets for intrusion detection, respectively. The prediction accuracy, scalability and robustness of the algorithms are analyzed and compared with those of other data mining techniques. The computation cost of the two algorithms is linear in the number of data records, while the prediction accuracy is comparable to other popular data mining algorithms and robust to the input order and noise of the training data points. The testing results demonstrate the promising performance of CCA-S and CCA-SE for intrusion detection.
Keywords/Search Tags:Intrusion detection, Data, Computer, CCA-S, Clustering, Used, Classification, Algorithm