
The Study Of Real-time Intrusion Detection Based On Data Mining

Posted on: 2005-02-05
Degree: Master
Type: Thesis
Country: China
Candidate: D G Yang
Full Text: PDF
GTID: 2168360125463847
Subject: Computer system architecture
Abstract/Summary:
With the development of computer networks, and of Internet techniques in particular, networks play an increasingly important role in daily life and work. As more and more sensitive information is stored and manipulated online across the nodes of this vast network, computer networks are more exposed to malicious or unauthorized actions of many kinds, and network security is becoming increasingly important. Traditional network security techniques such as IA (Identification and Authentication) and firewalls are passive defenses and can no longer satisfy the needs of network security. Intrusion detection, an active defense technique, has become another important means of protection and the second line of defense in network security, and it is now a hot research domain. Signature-based IDSs cannot be generalized to detect new attacks or attacks without known signatures. Because data mining techniques can discover new or unknown attacks in large volumes of network connection data, data mining has become a hot research domain in intrusion detection.

This dissertation focuses on intrusion detection based on data mining. The aim is to improve the detection rate and decrease the false alarm rate; the main research method is clustering analysis. Intrusion detection algorithms and a model are proposed and the corresponding simulation experiments are presented. The main work of this dissertation is summarized as follows:

(1) The basic concepts, principles, classification and development of data mining and intrusion detection are introduced, and the application background of data mining in intrusion detection is analyzed. The development and prospects of intrusion detection based on data mining are set out.

(2) The theoretical foundations of intrusion detection and data mining are analyzed, with particular emphasis on the application of clustering techniques to intrusion detection. Intrusion detection algorithms based on FCM (fuzzy C-means) and ant colony optimization clustering are proposed, and the principle and process of these algorithms are analyzed in detail. Simulation results show that the algorithms not only detect some new attacks in network connection data sets with a high detection rate and a low false alarm rate, but also adapt to more general data sets. Clustering analysis can address bottleneck problems in intrusion detection such as large data volumes and real-time requirements.

(3) Building on this background, a framework for intrusion detection based on clustering analysis and an expert system is proposed. It meets the demand for real-time detection through the clustering method and can detect new or unknown intrusions. It integrates the strengths of both misuse detection and anomaly detection to improve detection performance. First, the collected data are examined by misuse detection based on the expert system; the data in which no intrusion was detected are then passed from the data warehouse to anomaly detection using clustering analysis. When clustering analysis detects an intrusion, a signature is extracted from it and transmitted to the expert signature database, where it is finally used for misuse detection. In this way the framework converts unknown attacks into known attacks. Simulation results demonstrate that the framework improves the detection rate, decreases the false alarm rate, and satisfies the real-time requirement of clustering-based detection.
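The two-stage loop described in (3), with the FCM clustering of (2) as its anomaly stage, is illustrated below. This is an added example written for this page, not the thesis's own code or data: the four-feature record layout, the bounding-box form of the extracted signatures, the minority and separation thresholds, the deterministic FCM initialisation, and every sample record and rule are constructed assumptions. Each batch is first screened against the signature database (misuse detection); what remains is clustered with FCM, a clearly separated minority cluster is reported as an intrusion, and a signature extracted from it is added to the database so the same attack is caught at stage one in the next batch.

```python
"""Two-stage intrusion detection: signature (misuse) stage, then an FCM
anomaly stage whose findings are fed back as new signatures.
Added illustration, not code from the thesis; feature layout, thresholds,
initialisation choice and all sample records are constructed."""
from statistics import median

# Record layout (constructed): (duration, bytes_to_server, failed_logins,
# same_service_rate), every feature pre-scaled to [0, 1].
N_FEATURES = 4

def euclid(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5

def fcm(points, m=2.0, iters=40):
    """Fuzzy c-means with two clusters. Returns (centroids, u) where u[i][k]
    is the membership of point i in cluster k. Initialisation is deterministic
    (one centroid at the overall mean, one at the point farthest from it); that
    is a reproducibility choice for this example, not part of standard FCM."""
    n = len(points)
    mean = [sum(p[j] for p in points) / n for j in range(N_FEATURES)]
    centroids = [mean, list(max(points, key=lambda p: euclid(p, mean)))]
    for _ in range(iters):
        u = []
        for p in points:
            d = [max(euclid(p, c), 1e-9) for c in centroids]  # avoid divide-by-zero
            u.append([1.0 / sum((d[k] / d[l]) ** (2 / (m - 1)) for l in range(2))
                      for k in range(2)])
        centroids = []
        for k in range(2):
            w = [u[i][k] ** m for i in range(n)]
            centroids.append([sum(w[i] * points[i][j] for i in range(n)) / sum(w)
                              for j in range(N_FEATURES)])
    return centroids, u

def misuse_stage(records, signatures):
    """Stage 1: report records matching a stored signature; pass on the rest."""
    known, rest = [], []
    for rec in records:
        name = next((n for n, rule in signatures.items() if rule(rec)), None)
        (known.append((rec, name)) if name else rest.append(rec))
    return known, rest

def anomaly_stage(records, minority_frac=0.4, gap_factor=3.0):
    """Stage 2: cluster with FCM and report the smaller cluster as intrusive,
    but only if it is a clear minority AND its gap to the other cluster exceeds
    gap_factor x the typical nearest-neighbour distance. FCM always splits a
    batch in two, so the gap test is what stops purely normal traffic from
    being reported (false alarms)."""
    n = len(records)
    if n < 4:
        return []
    _, u = fcm(records)
    label = [0 if ui[0] >= ui[1] else 1 for ui in u]
    counts = [label.count(0), label.count(1)]
    small = counts.index(min(counts))
    if counts[small] == 0 or counts[small] / n > minority_frac:
        return []
    inside = [r for r, l in zip(records, label) if l == small]
    outside = [r for r, l in zip(records, label) if l != small]
    gap = min(euclid(a, b) for a in inside for b in outside)
    nn = median(min(euclid(records[i], records[j]) for j in range(n) if j != i)
                for i in range(n))
    return inside if gap > gap_factor * nn else []

def extract_signature(anomalies, margin=0.1):
    """Turn an anomalous cluster into a bounding-box rule (each feature within
    the cluster's observed range, widened by `margin`) for the misuse stage."""
    lo = [min(r[j] for r in anomalies) - margin for j in range(N_FEATURES)]
    hi = [max(r[j] for r in anomalies) + margin for j in range(N_FEATURES)]
    return lambda rec: all(lo[j] <= rec[j] <= hi[j] for j in range(N_FEATURES))

def process_batch(records, signatures):
    """Run one batch through both stages. A learned signature is added to
    `signatures` in place, so the next batch catches the same attack at stage 1."""
    known, rest = misuse_stage(records, signatures)
    anomalies = anomaly_stage(rest)
    if anomalies:
        signatures["learned_%d" % len(signatures)] = extract_signature(anomalies)
    return known, anomalies

# Constructed sample batches. Normal: moderate duration/bytes, no failed logins.
# Brute force: tiny transfers, many failed logins, one service. Flood: tiny
# duration, huge byte count (covered by the hand-written rule below).
NORMAL_1 = [(0.40, 0.45, 0.00, 0.15), (0.35, 0.50, 0.00, 0.20), (0.45, 0.40, 0.05, 0.10),
            (0.42, 0.55, 0.00, 0.18), (0.38, 0.42, 0.00, 0.12), (0.47, 0.48, 0.05, 0.22),
            (0.33, 0.38, 0.00, 0.15), (0.44, 0.52, 0.00, 0.20)]
BRUTE_1 = [(0.05, 0.08, 0.95, 0.92), (0.02, 0.05, 1.00, 0.98), (0.08, 0.03, 0.90, 0.95)]
FLOOD_1 = [(0.02, 0.98, 0.00, 0.30), (0.05, 0.95, 0.00, 0.35)]
BATCH_1 = NORMAL_1 + BRUTE_1 + FLOOD_1
NORMAL_2 = [(0.41, 0.46, 0.00, 0.16), (0.36, 0.49, 0.05, 0.19), (0.43, 0.41, 0.00, 0.11),
            (0.39, 0.55, 0.00, 0.22), (0.46, 0.44, 0.00, 0.14), (0.34, 0.39, 0.05, 0.17)]
BRUTE_2 = [(0.04, 0.06, 0.97, 0.94), (0.07, 0.02, 0.93, 0.99)]
BATCH_2 = NORMAL_2 + BRUTE_2

# The expert signature database starts with one hand-written rule (constructed).
INITIAL_SIGNATURES = {"known_flood": lambda r: r[1] > 0.9 and r[0] < 0.1}

if __name__ == "__main__":
    sigs = dict(INITIAL_SIGNATURES)
    for i, batch in enumerate((BATCH_1, BATCH_2), 1):
        known, anomalies = process_batch(batch, sigs)
        print("batch %d: %d by signature %s, %d new anomalies, signatures now %s"
              % (i, len(known), sorted({n for _, n in known}), len(anomalies), sorted(sigs)))
```

On the first batch the flood records are caught by the existing rule, the brute-force records form a small, well separated cluster and become the signature learned_1, and on the second batch that signature catches the brute-force records before clustering runs, leaving only normal traffic, which the gap check refuses to report. The box-shaped signature and the gap heuristic are deliberately simple; the point is the flow of data between the two stages, not the quality of either detector.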
Keywords/Search Tags: Intrusion Detection, Data Mining, Fuzzy C-means Clustering, Ant Colony Optimization Clustering, Expert System