
Study On The Network Intrusion Detection Approach Based On Kernel Clustering And Sequence Analysis

Posted on: 2006-10-15
Degree: Master
Type: Thesis
Country: China
Candidate: C Luo
Full Text: PDF
GTID: 2168360152994364
Subject: Computer application technology

Abstract/Summary:
Intrusion detection discovers intrusion behaviour from the traces and rules left by an intruder, so it is an active component of any critical network security mechanism. Applying data-mining-based intrusion detection techniques, this thesis studies a network intrusion detection approach based on kernel clustering and sequence analysis. Kernel clustering is unsupervised, and sequence analysis readily captures the characteristics of dense attacks that often occur within a short period. Combining kernel clustering with sequential pattern mining does not require ensuring a particular ratio of normal to exceptional data in each training set. DoS attacks and attacks that appear infrequently can be detected efficiently by the presented technique.

Firstly, a network intrusion detection approach is designed using kernel clustering. By means of a kernel function, the input space is mapped to a high-dimensional feature space in which the data are expected to be more separable; the initial centroids in the feature space are selected with the KRA algorithm, and after kk-means clustering the large and small clusters are partitioned and outliers are split off from the large clusters iteratively. As a result, the audit data are clustered better.

Secondly, the closed sequential pattern mining algorithm CloSpan is improved with constraints composed of axis properties and reference properties. During pattern mining, sequence location information tables are used in I-extension and S-extension, and the locally frequent itemsets of the postfix are obtained at the same time. This method does not need to generate the prefix-projected database of the sequence.

Based on kernel clustering and closed sequential pattern mining, two intrusion detection methods are proposed. The first labels the small anomaly clusters directly after kernel clustering, applies closed sequential pattern mining to the large clusters in order to detect DoS attacks within them, and then labels the large clusters as normal or anomalous. The second trains on multiple sample sets: after kernel clustering on each sample set, closed sequential patterns are mined from every cluster, and the resulting cluster patterns are matched against those obtained from the previous training round to judge the similarity of the clusters. Finally, each cluster is labelled based on its rarity. Experimental results show that the presented techniques achieve a high detection rate and a low false-positive rate in the network detection system.
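As an added illustration (not the thesis's own code), the following pure-Python kernel k-means clusters constructed connection records in an RBF feature space and then applies the rarity rule from the first method: clusters holding few records are labelled anomaly clusters outright, while the large ones would be passed on to sequential pattern mining. The explicit seed indices stand in for KRA centroid selection, and the RBF kernel, the 20% size threshold and the sample records are all assumptions.

```python
import math

def rbf_kernel(x, y, gamma=1.0):
    """RBF kernel: implicitly maps records into a high-dimensional feature space."""
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(x, y)))

def kernel_kmeans(points, seeds, gamma=1.0, max_iter=100):
    """Kernel k-means; returns the cluster index of every point. `seeds` are the indices
    of the initial centroids (the thesis picks them with KRA; here they are given)."""
    n, k = len(points), len(seeds)
    K = [[rbf_kernel(points[i], points[j], gamma) for j in range(n)] for i in range(n)]
    # Initial assignment: nearest seed, with distances measured in the feature space.
    labels = [min(range(k), key=lambda c: K[i][i] - 2 * K[i][seeds[c]] + K[seeds[c]][seeds[c]])
              for i in range(n)]
    for _ in range(max_iter):
        members = [[j for j in range(n) if labels[j] == c] for c in range(k)]
        # Squared distance phi(x_i) -> cluster mean: K_ii - (2/m) sum_j K_ij + (1/m^2) sum_jl K_jl
        within = [sum(K[j][l] for j in mem for l in mem) / len(mem) ** 2 if mem else None
                  for mem in members]
        new = []
        for i in range(n):
            best, best_d = labels[i], float("inf")
            for c, mem in enumerate(members):
                if mem:
                    d = K[i][i] - 2 * sum(K[i][j] for j in mem) / len(mem) + within[c]
                    if d < best_d:
                        best, best_d = c, d
            new.append(best)
        if new == labels:
            break
        labels = new
    return labels

def label_clusters(labels, small_fraction=0.2):
    """Clusters holding fewer than small_fraction of all records are labelled anomaly
    clusters outright; the large ones would go on to sequential pattern mining."""
    sizes = {c: labels.count(c) for c in set(labels)}
    return {c: ("anomaly" if s < small_fraction * len(labels) else "large")
            for c, s in sorted(sizes.items())}

# Constructed sample records: (duration, bytes, connection count), pre-scaled.
RECORDS = ([(0.10 + 0.01 * i, 0.20, 0.05) for i in range(6)]    # short web-like connections
           + [(0.80, 0.90 + 0.01 * i, 0.10) for i in range(6)]  # bulk transfers
           + [(3.50, 0.02, 4.0), (3.60, 0.03, 4.1)])            # two rare, unusual records

def detect(records, seeds):
    """Return (per-record cluster index, per-cluster label)."""
    labels = kernel_kmeans(records, seeds)
    return labels, label_clusters(labels)
```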
Keywords/Search Tags: intrusion detection, kernel clustering, outlier splitting, sequential pattern mining, approximate string matching