Study And Application Of Outlier Mining Algorithm In Intrusion Detection

With the fast development of the Internet, people demand urgently on technology with the ability of discovering new types of intrusion coming out endlessly. Anomaly Detection can solve this problem in theory and many technologies were developed. Data Mining Technology, a tool that can discover information and knowledge in large data set, is used many fields, including anomaly detection. There are often some data points called outliers, which are different from normal points or the pattern of data set in the real life. Identifying outliers from data set aims at researching on the small pattern of data set. In network actives, generally speaking, there are different features between attacks and normal actives, and the attacks'amount is obviously less than normal actives', so detecting attacks is researching on the small pattern of network activities. It is valuable to introduce outlier data mining to detecting attacks in theory and in practice. Because of the advantage of approaching outlier's nature, the algorithm D nk , based on distance, is used widely. Aimed at the original D nk algorithm's shortcoming, high time complexity, several algorithms such as loop-nest, based on index and based on partition etc, were improved. The algorithm based on partition with good performance is a wonderful method to detecting attacks with huge data and high dimensions. According to the partition idea, an improved algorithm is developed in this paper. Firstly, distance based clustering algorithm is used to partition the data set into many sub-data sets. Secondly the inherent features of sub-data sets are analyzed and the k-nearest neighbor distance of every point is computed. At last, defining the n top of points as the outliers according to the k-nearest neighbor distance in descending. The algorithm is simple and effective in theory and applied wonderfully to anomaly detection. Two kinds of data set from KDD CUP1999 data set are filtered in the paper. According to two attribute features, the performance is evaluated through detection rate and false alarm rate. The experimental results indicate that the algorithm is very successful in picking different types of attacks in data set based on different attribute features. Generally, the algorithm achieved good effects in intrusion detection.