Research On Intrusion Detection Techniques Based On Unsupervised Neural Networks

With the development of computer networks especially the Internet techniques, networks are playing more and more important roles in our daily life as well as study and work. As computer networks grow rapidly, more and more sensitive information is being stored online, networks are more vulnerable to miscellaneously malicious or unauthorized actions, the confidentiality, integrity and availability of information can't be assured. So network security is becoming increasingly important. The traditional network security techniques, which are passively defensive, such as access control, firewall and so on, can't meet the need of network security completely. The intrusion detection systems , which are active defense systems and the second defense walls in network security, integrate detection, record, alarm, response. They can not only detect intrusion from the outside networks, but also monitor the unauthorized activities from the users in the inside networks. Nowadays, intrusion detection has become a hot point domain of research in computer network securityIntrusion detection systems can be classified misuse detection systems and abnormal detection systems depending on how they analyse data. Misuse detection systems can't detect new attacks or attacks without known signatures. In recent years, intrusion detection systems based on data mining are trained using purely clean data sets without attacks,then rule sets that reflect normal behaviors are created, whether attacks exist or not can be judged according to the deviation degrees between the current behaviors and normal behavior rule sets,this method can detect new or unkown attacks,however, purely clean training data in practical network environments are difficult to obtain ,which makes its cost higher. What's more, if the data contain some intrusions buried within the training data, the algorithm may not detect future instances of these attacks because it will assume that they are normal. In contrast, intrusion detection system based on unsupervised neural networks presented in this dissertation defines normal clustering without the labeled training data.So it can detect new or unknown attack without priori knowledge.This dissertation mainly focuses on intrusion detection based on unsupervised neural networks. The aim is to enhance the effectiveness for unknown intrusion detection, three sorts of network intrusion detection algorithms and models mainly using clustering analysis are proposed which are measured by the detection rate and the false positive rate, and the corresponding computer simulation experiments are provided. The main works of this dissertation are summarized as follows: (1) The basic concepts, principles, classification and development of intrusion detection techniques and neural networks are introduced, and the classification of intrusion detection based on neural networks is analyzed. The models and its advantages of intrusion detection based on unsupervised neural networks are proposed.(2) After the introduction to the principles of Self-Organizing Feature Map (SOFM), network intrusion detection based on SOFM is presented, and the corresponding detection procedure and algorithm are designed. When KDD Cup 99 intrusion evaluation datasets are used, 41 dimension features that can reflect the relations of many data are chosen, which makes intrusion detection system detect the attacks buried within the connections of many data. Computer simulation experimental results illustrate this new algorithm has high detection rate and low false positive rate.(3) Adaptive Resonance Theory (ART) which can solve "the dilemma of stability and plasticity" is a kind of unsupervised learning algorithms, So it is suitable for stationary and dynamic environments, it is one of the ideal dynamic clustering algorithms. The dissertation presents a new intrusion detection system based on modified ART-2 neural network, which adopts new non-linear transfer function and competitive learning algorithm to solve the problem that the same phasic data with different amplitude can't be distinguished by the standard ART-2 neural network and make it more suitable for intrusion detection system. It can raise the accuracy of detection and the ability to adaptively detect unknown intrusions.(4) The Improved Fuzzy ART (IFART) algorithm, which can effectively avoid "saturation" phenomenon existing classic Fuzzy ART and reduce computational complexity, is presented. Computer network security has the feature of fuzziness, and many numerical attribute feautures included in intrusion detection may lead to "hard edge problems", which may generate false positive errors and false negative errors. To avoid the aforementioned drawbacks, the intrusion detection algorithm based on the Improved Fuzzy ART is presented. Computer simulation results illustrate that the improved algorithm can not only detect new attacks, but also it has high detection rate and low false positive rate ,which shows the improved algorithm is feasible and effective.