Confronted with the rapidly increasing demands for network security, the intrusion detection systems are causing more and more attention of people. Current intrusion detection systems show disadvantages on these respects such as the detection rate, real-time performance and the extensibility, and thus can hardly deal with large scale data. The algorithm of non-negative matrix factorization is good at extracting key features from large scale data, finding hidden variables from visual variables and reducing the dimension of data. So it is appropriate to process large scale of data. And therefore non-negative matrix factorization is introduced to the field of intrusion detection. A new method is provided to solve the problem of processing large scale of high dimension data in real time.Anomaly detection, which is capable to detect unknown attack, is the future direction of intrusion detection technique. The difficulty of anomaly detection is how to extract features from large amount of redundant infomation which is generated by computer system, in order to build a model that is not only full of feature but also easy to deal with. This paper starts at modeling program behaviour. Two typical methods are analysed which respectly only take use of one of the attributes of characteristics of time order and frequency. A new method of feature extraction is developed to take advantage of both methods in order to detect intrusions more accurately.The reason why the method of data preprocessing does work relys on the power of the algorithm of non-negative matrix factorization to process large scale of data. The rationale of non-negative matrix factorization is explained. And the instance of application on the facial image recognization is discussed to state that this algorithm has the great capability of feature extraction and dimension reduce, and is especially appropriate to process large scale of data. The feasibility to apply the algorithm of non-negative matrix factorization on intrusion detection is demonstrated. And a model of intrusion detection system is designed based on this theory. In this model, the problem of intrusion detection is converted to outlier detection of vectors. The advantage of dimension reduce of non-negative matrix factorization is taken to extract features and compact data. Points in high dimension space are projected to low dimension space, and the problem becomes the outlier detection in the low dimension space. Preliminary experiments are done and the results are reported. |