
Research On Intrusion Detection With Radius Adjustable Covering Clustering Algorithm

Posted on: 2008-05-13
Degree: Master
Type: Thesis
Country: China
Candidate: Y Wu
GTID: 2178360242458968
Subject: Computer application technology

Abstract/Summary:
With the rapid development and widespread application of computer network technologies, and especially the worldwide spread of the Internet, computer and Internet technologies are continuously being innovated and upgraded. As society becomes more information-based and more dependent on computer networks, more and more network systems are exposed to the threat of attacks and intrusions. Following traditional safeguards such as firewalls and data encryption, intrusion detection is a more effective kind of security technology, used to detect and respond to malicious acts that damage target systems and resources.

Nowadays, most intrusion detection methods train IDS models on labeled datasets; however, sufficient labeled data is rarely available in advance. Labeling the collected data manually is very time-consuming and labor-intensive because of the enormous size of the datasets. Clustering-based intrusion detection methods, which take unlabeled datasets as input and then detect intrusion data, eliminate the inconvenience of labeling data manually. Compared with traditional detection methods, they have an advantage in application to a certain extent.

The advantages and disadvantages of traditional clustering methods are analyzed in detail. To improve effectiveness against anomaly attacks, the radius adjustable covering clustering algorithm (RACCA) is put forward and applied to intrusion detection. The algorithm is measured by detection rate and false alarm rate, and computer simulation experiments show that it is effective in detecting anomaly attacks.

Our main research work covers four aspects.

Firstly, based on an analysis of intrusion detection and clustering methods, approaches to intrusion detection based on clustering are discussed. Because anomalous samples can be found in an unlabeled dataset by clustering, clustering can be used to label the dataset so that data mining methods such as association rules, sequence rules and classification can mine patterns from the labeled dataset to update the rule set. Clustering can also be used directly to train a detection model on an unlabeled dataset to implement real-time intrusion detection.

Secondly, the covering clustering algorithm (CCA), which has the two characteristics of requiring no initial value selection and clustering quickly, is applied to intrusion detection, and an efficient RACCA is proposed to reduce the false alarm rate of CCA. There are two improvements: on the one hand, two adjustable parameters are added so as to change the covering radius; on the other hand, the sample point nearest to the center of gravity of all the remaining samples is chosen as the next covering center.

Thirdly, the performance of RACCA is evaluated on the KDD Cup 99 data sets. The experimental results show clearly that the false alarm rate of RACCA is lower than that of CCA.

Finally, an important attribute set was constructed by repeated experiments to reduce the attributes. The evaluation of intrusion detection based on RACCA using the important attribute set shows that the detection rate is higher and the false alarm rate is lower.
Keywords/Search Tags:network security, intrusion detection, covering clustering, detection rate, false alarm rate