Research On Model Of Distributed Intrusion Detection System Base On SOM And K-Means

Posted on: 2010-01-28
Degree: Master
Type: Thesis
Country: China
Candidate: Z Yuan
GTID: 2178360278475595
Subject: Computer application technology

Abstract/Summary:
As an important and active security mechanism, intrusion detection reinforces traditional system security mechanisms. Based on a study of existing Intrusion Detection Systems (IDS), this paper puts forward a multi-agent model of IDS. The communication method between agents in this model can adapt to a heterogeneous network environment. To improve the detection algorithm, we also introduce an improved SOM neural network, which can improve the detection rate of the IDS.

The IDS model in this paper includes the following agents: Sentry Agent, Analysis Agent, Response Agent and Network Agent. They are respectively responsible for data collection, intrusion detection, intrusion response, and management. To make communication between agents feasible in a heterogeneous network environment, we use XML and OpenJMS: before the agents communicate with each other, the data is converted to a uniform format, XML, and the agents then exchange it through the third-party open source software OpenJMS.

Before detection is run on the collected data, the features of the data must be standardized. Following the KDD CUP'99 standard, we extract 41-dimensional features from the collected network data and encode the features as numerical values so that they can be processed by the neural network.

The detection algorithm is an important part of an IDS. This paper puts forward a new algorithm combining the SOM neural network and K-Means. Traditional SOM cannot provide precise clustering information, while traditional K-Means depends heavily on its initial values. To overcome both defects, we combine the two: SOM first clusters the features roughly, the result serves as the initial clusters for K-Means, and K-Means then refines the clustering obtained in the SOM stage. The combined algorithm overcomes the defects of both methods and combines their advantages.

Finally, we use the KDD CUP'99 data source to test the performance of this algorithm. The experiments show that applying the improved algorithm can obviously improve the detection rate of the IDS and correspondingly reduce the false rate.
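The two-stage clustering described in the abstract, as an added sketch that is not the thesis's own code: a small 1-D SOM produces coarse centers, which then seed K-Means. The function names, the SOM parameters and the constructed 2-D sample (standing in for the 41 encoded KDD CUP'99 features) are all assumptions.

```python
import random

def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def nearest(p, centers):
    return min(range(len(centers)), key=lambda i: dist2(p, centers[i]))

def sse(data, centers):
    """Sum of squared distances from each point to its nearest center."""
    return sum(dist2(p, centers[nearest(p, centers)]) for p in data)

def train_som(data, k, epochs=30, seed=0):
    """Coarse stage: 1-D SOM (a chain of k units) trained online."""
    rng = random.Random(seed)
    units = [list(p) for p in rng.sample(data, k)]
    for e in range(epochs):
        lr = 0.5 * (1 - e / epochs)            # decaying learning rate
        radius = 1 if e < epochs // 2 else 0   # neighbourhood shrinks to the BMU
        for p in rng.sample(data, len(data)):  # shuffled pass over the data
            bmu = nearest(p, units)
            for j in range(max(0, bmu - radius), min(k, bmu + radius + 1)):
                h = lr if j == bmu else lr / 2  # neighbours move half as far
                units[j] = [w + h * (x - w) for w, x in zip(units[j], p)]
    return units

def kmeans(data, centers, iters=50):
    """Refinement stage: Lloyd's K-Means from the given centers.
    A cluster that ends up empty keeps its previous center."""
    centers = [list(c) for c in centers]
    for _ in range(iters):
        labels = [nearest(p, centers) for p in data]
        new = []
        for i, c in enumerate(centers):
            members = [p for p, l in zip(data, labels) if l == i]
            new.append([sum(col) / len(members) for col in zip(*members)] if members else c)
        if new == centers:
            break
        centers = new
    return centers, [nearest(p, centers) for p in data]

def make_sample(seed=1):
    """Constructed 2-D stand-in for encoded feature vectors: 3 groups of 40."""
    rng = random.Random(seed)
    means = [(0.0, 0.0), (5.0, 5.0), (10.0, 0.0)]
    return [[rng.gauss(mx, 0.5), rng.gauss(my, 0.5)] for mx, my in means for _ in range(40)]

def som_kmeans(data, k, seed=0):
    units = train_som(data, k, seed=seed)      # SOM weights seed K-Means
    return (units, *kmeans(data, units))
```

Comparing `sse(data, units)` with `sse(data, centers)` shows how much the K-Means stage tightens the SOM's coarse clusters; the refinement can only lower or keep that error.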
Keywords/Search Tags: IDS, agent, XML, OpenJMS, SOM, K-Means