
Intrusion Detection Based On Clustering And Support Vector Machines

Posted on: 2011-04-12
Degree: Master
Type: Thesis
Country: China
Candidate: L Tan
GTID: 2178360302494651
Subject: Communication and Information System
Abstract/Summary:
With the rapid development of computer and communication technologies, computer security has become increasingly prominent and complicated, and intrusion detection technology is an essential means of guaranteeing the security of current computer systems. Against this background, this thesis studies network intrusion detection technology. The algorithms presented in this thesis can judge which points lie in a sparse region of the feature space.

The first algorithm is an intrusion detection algorithm based on fuzzy c-means clustering. We designed a new distance definition and use it in the clustering algorithm, which enables the algorithm to process heterogeneous network data. Although the detection rate is not very high, the clustering algorithm has low time complexity for training and detection, so it can serve as an auxiliary algorithm for the support vector machine algorithm. Because the SMO algorithm also cannot handle symbolic data, we construct a new distance-based kernel function through which heterogeneous data can be mapped into a higher-dimensional feature space. Then, by looking for a sphere of minimal volume that contains the target data, we can distinguish abnormal data from normal data.

In the second algorithm, we improve the fuzzy c-means clustering algorithm and obtain different SMO classifiers for different types of network connection protocols. The basic idea of this algorithm is to decide whether or not to use the SMO classifier by comparing the distances between the network packets and the cluster centers produced by the clustering algorithm. Therefore, only the data that are hard for the clustering algorithm to classify are sent to SMO, which reduces the number of packets passing through SMO, increases the detection speed of the algorithm, and still lets the SMO algorithm classify accurately.

Finally, owing to the lack of good methods for choosing parameters, we could only use trial and error. Future work is to find a method that lets the algorithm determine the two parameters itself.
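The gating idea of the second algorithm, as an added sketch that is not code from the thesis: records clearly closer to one cluster center are labelled by that center, and only ambiguous ones go to a per-protocol second-stage classifier. The distance formula, the `margin` ratio rule, the record layout, the sample data and the rule-based stand-ins for the trained SMO classifiers are all assumptions made for illustration.

```python
import math

NUMERIC, SYMBOLIC = (0, 1), (2, 3)  # assumed layout: duration, bytes, protocol, service

def mixed_distance(x, c, scale):
    """Assumed heterogeneous distance: scaled squared differences on numeric
    fields plus one unit per mismatching symbolic field."""
    num = sum(((x[i] - c[i]) / scale[i]) ** 2 for i in NUMERIC)
    sym = sum(x[i] != c[i] for i in SYMBOLIC)
    return math.sqrt(num + sym)

def classify(x, centers, scale, second_stage, margin=0.5):
    """Label x from its nearest cluster center when that center is clearly
    closer than the runner-up; otherwise defer to the per-protocol classifier."""
    ranked = sorted((mixed_distance(x, c, scale), label) for c, label in centers)
    (d1, label1), (d2, _) = ranked[0], ranked[1]
    if d1 <= margin * d2:
        return label1, "cluster"
    return second_stage[x[2]](x), "second-stage"

# Constructed sample data, not taken from the thesis.
CENTERS = [((2.0, 300.0, "tcp", "http"), "normal"),
           ((0.0, 0.0, "tcp", "private"), "attack")]
SCALE = {0: 10.0, 1: 1000.0}
# Stand-ins for the trained per-protocol SMO classifiers (hypothetical rules).
SECOND_STAGE = {"tcp": lambda x: "attack" if x[1] < 200 else "normal",
                "udp": lambda x: "normal"}
RECORDS = [(2.5, 320.0, "tcp", "http"),
           (0.0, 0.0, "tcp", "private"),
           (1.0, 150.0, "tcp", "smtp"),
           (0.0, 50.0, "udp", "dns")]

def run(records=RECORDS):
    """Classify every record and report the share deferred to the second stage."""
    results = [classify(r, CENTERS, SCALE, SECOND_STAGE) for r in records]
    deferred = sum(stage == "second-stage" for _, stage in results)
    return results, deferred / len(records)

if __name__ == "__main__":
    results, share = run()
    for rec, (label, stage) in zip(RECORDS, results):
        print(rec, "->", label, "via", stage)
    print("share sent to second stage:", share)
```

Lowering `margin` sends more records to the slower second stage; raising it trusts the cluster centers more often.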
Keywords/Search Tags:Network security, Data mining, Intrusion detection, Fuzzy c-means clustering, Support vector machine