
Research On Intrusion Detection Models And Methods Based On Clustering

Posted on: 2011-09-13
Degree: Master
Type: Thesis
Country: China
Candidate: H Y Hou
Full Text: PDF
GTID: 2178360308469025
Subject: Software engineering

Abstract/Summary:
With the rapid development of network technologies and the continuous growth in the scale of network applications, network attacks are increasing day by day. Given the current severity of the network security problem, discovering all kinds of intrusions rapidly and effectively has become very important for ensuring the security of systems and network resources. Traditional static protection methods such as firewalls and data encryption can hardly satisfy the needs of network security. Intrusion detection, by contrast, is an active security protection technology and an important part of the information security protection architecture, so research on intrusion detection technologies has attracted more and more attention.

By studying the process and characteristics of intrusion behaviors, intrusion detection technologies enable the security system to respond in real time to intrusions and their progress. There are usually two kinds of detection methods: misuse intrusion detection and anomaly intrusion detection. Misuse intrusion detection uses defined intrusion profiles built from known attack methods and judges whether observed behavior matches any of these profiles. Its advantage is that known intrusion behaviors can be detected precisely; its disadvantage is that unknown intrusion behaviors cannot be detected. Anomaly intrusion detection, in contrast, assumes that all intrusion behaviors differ from normal behaviors, so once a model of normal behavior is established, all behaviors that deviate from it are, in theory, considered suspicious.
Data mining technology can be used for feature construction and detection. Cluster analysis, an active research field in data mining, can analyze large volumes of data and group objects automatically, which makes it suitable for anomaly intrusion detection.

To make up for the disadvantages of existing detection methods, this thesis focuses on how to apply clustering technology to intrusion detection. The major contributions include:

(1) An in-depth study of the theories of intrusion detection and clustering.

(2) A new anomaly detection algorithm based on the Centroidal Voronoi Diagram. The Centroidal Voronoi Diagram is first applied to cluster the sample data; the point density of each sample point is then computed from the clustering results and used to determine whether the sample is abnormal. Finally, a series of experiments on the well-known KDD Cup 1999 dataset demonstrate that the new algorithm has a low false positive rate while ensuring a high detection rate.
Keywords/Search Tags: Network Security, Intrusion Detection, Centroidal Voronoi Diagram, Data mining, Clustering
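An added sketch of the two-stage scheme the abstract describes (not the thesis's own code): Lloyd's iteration builds a discrete centroidal Voronoi tessellation of the samples, then a per-point density score flags sparse points. The abstract does not define the density, so the formula, the farthest-point seeding, the `threshold` value and all function names here are assumptions.

```python
import math

# Constructed 2-D feature vectors (not KDD Cup 1999 records): two dense
# groups of "normal" samples plus one isolated sample.
SAMPLES = [(1.0, 1.0), (1.2, 0.9), (0.9, 1.1), (1.1, 1.2), (0.8, 0.8), (1.0, 1.3),
           (5.0, 5.0), (5.2, 4.9), (4.9, 5.1), (5.1, 5.2), (4.8, 4.8), (5.0, 5.3),
           (9.0, 1.0)]

def lloyd_cvt(points, k, max_iter=100):
    """Discrete centroidal Voronoi tessellation via Lloyd's iteration: every
    generator ends up at the centroid of the samples in its Voronoi cell."""
    # Deterministic farthest-point seeding (an assumption of this sketch).
    gens = [points[0]]
    while len(gens) < k:
        gens.append(max(points, key=lambda p: min(math.dist(p, g) for g in gens)))
    labels = None
    for _ in range(max_iter):
        # Voronoi step: assign each sample to its nearest generator.
        new = [min(range(k), key=lambda i: math.dist(p, gens[i])) for p in points]
        if new == labels:  # cells unchanged, so generators are centroids
            break
        labels = new
        # Centroid step: move each generator to the mean of its cell.
        for i in range(k):
            cell = [p for p, l in zip(points, labels) if l == i]
            if cell:  # an empty cell keeps its previous generator
                gens[i] = tuple(sum(c) / len(cell) for c in zip(*cell))
    return gens, labels

def point_density(points, gens, labels):
    """Assumed density: the share of all samples in the point's cell, damped
    by the point's distance to its generator relative to the mean distance."""
    n = len(points)
    sizes = [labels.count(i) for i in range(len(gens))]
    dists = [math.dist(p, gens[l]) for p, l in zip(points, labels)]
    scale = sum(dists) / n or 1.0  # avoid dividing by zero
    return [(sizes[l] / n) / (1.0 + d / scale) for d, l in zip(dists, labels)]

def detect_anomalies(points, k, threshold):
    """Return the samples whose density falls below the threshold."""
    gens, labels = lloyd_cvt(points, k)
    dens = point_density(points, gens, labels)
    return [p for p, rho in zip(points, dens) if rho < threshold]

if __name__ == "__main__":
    print(detect_anomalies(SAMPLES, k=3, threshold=0.1))
```

Because the score depends on cell population, a sample that ends up alone in its own cell scores low even though it sits exactly on its generator.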