
Intrusion Detection Algorithm Based On Fuzzy Clustering

Posted on: 2011-11-15
Degree: Master
Type: Thesis
Country: China
Candidate: Y Wang
GTID: 2208330332471532
Subject: Computer application technology

Abstract/Summary:
Computer network security is a perennial topic in network technology research. Intrusion detection (ID) is one of the important means of ensuring that a network runs securely. By examining related audit data, ID determines whether the network contains any behavior that violates a pre-defined security policy or threatens a computer system's security. However, with the development of network technologies and the expansion of network scales, there will be more and more opportunities for intrusion. If intrusion behavior of every type cannot be detected efficiently and effectively, the ability to ensure the security of a network system and its resources is greatly limited.

Combining fuzzy c-means (FCM) clustering algorithms with ID technologies, as a typical unsupervised learning method, makes it possible to construct an ID model directly on an unlabelled dataset or to find abnormal data. This improves the ID system's capability for processing large amounts of data and increases its detection efficiency. As a result, applying FCM clustering in ID is promising, because such a method is highly practical and follows the trend of future ID systems.

Beginning with the ID model based on fuzzy clustering, this thesis sets out the existing weaknesses of FCM clustering in this research area, and summarizes research on modified fuzzy clustering from the perspectives of modifying the distance measure, modifying the membership constraints, and constraining the class centers. The thesis then focuses on the problem of hybrid attribute types in a dataset used for anomaly detection. The experiments in the thesis are mainly based on the KDDCUP99 dataset, which is often used in ID research.

Contributions of the thesis can be summarized as follows:

1) The thesis gives a detailed analysis of the experiment dataset and applies some pre-processing operations to it.

2) Unlike the original FCM clustering algorithm, the thesis distinguishes between the attribute types in data with hybrid attributes, proposes a modified algorithm for handling such hybrid attributes based on previous research, and then analyzes the cases where the fuzziness parameter m takes different values and where the distance parameter a for two unequal attributes of discrete type takes different values.

3) The proposed modified FCM clustering algorithm is nonetheless still weak in that it is sensitive to initialization and can easily get trapped in a local optimum. Therefore, by applying the Guo-Tao algorithm, which is often used for global optimization, and introducing a crossover probability p, the thesis proposes a further improvement.

Experimental results for the proposed global optimization algorithm show that it resolves the sensitivity to initialization well, its performance is stable, it is robust, it increases the convergence speed, and it also increases the average detection rate. It thereby directly demonstrates the advantages of applying improved FCM clustering to anomaly detection.
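To make the roles of m and a concrete, here is an added sketch of FCM over records with hybrid attributes; it is not code from the thesis. It assumes a squared dissimilarity that adds a for each discrete attribute whose values differ, weighted-mode updates for discrete centre values, and fixed initial centres; all function names and the sample records are constructed for illustration.

```python
from collections import defaultdict

def mixed_dist2(x, c, a):
    # Assumed form: squared Euclidean on numeric part + a per discrete mismatch.
    num = sum((p - q) ** 2 for p, q in zip(x[0], c[0]))
    return num + a * sum(p != q for p, q in zip(x[1], c[1]))

def memberships(d2, m):
    """Standard FCM membership update for one record (requires m > 1)."""
    zero = [i for i, d in enumerate(d2) if d == 0.0]
    if zero:  # record coincides with a centre: avoid division by zero
        return [1.0 / len(zero) if i in zero else 0.0 for i in range(len(d2))]
    e = 1.0 / (m - 1.0)
    return [1.0 / sum((di / dj) ** e for dj in d2) for di in d2]

def update_centre(data, w):
    """Weighted mean for numeric attributes, weighted mode for discrete ones."""
    num = [sum(wi * x[0][k] for wi, x in zip(w, data)) / sum(w)
           for k in range(len(data[0][0]))]
    cat = []
    for k in range(len(data[0][1])):
        votes = defaultdict(float)
        for wi, x in zip(w, data):
            votes[x[1][k]] += wi
        cat.append(max(sorted(votes), key=votes.get))  # sorted: stable ties
    return (num, cat)

def fcm_mixed(data, init_idx, m=2.0, a=0.5, iters=20):
    """Alternate membership and centre updates from fixed initial centres."""
    centres = [data[i] for i in init_idx]
    for _ in range(iters):
        U = [memberships([mixed_dist2(x, c, a) for c in centres], m) for x in data]
        centres = [update_centre(data, [u[j] ** m for u in U])
                   for j in range(len(centres))]
    return U, centres

# Constructed KDD-style records ([duration, src_bytes] scaled, [protocol, service, flag]).
DATA = [
    ([0.02, 0.10], ["tcp", "http", "SF"]),
    ([0.03, 0.12], ["tcp", "http", "SF"]),
    ([0.01, 0.09], ["tcp", "smtp", "SF"]),
    ([0.04, 0.11], ["tcp", "http", "SF"]),
    ([0.00, 0.00], ["tcp", "private", "S0"]),
    ([0.00, 0.01], ["tcp", "private", "S0"]),
]

def label(U):
    return [max(range(len(u)), key=u.__getitem__) for u in U]
```

The result depends on `init_idx`, which is the initialization sensitivity the abstract describes; the record with the unusual service ends up with a split membership rather than a hard assignment.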
Keywords/Search Tags: intrusion detection, fuzzy clustering, data pre-processing, global optimization, Guo-Tao algorithm