
Clustering-based Intrusion Detection System Research

Posted on: 2007-01-12
Degree: Master
Type: Thesis
Country: China
Candidate: X Y Liu
GTID: 2208360182493441
Subject: Computer software and theory
Abstract/Summary:
An intrusion detection system (IDS) addresses problems that traditional protection mechanisms cannot solve; it is a main component of the computer security architecture and an important area of computer security research. Combining data mining with intrusion detection gives an IDS the ability to learn on its own and to handle very large volumes of data, which improves detection capability and reduces the workload of security administrators. This combination is practical and follows the direction in which intrusion detection systems are developing. Clustering is a typical unsupervised learning technique: it can build an intrusion detection model and detect anomalous records in an unlabeled dataset. Clustering therefore has practical value in the field of anomaly detection and in advancing intrusion detection systems.

This thesis analyses clustering methods in data mining with intrusion detection as the goal and proposes a dynamic incremental clustering approach. Based on an analysis of existing intrusion detection systems, it proposes AMIDS, a clustering-based, real-time anomaly detection model. The approach to mining intrusions has two main stages. In the training phase, the dynamic incremental clustering approach is applied to the historical audit data of each legitimate user to create a profile of that user's normal behavior. In the testing phase, the current user's command data is compared against the corresponding profile to decide whether the current user is the legitimate one. Intrusion detection systems built with traditional methods are slow to build and costly to update, and they can hardly meet the requirements of validity, self-adaptability and real-time operation.

AMIDS analyses and processes legitimate users' command data with clustering technology to improve the agility and validity of user profiles; it updates user profiles dynamically to ensure self-adaptability; and it captures the current user's commands in real time and judges intrusive behavior by similarity comparison to meet the real-time requirement.
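The two-phase scheme described in the abstract (incremental clustering of historical command data into per-user profiles, then similarity comparison of the live command window against the profile with dynamic profile renewal) can be illustrated in a few dozen lines. The following is an added example written for this page, not the thesis's AMIDS code: the bag-of-commands feature vector, the leader-style incremental clustering rule, the cosine similarity measure, the window size, the threshold and the command histories are all assumptions chosen for illustration.

```python
"""Illustrative clustering-based user-profile anomaly detector (added example,
not the thesis's AMIDS implementation).

Training phase: split each user's historical command stream into fixed-size
windows, turn each window into a command-frequency vector, and cluster the
vectors incrementally: a window joins the nearest centroid if it is similar
enough, otherwise it opens a new cluster. The set of centroids is the profile.

Testing phase: score the live window by its similarity to the nearest centroid;
below the threshold it is flagged as anomalous, otherwise it is folded back
into the profile so the profile adapts to drift in normal behaviour.
"""
import math
from collections import Counter

WINDOW = 6           # commands per window (assumption)
SIM_THRESHOLD = 0.6  # cosine similarity below this is an anomaly (assumption)


def windows(commands, size=WINDOW):
    """Split a command stream into non-overlapping windows of `size` commands."""
    return [commands[i:i + size] for i in range(0, len(commands) - size + 1, size)]


def features(window):
    """Bag-of-commands frequency vector for one window."""
    return Counter(window)


def cosine(a, b):
    """Cosine similarity of two sparse vectors given as mappings."""
    dot = sum(a[k] * b.get(k, 0.0) for k in a)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


class Profile:
    """Per-user profile: a list of clusters, each a centroid and a member count."""

    def __init__(self, threshold=SIM_THRESHOLD):
        self.threshold = threshold
        self.clusters = []  # each entry is [centroid: dict, member_count: int]

    def nearest(self, vec):
        """Return (index, similarity) of the most similar centroid, or (None, 0.0)."""
        best, best_sim = None, 0.0
        for i, (centroid, _) in enumerate(self.clusters):
            s = cosine(vec, centroid)
            if s > best_sim:
                best, best_sim = i, s
        return best, best_sim

    def absorb(self, vec):
        """Incremental clustering step: fold `vec` into the nearest centroid as a
        running mean if it is close enough, otherwise open a new cluster."""
        idx, sim = self.nearest(vec)
        if idx is None or sim < self.threshold:
            self.clusters.append([dict(vec), 1])
            return
        centroid, n = self.clusters[idx]
        for k in set(centroid) | set(vec):
            centroid[k] = (centroid.get(k, 0.0) * n + vec.get(k, 0.0)) / (n + 1)
        self.clusters[idx][1] = n + 1

    def train(self, history):
        """Training phase: build the profile from a user's historical commands."""
        for w in windows(history):
            self.absorb(features(w))

    def check(self, window, adapt=True):
        """Testing phase: returns (is_anomaly, similarity) for a live window and,
        when the window is judged normal, updates the profile dynamically."""
        vec = features(window)
        _, sim = self.nearest(vec)
        anomalous = sim < self.threshold
        if adapt and not anomalous:
            self.absorb(vec)
        return anomalous, round(sim, 3)


# Constructed sample data (assumption): one user with two normal modes of work,
# a development mode and an administration mode, followed by two live windows.
HISTORY_ALICE = [
    "cd", "ls", "vim", "make", "gcc", "git",
    "ls", "vim", "vim", "make", "git", "cd",
    "cd", "git", "vim", "make", "ls", "git",
    "vim", "gcc", "make", "ls", "cd", "git",
    "ssh", "sudo", "systemctl", "tail", "grep", "ssh",
    "sudo", "tail", "grep", "ssh", "systemctl", "grep",
]
NORMAL_WINDOW = ["cd", "ls", "vim", "make", "git", "ls"]
SUSPECT_WINDOW = ["wget", "chmod", "nmap", "nc", "wget", "bash"]


def demo():
    """Train on the constructed history and score the two live windows."""
    profile = Profile()
    profile.train(HISTORY_ALICE)
    normal = profile.check(NORMAL_WINDOW)
    suspect = profile.check(SUSPECT_WINDOW)
    return {"clusters": len(profile.clusters), "normal": normal, "suspect": suspect}


if __name__ == "__main__":
    print(demo())
```

On the constructed history the training phase settles into two clusters (one per mode of work), the development-style live window scores well above the threshold and is absorbed, and the recon-style window shares no commands with either centroid and is flagged. Two points a practitioner would check before relying on such a scheme: the threshold has to be calibrated on held-out normal data for each user rather than fixed by hand, and the dynamic renewal step means anything that scores as normal moves the profile, so an intruder who stays just above the threshold can gradually drift it; bounding how fast a centroid may move, or requiring several consistent windows before absorbing, limits that effect.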
Keywords/Search Tags: Data Mining, Intrusion Detection, Clustering, User Profile