
Clustering-based Anomaly Detection Technology

Posted on: 2009-02-26
Degree: Master
Type: Thesis
Country: China
Candidate: B Yang
Full Text: PDF
GTID: 2208360245982717
Subject: Computer software and theory

Abstract/Summary:
With the rapid development of the Internet, networks now affect politics, the economy, culture, the military, daily life and so on. Because people depend on the network, security issues are becoming more and more severe. As a proactive information security technology, intrusion detection provides real-time protection against internal and external attacks as well as misoperation: it can intercept and respond to intrusive behaviour before an attack damages the network. In recent years great progress has been made in intrusion detection, and many anomaly detection approaches have been proposed, such as statistics-based, machine-learning-based and data-mining-based anomaly detection. There is still room to improve their performance.

To reduce false positives and extend the detection range, this thesis proposes a clustering-based unsupervised anomaly detection technique. An improved hybrid IDS framework is put forward with the aims of better real-time behaviour, better self-adaptability and a wider range of detected attacks, in the hope of contributing to the development of this field.

The content of this thesis mainly includes the following aspects:

1. It introduces the related concepts of intrusion detection, including architecture, misuse detection and anomaly detection, and then analyses the present state of research at home and abroad.

2. It introduces and classifies the existing anomaly detection techniques, analyses in detail the strong points and shortcomings of each type, and then summarizes the shortcomings of existing anomaly detection technology.

3. It puts forward an unsupervised anomaly detection model based on clustering. From several candidate clusterings it chooses the one with the minimum Davies-Bouldin (DB) index, applies the minimum intra-cluster distance and the maximum intra-cluster distance to classify every cluster, and then identifies attacks. Experimental results show that the proposed strategy clearly improves the detection rate and decreases the false positive rate.

4. It puts forward an improved hybrid IDS framework and analyses some key technologies of the system, including packet sniffing, protocol analysis, anomaly detection, rule format and the rule generation mechanism. It provides guidance for designing a hybrid IDS.
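The selection step in aspect 3 (run several clusterings, keep the one with the lowest Davies-Bouldin index, then classify each cluster and flag the anomalous ones) can be shown end to end on a small constructed dataset. The example below is added here and is not the thesis's own code or data. It assumes plain k-means with deterministic farthest-first seeding as the clustering algorithm, candidate k values of 2 to 5, and, since the abstract does not spell out its distance rule, a simple size criterion (a cluster holding fewer than 20% of the records is treated as attack traffic); the per-cluster minimum and maximum intra-cluster distances are reported alongside so the rule could be swapped for a distance-based one.

```python
"""Clustering-based unsupervised anomaly detection, worked example.

Picks the k-means result with the lowest Davies-Bouldin (DB) index, then
flags small clusters as attacks.  Constructed example, not the thesis's
own code or data; the size threshold is an assumption.
"""
import math
from typing import Dict, List, Sequence, Tuple

Point = Tuple[float, float]

# Constructed sample: two dense "normal" groups and one tiny far-away group
# standing in for feature vectors extracted from network records.
NORMAL_A: List[Point] = [(0, 0), (1, 0), (0, 1), (1, 1), (-1, 0), (0, -1), (-1, -1), (0.5, 0.5)]
NORMAL_B: List[Point] = [(x + 10, y + 10) for x, y in NORMAL_A]
ATTACK: List[Point] = [(30, 30), (31, 30), (30, 31)]
SAMPLE: List[Point] = NORMAL_A + NORMAL_B + ATTACK

ANOMALY_FRACTION = 0.2  # assumption: a cluster holding < 20% of the records is suspect


def dist(a: Point, b: Point) -> float:
    return math.hypot(a[0] - b[0], a[1] - b[1])


def centroid(points: Sequence[Point]) -> Point:
    n = len(points)
    return (sum(p[0] for p in points) / n, sum(p[1] for p in points) / n)


def farthest_first_seeds(points: Sequence[Point], k: int) -> List[Point]:
    """Deterministic seeding (no random start) so the run is reproducible."""
    seeds = [points[0]]
    while len(seeds) < k:
        seeds.append(max(points, key=lambda p: min(dist(p, s) for s in seeds)))
    return seeds


def kmeans(points: Sequence[Point], k: int, max_iter: int = 100) -> List[List[Point]]:
    """Lloyd's k-means; returns the non-empty clusters as lists of points."""
    centers = farthest_first_seeds(points, k)
    labels = [-1] * len(points)
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda i: dist(p, centers[i])) for p in points]
        if new_labels == labels:
            break
        labels = new_labels
        for i in range(k):
            members = [p for p, lab in zip(points, labels) if lab == i]
            if members:  # an emptied cluster keeps its previous center
                centers[i] = centroid(members)
    clusters = [[p for p, lab in zip(points, labels) if lab == i] for i in range(k)]
    return [c for c in clusters if c]


def davies_bouldin(clusters: Sequence[Sequence[Point]]) -> float:
    """DB index: mean over clusters i of max_j (s_i + s_j) / d(c_i, c_j).

    s_i is the mean distance of cluster i's points to its centroid; lower is better."""
    if len(clusters) < 2:
        return math.inf
    cents = [centroid(c) for c in clusters]
    scat = [sum(dist(p, c) for p in cl) / len(cl) for cl, c in zip(clusters, cents)]
    worst = []
    for i in range(len(clusters)):
        ratios = [(scat[i] + scat[j]) / dist(cents[i], cents[j])
                  for j in range(len(clusters)) if j != i and dist(cents[i], cents[j]) > 0]
        worst.append(max(ratios) if ratios else 0.0)
    return sum(worst) / len(worst)


def best_clustering(points: Sequence[Point], k_values=(2, 3, 4, 5)):
    """Run k-means for each candidate k and keep the result with the minimum DB index."""
    results = [(davies_bouldin(cl), k, cl) for k in k_values for cl in [kmeans(points, k)]]
    db, k, clusters = min(results, key=lambda r: r[0])
    return k, db, clusters


def label_clusters(clusters: Sequence[Sequence[Point]], total: int) -> List[Dict]:
    """Per-cluster summary; clusters below the size threshold are flagged as attacks."""
    out = []
    for cl in clusters:
        c = centroid(cl)
        intra = [dist(p, c) for p in cl]
        out.append({"size": len(cl), "min_intra": min(intra), "max_intra": max(intra),
                    "attack": len(cl) < ANOMALY_FRACTION * total})
    return out


def detect(points: Sequence[Point]):
    """Full pipeline: choose clustering by DB index, classify clusters, list flagged points."""
    k, db, clusters = best_clustering(points)
    info = label_clusters(clusters, len(points))
    flagged = [p for cl, meta in zip(clusters, info) if meta["attack"] for p in cl]
    return k, db, info, flagged


if __name__ == "__main__":
    k, db, info, flagged = detect(SAMPLE)
    print(f"best k={k} DB={db:.3f}")
    for meta in info:
        print(meta)
    print("flagged as attack:", flagged)
```

On the constructed sample the k=3 clustering wins (its DB index is about 0.11, against about 0.22 for k=2 and higher still for k=4 and k=5, where a dense group gets split into neighbouring halves with a large s_i + s_j relative to the centroid distance), and the three far-away points fall into the one cluster small enough to be flagged. In practice the size threshold and the intra-cluster distance bounds are the parameters that trade detection rate against false positives.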
Keywords/Search Tags: Anomaly detection technology, Clustering, Davies-Bouldin Index, Hybrid IDS framework