
Application Of Improved Clustering And Decision Tree Algorithms In Intrusion Detection

Posted on: 2013-10-17 | Degree: Master | Type: Thesis
Country: China | Candidate: Q Yi | Full Text: PDF
GTID: 2248330371481331 | Subject: Computer application technology
Abstract/Summary:
The rapid development of network technology has expanded the scope of network applications and brought many network security issues with it. There are thousands of network attack methods, and in responding to them, intrusion detection systems are a more effective measure in addition to the firewall. As a means of active defense against network attacks, intrusion detection has to meet enormous challenges such as the large volume of network data, noisy data and online learning; correctly identifying attack data within massive network data is also a problem to be solved. Intrusion detection extracts the characteristics of network data from a large data set and, according to those characteristics, determines whether a network behavior is normal or intrusive, so the intrusion detection problem is converted into a data classification problem.

This thesis studies the K-means clustering algorithm and the C4.5 decision tree classification algorithm as applied to the network intrusion detection problem. K-means clustering is an unsupervised learning process: it requires no a priori knowledge during clustering, can discover unknown types of attack, is simple, and converges quickly. The decision tree is a supervised classification method that needs a priori knowledge of network behavior to label the training data. It has a higher recognition rate for known types of attack, but cannot discover unknown types. The two algorithms are each improved to address their different shortcomings, and the improved algorithms are combined to establish a comprehensive intrusion detection model.

The main work of this thesis consists of three parts.

The first part analyzes the deficiencies of the K-means clustering algorithm and improves it. The traditional K-means algorithm is suited to data sets with a spherical structure and gives poor clustering results on other shapes. The improved clustering criterion function judges the similarity of samples with the Mahalanobis distance, which reflects the correlation between attributes, and an attribute weighting factor and a matrix coordination factor in the distance metric improve the clustering ability of K-means on non-spherical cluster data sets.

The second part elaborates the shortcoming of the C4.5 decision tree classification algorithm, which in some cases still tends to favor multi-valued attributes. To overcome this multi-value bias, the thesis proposes an amendment that adjusts the split information value of the attribute, introducing a coordination factor related to the number of attribute values to reduce the information gain ratio of multi-valued attributes. The improved algorithm tends to choose attributes with more classification significance as split nodes, avoiding the multi-value bias.

The third part puts forward an integrated intrusion detection algorithm based on the improved K-means clustering algorithm and the improved C4.5 decision tree algorithm. It elaborates the idea of integrated intrusion detection and the module structure of the intrusion detection system, and describes the function of each module and its implementation details.

Finally, the KDD99 data set is used for experiments, and the detection results of the improved algorithms and of the original algorithms are analyzed. Verification on the test data shows that the improved algorithms are feasible and effective, and that the integrated intrusion detection built on the improved K-means clustering algorithm and the improved C4.5 decision tree classification algorithm obtains better detection results.
Keywords/Search Tags: K-means, C4.5, Decision Tree, Weighted Mahalanobis Distance, Intrusion Detection
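
An added illustration, not code from the thesis: plain per-cluster Mahalanobis distance (without the thesis's attribute weighting and coordination factors, which the abstract does not specify) assigns a point on the long axis of an elongated, correlated cluster to that cluster, where Euclidean distance to the centroid picks the wrong one. The sample points, cluster names and function names are constructed for this example.

```python
import math

# Constructed 2-D samples (e.g. two standardized traffic features).
CLUSTERS = {
    "elongated": [(-4, -3.5), (-2, -2.5), (0, 0.5), (0, -0.5), (2, 2.5), (4, 3.5)],
    "compact": [(3, -1.5), (3.5, -1), (3, -0.5), (2.5, -1)],
}

def centroid(points):
    n = len(points)
    return (sum(x for x, _ in points) / n, sum(y for _, y in points) / n)

def covariance(points):
    """Sample covariance of 2-D points as (sxx, sxy, syy)."""
    mx, my = centroid(points)
    n = len(points) - 1
    sxx = sum((x - mx) ** 2 for x, _ in points) / n
    syy = sum((y - my) ** 2 for _, y in points) / n
    sxy = sum((x - mx) * (y - my) for x, y in points) / n
    return sxx, sxy, syy

def euclidean(p, points):
    cx, cy = centroid(points)
    return math.hypot(p[0] - cx, p[1] - cy)

def mahalanobis(p, points):
    """sqrt(d^T S^-1 d), S = the cluster's own covariance (closed-form 2x2 inverse)."""
    sxx, sxy, syy = covariance(points)
    det = sxx * syy - sxy * sxy
    if det <= 1e-12:
        raise ValueError("singular covariance: cluster has no spread in some direction")
    cx, cy = centroid(points)
    dx, dy = p[0] - cx, p[1] - cy
    return math.sqrt((syy * dx * dx - 2 * sxy * dx * dy + sxx * dy * dy) / det)

def assign(p, metric):
    """Return the name of the cluster whose centroid is nearest under `metric`."""
    return min(CLUSTERS, key=lambda name: metric(p, CLUSTERS[name]))

if __name__ == "__main__":
    point = (3, 3)  # lies on the long axis of the elongated cluster
    for metric in (euclidean, mahalanobis):
        dists = {n: round(metric(point, pts), 3) for n, pts in CLUSTERS.items()}
        print(metric.__name__, dists, "->", assign(point, metric))
```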