Network Intrusion Detection Research Based On Rough Set And Outliers Mining

With the rapid development and widly used of the internet, the security of thenetwork is growing seriously. In recent years, intrusion detection technology hasgained wide concern as one major technology in maintaining network security.However, the current intrusion detection systems also have many problems, forexample, accuracy rate of system detection is low, but the false alarm rate is alwayshigh. In addition, the system can’t detect the new attacks in real time. One of themain causes of these problems lies that current intrusion detection methods don’thave a full consideration of the uncertainty and incompleteness of intrusiondetection systems. Intrusion detection systems are facing the relatively open andcomplex network environment, so that the system has the characteristics ofuncertainty, incompleteness and other features. However, the current intrusiondetection methods assume that the raw data they handled is determinate andcomplete. And they are lack of the effective mechanism to handle the uncertain andincomplete data.In order to deal with the uncertainty and incompleteness of the intrusiondetection systems effectively, rough set theory will be used to show and process theuncertain and incomplete data of intrusion detection systems, and it will becombined with outlier mining techniques to detect intrusion. Two kinds of dataprocessing algorithm are proposed in this paper which based on rough set theory todeal with the uncertain and incomplete data of intrusion detection system: datasupplement algorithm based on relative decision entropy and weighted similarity,attribute reduction algorithm based on approximate entropy. On the bases of those two data processing algorithms, One kind of intrusion detection method are furtherproposed which based on outlier mining in order to build a new intrusion detectionmodel. The new built model can deal with the uncertain and incomplete data so thatwe can solve the existing main problems of current intrusion detection systems tosome extent.The main work of this paper includes the following aspects:(1) Propose a rough set data supplement algorithm based on relative decisionentropy and weighted similarity. For current rough set data supplement methodshave some common problems, a new definition of the weighted similarity isproposed. What’s more, the relative decision entropy is used to calculate theattribute importance. Then a rough set data supplement algorithm is designed basedon relative decision entropy and weighted similarity. The effectiveness of theproposed algorithm is verified through the experiments on real data sets.(2) Propose an attribute reduction algorithm based on approximate decisionentropy. For current attribute reduction methods based on information entropy havesome common problems, a new information entropy model named approximatedecision entropy is defined. Then a new attribute reduction algorithm is proposedbased on this approximate decision entropy. Experiments are done on multiple UCIdatasets and compared with other traditional algorithms, the result is that thealgorithm can obtain a relatively small reduction and higher classification accuracy,as well as a relatively low computational overhead.(3) Propose an intrusion detection algorithm based on outlier mining. Thetraditional outlier detection algorithm is improved based on distance and appliedinto intrusion detection. For the traditional outlier detection algorithm based ondistance can’t effectively deal with the discrete attributes, one kind of distancemetric for discrete attributes is proposed based on rough set theory. And then designthe corresponding outlier detection algorithm. The proposed intrusion detectionalgorithm is applied into intrusion detection through seeing intrusion behavior asoutliers and then a new kind of unsupervised intrusion detection method is obtained.The KDD Cup99data set is used which is widely used in network security area toverify the effectiveness of this method and compared with the traditional method,the new proposed method can have a better intrusion detection effect.