Research On Model Of Intrusion Detection Based On Combination Of FCM And C4.5 Filtering Method

Posted on: 2016-06-06
Degree: Master
Type: Thesis
Country: China
Candidate: Y C Yan
GTID: 2308330461455881
Subject: Computer Science and Technology

Abstract/Summary:
With the rapid development of network technology and the continuous rise in society's level of informatization, people depend on the network more and more, and as a result network security issues have become increasingly important. As a means of actively defending against network attacks, intrusion detection has become a hot topic in the field of network security. However, intrusion detection algorithms still have many shortcomings: high false positive and false negative rates, difficulty detecting unknown attacks, and the difficulty of detecting complicated network attacks with a single detection technology. To solve these problems, this paper constructs a comprehensive intrusion detection algorithm by combining two algorithms.

First, this paper briefly describes the structure, classification, and trends of Intrusion Detection Systems, and analyzes in detail data mining and its applications in intrusion detection. This research and analysis shows that intrusion detection requires large amounts of data and that data mining is a powerful data processing tool. This paper therefore brings data mining technology into intrusion detection systems to deal with massive amounts of data.

The thesis then focuses on the Fuzzy C-Means clustering algorithm (FCM) and the C4.5 decision tree algorithm. We found that FCM does not require any prior knowledge in the clustering process, has a simple process, converges quickly, and can find unknown attacks, but has a high false positive rate. C4.5, by contrast, is a supervised classification method that requires pre-labeled training data for model building; it detects known attacks effectively, but its ability to detect unknown attacks is poor. We therefore combined FCM with C4.5 to construct a dual-filter intrusion detection model.

The detection model is divided into two layers. The first layer uses the Fuzzy C-Means clustering algorithm to filter out normal data, which removes a large number of packets; the second layer uses the C4.5 decision tree algorithm to improve accuracy. The detection model is evaluated on the Knowledge Discovery and Data Mining (KDD'99) data set. The experimental results show that the proposed detection model makes full use of FCM's ability to detect unknown attacks and of C4.5's low false alarm rate and high detection rate for known attacks, while overcoming the low rate of FCM and the poor ability of C4.5 to detect unknown attacks.

Finally, in order to adapt to changes in the network environment and user behavior, the last chapter constructs an incremental FCM-C4.5-based intrusion detection model. In this model, newly generated data are fed back to the constructed model during the model update, so that the model can be constantly updated according to changes in the network environment and user behavior. A simulation experiment was run on the KDD CUP99 data set; the experimental results show that the incremental intrusion detection model can adapt to changes in the network environment with a high detection rate and a low false alarm rate.
Keywords/Search Tags: Intrusion detection, data mining, FCM, C4.5, combination filter, incremental learning