A Study On Clustering-Based Method For Detecting Network Intrusions With New Types

Posted on: 2012-08-24
Degree: Master
Type: Thesis
Country: China
Candidate: Z S Huang
GTID: 2308330482985106
Subject: Computer technology

Abstract/Summary:
The Internet has become an increasingly important part of people's lives, and this has made security issues more prominent than ever. Computer security technologies have developed considerably and now restrain a large amount of unauthorized information manipulation and information acquisition. However, information security remains a serious concern. Users' weak security awareness and flaws in the software and hardware of information systems give lawbreakers opportunities to exploit, and such opportunities also arise from misoperation by normal users.

As an important element of information security facilities, the firewall plays a key role. However, a firewall is always a passive means of defense against intrusion, and it is basically ineffective when facing a new and creative intrusion. The IDS therefore emerged at the right moment, working together with the firewall to combine passive and active defense. By raising alarms and defending after an intrusion, they make computer information safer.

However, the types of network intrusion change almost every day, so detecting the occurrence of new types of intrusion is an important issue. Traditionally, intrusions are detected by a model learned from old data. New types of intrusion cannot be learned from old data, so they cannot be recognized when they occur.

This study proposes a clustering-based method that first distinguishes intrusion data from normal data. A clustering method is unsupervised and groups data with similar characteristics into the same cluster. A new type of intrusion always has significantly different data characteristics; hence it can be detected when it cannot be assigned to any known cluster.

According to the experimental results, our clustering-based method performs significantly better than CBUID at identifying new types of intrusions, but its false alarm rate is slightly higher than that of some methods such as CBUID.
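
The assignment rule described above, sketched as an added example that is not the thesis's own algorithm: plain k-means over known traffic, with a record flagged as a candidate new type when it falls outside the radius of its nearest known cluster. The two scaled features, the `slack` factor and all function names are assumptions, and the sample vectors are constructed.

```python
import math

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(points, k, iters=20):
    # Deterministic farthest-point seeding keeps the example reproducible.
    cents = [points[0]]
    while len(cents) < k:
        cents.append(max(points, key=lambda p: min(dist(p, c) for c in cents)))
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[nearest(cents, p)].append(p)
        # Recompute each centroid as the mean of its members.
        cents = [tuple(sum(v) / len(g) for v in zip(*g)) if g else cents[i]
                 for i, g in enumerate(groups)]
    return cents

def nearest(cents, p):
    return min(range(len(cents)), key=lambda i: dist(p, cents[i]))

def fit(points, k, slack=1.5):
    """Return [(centroid, radius)]; radius = farthest training member * slack."""
    cents = kmeans(points, k)
    radii = [0.0] * k
    for p in points:
        i = nearest(cents, p)
        radii[i] = max(radii[i], dist(p, cents[i]))
    return [(c, r * slack) for c, r in zip(cents, radii)]

def assign(model, p):
    """Index of the known cluster that covers p, or None (candidate new type)."""
    i = nearest([c for c, _ in model], p)
    c, r = model[i]
    return i if dist(p, c) <= r else None

# Constructed, already-scaled feature vectors (two hypothetical features).
NORMAL = [(1.0, 1.0), (1.2, 0.9), (0.8, 1.1), (1.1, 1.2), (0.9, 0.8)]
KNOWN_ATTACK = [(8.0, 1.0), (8.2, 1.1), (7.9, 0.9), (8.1, 1.2), (7.8, 0.8)]
MODEL = fit(NORMAL + KNOWN_ATTACK, k=2)

if __name__ == "__main__":
    for sample in [(1.1, 1.0), (8.1, 0.9), (4.0, 9.0), (1.0, 1.5)]:
        print(sample, "->", assign(MODEL, sample))
```

The last sample, (1.0, 1.5), is only mildly unusual normal traffic yet is still left unassigned: a tight radius catches more novel records at the cost of more false alarms, and `slack` is the knob that moves that balance.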

Keywords/Search Tags: data mining, clustering, IDS, CURE, DBSCAN, k-means