Research Of Intrusion Detection Algorithm Based On Clustering Analysis

Posted on: 2017-11-23
Degree: Master
Type: Thesis
Country: China
Candidate: Y Shao
GTID: 2348330491463358
Subject: Information and Communication Engineering

Abstract/Summary:
With the rapid development of Internet technology, higher requirements have been placed on computer intrusion detection systems in terms of expansibility, accuracy and so forth. Meeting them requires integrating intrusion detection with data mining technology. By using mathematical models to analyze large amounts of data extracted from intrusion behavior and normal behavior, the intrusion detection process is transformed into a data mining process, so manual intervention is significantly reduced and the performance of intrusion detection is improved. As a significant research area in the field of data mining, clustering analysis can extract regular patterns and valuable information from intrusion detection data.

The main research work of this thesis is as follows:

Firstly, the advantages and disadvantages of different clustering algorithms are presented through comparative analysis. The requirements that a clustering algorithm must meet when applied to an intrusion detection system are then derived from the characteristics of the KDD CUP99 intrusion detection data.

Secondly, based on the previous work, the DBSCAN algorithm is chosen because of its advantages when applied to intrusion detection. To address the problems encountered when DBSCAN is applied to intrusion detection, the concepts of grid and data layer are introduced to reduce the computational work and memory consumption. After that, the concept of connection points is introduced to improve the performance of the algorithm. Finally, the optimized GPDBSCAN-CP algorithm is proposed, and comparative simulation shows that it performs better than the original DBSCAN algorithm and thus improves the performance of intrusion detection.

Thirdly, an algorithm named GDClustream, based on both density and grid, is proposed according to the characteristics of intrusion detection data streams. GDClustream has a two-layer framework based on the classic Clustream algorithm. The online layer mainly optimizes the calculation method of grid density according to the DENCLUE algorithm and the density attenuation strategy according to the Dstream algorithm. An optimized algorithm named DBSCAN-G is introduced in the offline layer to increase the efficiency of clustering. Comparative simulation shows that GDClustream performs better than both the Denstream and Dstream algorithms, and that GDClustream can meet real-time requirements.

Lastly, building on the third piece of work, an intrusion detection model based on GDClustream and SNORT is constructed. The evaluation index, namely average clustering purity, which was proposed with the Denstream algorithm, is then analyzed and optimized. After that, comparative simulation shows that GDClustream performs better than both the Denstream and Dstream algorithms in terms of clustering quality.

Keywords/Search Tags:Intrusion detection, Clustering analysis, Data stream, DBSCAN, Grid, Density