Research And Implementation Of Network Anomaly Detection Based On Clustering

Posted on: 2018-12-21
Degree: Master
Type: Thesis
Country: China
Candidate: K W Wang
GTID: 2348330518996707
Subject: Computer technology

Abstract/Summary:
With the development of information technology, people are increasingly aware of the importance of network and data security, and any network intrusion or attack is likely to cause serious damage. Developing intrusion detection systems to reduce the impact of attack traffic is therefore the current trend. Traditional feature-based detection has a high detection rate but cannot detect unknown attacks. In contrast, anomaly detection can detect unknown attacks, but its detection rate is relatively low, and most methods train on labeled data, so the accuracy of the labels in the data set cannot be guaranteed. With the increase in attacks and new security challenges, the low accuracy of anomaly detection methods that apply cluster analysis to network traffic is a major problem.

(1) In this thesis, we propose a hybrid anomaly detection method that combines the Particle Swarm Optimization (PSO) and K-means clustering algorithms to improve accuracy. The network traffic anomaly detection method is trained on an unlabeled data set. The characteristic data of the traffic is pre-processed and the characteristics of each attack category are extracted; parallel PSO computation is then used to find the optimal or near-optimal initial clustering points. Finally, the K-means clustering algorithm is run. Experimental results on the KDD CUP 99 data set show the effectiveness of the proposed optimization scheme.

(2) We then use distance-based and density-based methods to analyze the outliers that cannot easily be judged. The sets obtained by the two analysis methods are combined using fuzzy set theory, and the anomaly detection results are divided into normal, low-risk, high-risk and abnormal, adding intermediate levels between normal and abnormal. The validity of the proposed optimization scheme was verified experimentally.

(3) We designed and implemented this anomaly detection system, which is divided into two stages: preprocessing and detection. In the traffic preprocessing stage, we add a flow control module to deal with attacks on the detection system. Tests show that the system can detect abnormal traffic, and that the system's flow control can also intercept attacks on the detection system itself to a certain degree.
Keywords/Search Tags: Intrusion detection, Anomaly detection, Particle swarm optimization, K-means, Clustering analysis