Adaptive Intrusion Detection System Design And Simulation Based On Data Mining

Posted on: 2019-03-03
Degree: Master
Type: Thesis
Country: China
Candidate: X Su
GTID: 2428330545470005
Subject: Computer Science and Technology

Abstract/Summary:
In intrusion detection, the question of how to choose the right detection technology has attracted many researchers. Misuse detection works well against common attacks, while anomaly detection provides the ability to detect unknown attacks. In practice, however, both methods still have problems: misuse detection cannot detect new attacks, and anomaly detection affects system performance. To solve these problems, an intrusion detection system must not only be able to detect unknown attacks but also select its detection strategy dynamically as the environment changes. An adaptive method that selects intrusion detection strategies based on environmental changes is therefore the key to intrusion detection design. This paper quantitatively analyzes the current security situation of the environment and predicts the future security situation in order to select the detection strategy dynamically, and uses data mining for anomaly detection. The research work and major results are as follows:

(1) A method for constructing an adaptive space is proposed. The adaptive space is divided into a state space and a strategy space. When constructing the state space, a simple weighting method is used to assess the security situation. Grey theory is then used to predict the future security situation value when the samples show no regular distribution. The predicted value is compared with a threshold to select a detection strategy from the strategy space, so that the intrusion detection strategy is selected adaptively as the environment changes. This method quantifies and analyzes the potential security situation through expressions and predicts the future security situation, which makes it possible to detect some intrusions faster.

(2) The isolation forest algorithm is applied to intrusion detection, and rough sets are used to extract key attributes, which addresses the algorithm's insufficient effectiveness on high-dimensional intrusion data. The isolation forest algorithm is built on the idea of "random segmentation": because anomalous data is far rarer than normal data, the anomalous data can be segmented off first. The algorithm's low memory requirement and linear time complexity also make it suitable for real-time intrusion detection. Rough set attribute reduction removes redundant attributes and retains the important attributes that affect the results, which reduces the data dimension. Combining the two methods identifies abnormal data better and makes it possible to detect unknown attacks.

(3) The spectral clustering algorithm is applied to intrusion detection, and its similarity matrix is improved. Noise data appearing in intrusion detection is handled with an outlier detection method based on angle sum. Spectral clustering can process data of any shape and is insensitive to the order of the input data, so it is suitable for intrusion detection. After clustering, normal and abnormal classes can be distinguished because the number of normal data classes is much larger than the number of abnormal ones.
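The adaptive space of point (1), as an added example that is not taken from the thesis: a weighted situation value per observation, a one-step grey forecast, and a threshold that picks the strategy. It assumes the GM(1,1) grey model (the abstract says only "grey theory"); the indicator names, weights, threshold and the mapping from predicted value to strategy are constructed for illustration.

```python
import math

# Constructed values: the abstract gives no indicators, weights or threshold.
WEIGHTS = {"alert_rate": 0.5, "failed_logins": 0.3, "new_hosts": 0.2}
THRESHOLD = 0.6

def situation_value(indicators):
    """State space: simple weighted sum of indicators scaled to [0, 1]."""
    return sum(w * indicators[name] for name, w in WEIGHTS.items())

def gm11_forecast(series):
    """One-step-ahead forecast from the GM(1,1) grey model (assumed model)."""
    if len(series) < 4 or min(series) <= 0:
        raise ValueError("GM(1,1) needs at least 4 positive samples")
    x1, total = [], 0.0
    for v in series:                       # accumulated generating series
        total += v
        x1.append(total)
    # Fit x0[k] = a * u[k] + b by least squares, u[k] = -mean(x1[k], x1[k-1]).
    u = [-0.5 * (x1[k] + x1[k - 1]) for k in range(1, len(series))]
    y = series[1:]
    m, su, sy = len(u), sum(u), sum(y)
    suu = sum(p * p for p in u)
    suy = sum(p * q for p, q in zip(u, y))
    a = (m * suy - su * sy) / (m * suu - su * su)
    b = (sy - a * su) / m
    if abs(a) < 1e-9:                      # flat series: avoid dividing by a
        return b
    def x1_hat(k):
        return (series[0] - b / a) * math.exp(-a * k) + b / a
    n = len(series)
    return x1_hat(n) - x1_hat(n - 1)

def select_strategy(history):
    """Strategy space: pick detectors from the predicted situation value."""
    predicted = gm11_forecast([situation_value(h) for h in history])
    # Assumed mapping: costly anomaly detection only when risk is predicted.
    strategy = "misuse+anomaly" if predicted >= THRESHOLD else "misuse"
    return strategy, predicted

def sample(v):
    """Constructed observation with all indicators at the same level v."""
    return {name: v for name in WEIGHTS}

if __name__ == "__main__":
    print(select_strategy([sample(v) for v in (0.2, 0.3, 0.42, 0.55)]))
    print(select_strategy([sample(0.2)] * 5))
```

The rising history crosses the threshold one step before any observed value does, which is the early switch the abstract describes; the flat history exercises the degenerate case where the fitted development coefficient is zero.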
Keywords/Search Tags: intrusion detection, adaptive space, isolated forest, rough set, spectral clustering, discrete point detection