Journal article

A Novel Clustering-Based Method to Network Intrusion Detection (Chinese title: 一种应用聚类技术检测网络入侵的新方法)

Cited by: 12
Abstract (translated from the Chinese): A clustering-based network intrusion detection method is proposed that can handle training sets that are unlabeled and contain anomalous samples. After the network connection data are normalized, cluster centroids are searched for automatically by comparing the distance between data samples with the cluster width W; each sample is assigned to the cluster whose centroid is at the minimum distance from it, and each centroid is adjusted dynamically according to the samples in its cluster so that it better reflects the original data distribution. Once the samples have been partitioned, the anomalous clusters are identified according to the normal-cluster ratio N and used for real-time detection on network connection data. The results show that the method effectively detects new intrusion behaviour from network connection data with a low false alarm rate, while also lowering the requirements on the training data set.

Abstract (English, as published): Researchers have developed two general categories of intrusion detection, i.e. misuse detection and anomaly detection, which differ in how the model is constructed. Signature-based misuse detection can detect well-known attacks but does nothing when a new attack comes. Even though traditional anomaly detection can catch some new attacks, its learning process relies heavily on training data sets that contain either purely clean normal data or correctly labeled data, which makes it useless in most cases. To solve this problem, a novel clustering-based method, capable of processing training data sets without type labels and/or containing unknown intrusion data, is presented in this paper. After the normalization of network connection data, cluster centroids, of which there are none at first, are obtained gradually and automatically by comparing the distance between data instances with the predefined cluster width, and each data instance is then classified into the cluster that has the minimum distance to it. To ensure that the clusters best represent the data distribution, cluster centroids are also adjusted dynamically according to the data instances contained in each cluster. With the classified data instances, the anomalous data clusters can be easily identified using the normal cluster ratio, which then allows real-time detection of each real network connection datum. Experimental results show that this method can not only detect some new attacks from network connection data sets with a low false positive rate, but also tolerate more general data sets.
Source: 《国防科技大学学报》 (Journal of National University of Defense Technology), 2002, No. 2, pp. 59-63 (5 pages); indexed in EI, CAS, CSCD and the Peking University core journal list.
Funding: National "973" Key Basic Research Development Program (grant G1998030584).
Keywords (Chinese, translated): intrusion detection; detection rate; false alarm rate; network security; cluster analysis. Keywords (English): clustering; intrusion detection; detection rate; false positive rate.
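The training and detection procedure summarised in the abstract, as an added Python example that is not from the paper. It assumes per-feature min-max normalization and Euclidean distance, and reads the "normal cluster ratio N" as the fraction of records that the largest clusters must cover to be labelled normal; the connection records are constructed.

```python
import math
# Constructed records (duration, src_bytes, dst_bytes), not from the paper: two dense
# groups of ordinary traffic plus one outlier standing in for an unlabeled intrusion.
TRAIN = [(1, 100, 60), (1, 110, 55), (2, 105, 58), (0, 1000, 500), (1, 95, 62),
         (2, 100, 60), (1, 102, 57), (8, 900, 450), (8, 910, 440), (9, 905, 455)]
def fit_scaler(rows):
    """Per-feature min-max bounds for scaling to [0, 1] (assumed; paper only says 'normalized')."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    return lo, [(max(c) - l) or 1.0 for c, l in zip(cols, lo)]
def scale(row, lo, span):
    return [(v - l) / s for v, l, s in zip(row, lo, span)]
def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
def cluster(rows, W):
    """Single pass: join the nearest centroid if within width W (centroid follows the
    running mean of its members), otherwise seed a new cluster with this record."""
    centroids, counts = [], []
    for r in rows:
        if centroids:
            i = min(range(len(centroids)), key=lambda k: dist(r, centroids[k]))
            if dist(r, centroids[i]) <= W:
                n = counts[i] + 1
                centroids[i] = [(c * counts[i] + x) / n for c, x in zip(centroids[i], r)]
                counts[i] = n
                continue
        centroids.append(list(r))
        counts.append(1)
    return centroids, counts

def label_clusters(counts, N):
    """Largest clusters are normal until they cover fraction N of records; the rest are anomalous."""
    total, covered, labels = sum(counts), 0, ["anomaly"] * len(counts)
    for i in sorted(range(len(counts)), key=lambda k: -counts[k]):
        if covered >= N * total:
            break
        labels[i], covered = "normal", covered + counts[i]
    return labels

def train(rows, W, N):
    lo, span = fit_scaler(rows)
    centroids, counts = cluster([scale(r, lo, span) for r in rows], W)
    return {"lo": lo, "span": span, "centroids": centroids,
            "counts": counts, "labels": label_clusters(counts, N)}

def detect(model, row):
    # Real-time check: a new connection takes the label of its nearest centroid.
    x = scale(row, model["lo"], model["span"])
    i = min(range(len(model["centroids"])), key=lambda k: dist(x, model["centroids"][k]))
    return model["labels"][i]
```

With W=0.3 and N=0.9 the ten constructed records form three clusters of sizes 6, 1 and 3, and only the singleton is flagged as anomalous; lowering N to 0.5 also flags the three-record cluster, which is the trade-off between detection rate and false alarm rate that the abstract describes.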