引用本文: | 梁铁柱,李建成,王晔.一种应用聚类技术检测网络入侵的新方法.[J].国防科技大学学报,2002,24(2):59-63.[点击复制] |
LIANG Tiezhu,LI Jiancheng,WANG Ye.A Novel Clustering-Based Method to Network Intrusion Detection[J].Journal of National University of Defense Technology,2002,24(2):59-63[点击复制] |
|
|
|
本文已被:浏览 6819次 下载 6640次 |
一种应用聚类技术检测网络入侵的新方法 |
梁铁柱1,2, 李建成3, 王晔1,2 |
(1.解放军理工大学通信工程学院,江苏 南京 210016;2.总参61所,北京 100039;3.国防科技大学训练部,湖南 长沙 410073)
|
摘要: |
基于聚类技术提出了一种能处理不带标识且含异常数据样本的训练集数据的网络入侵检测方法。对网络连接数据作归一化处理后,通过比较数据样本间距离与类宽度W的关系进行数据类质心的自动搜索,并通过计算样本数据与各类质心的最小距离来对各样本数据进行类划分,同时根据各类中的样本数据动态调整类质心,使之更好地反映原始数据分布。完成样本数据的类划分后,根据正常类比例N来确定异常数据类别并用于网络连接数据的实时检测。结果表明,该方法有效地以较低的系统误警率从网络连接数据中检测出新的入侵行为,更降低了对训练数据集的要求。 |
关键词: 聚类 入侵检测 检测率 误警率 |
DOI: |
投稿日期:2001-11-27 |
基金项目:国家“九七三”重点基础研究发展规划资助(G19980305084) |
|
A Novel Clustering-Based Method to Network Intrusion Detection |
LIANG Tiezhu1,2, LI Jiancheng3, WANG Ye1,2 |
(1.School of Communication Engineering, PLA Univ. of Science and Technology, Nanjing 210016, China;2.The 61st Research Institute, General Staff, Beijing 100039, China;3.Training Department, National Univ. of Defense Technology, Changsha 410073, China)
|
Abstract: |
Researchers have developed two general categories of intrusion detection, i.e. misuse detection and anomaly detection, which differ at model construction. Signature-based misuse detection, which can detect the well-known attacks, will do nothing when new attack comes. Even traditional anomaly detection can catch some new attacks, the learning process overly relying on the training data sets which contain either purely clean normal data or correctly labeled data makes it useless in most cases. To solve such a problem, a novel clustering based method, capable of proces sing training data sets without type label and/or containing unknown intrusion data, is presented in this paper. After the normalization of network connection data, cluster centroids which is null at first can be obtained gradually and automatically through comparing the distance between data instances and the predefined cluster width , and each data instance can be then classified into the cluster which has the minimum distance with it. To ensure that the clusters can best represent the data distribution, cluster centroids also can be dynamically adjusted according to data instances contained in this cluster. With the classified data instances, the anomaly data clusters can be easily identified using normal cluster ratio , therefore performing the real-time detecting of each real network connection datum. Experiment result shows that this method can not only detect some new attacks, from network connection data sets, with low false positive rate, but also tolerate more general data sets. |
Keywords: clustering intrusion detection detection rate false positive rate |
|
|
|
|
|