Abstract: Researchers have developed two general categories of intrusion detection, misuse detection and anomaly detection, which differ in how the model is constructed. Signature-based misuse detection can detect well-known attacks but does nothing when a new attack arrives. Although traditional anomaly detection can catch some new attacks, its learning process relies heavily on training data sets that contain either purely clean normal data or correctly labeled data, which makes it useless in most cases. To solve this problem, this paper presents a novel clustering-based method capable of processing training data sets that lack type labels and/or contain unknown intrusion data. After the network connection data are normalized, cluster centroids, of which there are none at first, are obtained gradually and automatically by comparing the distance between data instances against a predefined cluster width, and each data instance is then assigned to the cluster with the minimum distance to it. To ensure that the clusters best represent the data distribution, cluster centroids are also adjusted dynamically according to the data instances contained in each cluster. With the data instances classified, anomalous data clusters can be easily identified using a normal cluster ratio, enabling real-time detection of each real network connection datum. Experimental results show that this method can not only detect some new attacks in network connection data sets with a low false positive rate, but can also tolerate more general data sets.
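The procedure the abstract describes (normalize, grow centroids from nothing using a cluster width, shift centroids to the running mean, label clusters by a normal cluster ratio, then classify live records by nearest centroid), as an added illustration that is not the paper's code. The min-max normalization, Euclidean distance, the rule that a cluster holding at least `normal_ratio` of the training instances is normal, and the sample connection records are all assumptions.

```python
import math

def normalize(rows, stats=None):
    """Min-max scale each column; training stats are reused at detection time (assumed scheme)."""
    if stats is None:
        stats = [(min(c), max(c)) for c in zip(*rows)]
    scaled = [[(v - lo) / (hi - lo) if hi > lo else 0.0
               for v, (lo, hi) in zip(r, stats)] for r in rows]
    return scaled, stats

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def nearest(clusters, x):
    """Index of the closest centroid and its distance; (None, inf) when no clusters exist yet."""
    best, best_d = None, math.inf
    for i, c in enumerate(clusters):
        d = dist(c["centroid"], x)
        if d < best_d:
            best, best_d = i, d
    return best, best_d

def train(rows, width, normal_ratio):
    """Single pass: start with no centroids, open a new cluster whenever the nearest
    centroid is farther than `width`, otherwise assign the instance and move the
    centroid to the running mean of its members."""
    data, stats = normalize(rows)
    clusters = []
    for x in data:
        i, d = nearest(clusters, x)
        if i is None or d > width:
            clusters.append({"centroid": list(x), "size": 1})
        else:
            c = clusters[i]
            c["size"] += 1
            c["centroid"] = [m + (v - m) / c["size"] for m, v in zip(c["centroid"], x)]
    # Normal cluster ratio rule (assumption): clusters holding at least
    # normal_ratio of all training instances are normal, the rest anomalous.
    for c in clusters:
        c["label"] = "normal" if c["size"] / len(data) >= normal_ratio else "anomaly"
    return {"clusters": clusters, "stats": stats}

def detect(model, row):
    """Real-time classification of one connection record by its nearest cluster."""
    [x], _ = normalize([row], model["stats"])
    i, _ = nearest(model["clusters"], x)
    return model["clusters"][i]["label"]

# Constructed sample: (duration, bytes) for eight ordinary connections plus two outliers.
TRAIN = [(1.0, 100), (1.2, 110), (0.9, 95), (1.1, 105), (1.0, 98),
         (1.3, 102), (0.8, 99), (1.1, 101), (60.0, 5000), (58.0, 4900)]
MODEL = train(TRAIN, width=0.3, normal_ratio=0.5)
```

With the constructed data the pass yields two clusters, one of eight records labelled normal and one of two records labelled anomalous, so a later record resembling the outliers is flagged without any label having been supplied in training.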