Research On Clustering Algorithms For Intrusion Detection

Posted on: 2005-04-12
Degree: Master
Type: Thesis
Country: China
Candidate: S Su
GTID: 2168360152469228
Subject: Computer application technology

Abstract/Summary:
As network security problems grow more severe, using data mining-based intrusion detection systems to find intrusion activities efficiently and quickly has become important to the security of system and network resources. Traditional data mining technologies need to build the intrusion detection model on a labeled data set. The data set is labeled entirely by hand, and if the labels contain errors, the efficiency of the intrusion detection system is affected. Unsupervised anomaly detection methods can detect anomalous records in an unlabeled data set. They overcome this shortcoming of traditional data mining methods and automate the labeling and the creation of the intrusion detection model, and they have become a useful tool for intrusion detection. Clustering is a representative unsupervised anomaly detection method.

To improve the efficiency of clustering algorithms used in intrusion detection and to let them handle the large data sets of intrusion detection efficiently, a clustering algorithm named KnnCT is devised. The algorithm has two steps. First, a clustering algorithm clusters the data set according to the clustering width, and the clusters are then sorted by the number of records they contain. The records in the clusters that contain fewer records are used to build the candidate set of anomalous records. Second, the k-nearest neighbors algorithm is used to find the anomalous records in the candidate set. By using a threshold and reading the data in blocks, computing the sum of most normal records and their k nearest neighbors is avoided. The threshold is defined as the minimum sum of the current anomaly records and their k nearest neighbors.

The algorithm can be used to automate the creation of training and testing data sets for other data mining algorithms. It can also be used for analyzing data, building intrusion detection system models and detecting intrusions in time. Experiments on the KDD Cup 1999 dataset validate the algorithm's improvement in execution time and detection efficiency. It can be applied in intrusion detection systems efficiently.
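
The two steps described in the abstract, as an added Python example that is not the thesis's own code. It assumes Euclidean distance, single-pass fixed-width clustering, an anomaly score equal to the sum of distances to the k nearest neighbours, and a hypothetical `candidate_fraction` cut-off; the function names are illustrative, block-wise reading is left out, and the sample points are constructed.

```python
import heapq
import math

def fixed_width_clusters(data, width):
    """One pass: a record joins the nearest center within `width`, else it seeds a new cluster."""
    centers, members = [], []
    for i, x in enumerate(data):
        best = min(range(len(centers)), key=lambda c: math.dist(x, centers[c]), default=None)
        if best is not None and math.dist(x, centers[best]) <= width:
            members[best].append(i)
        else:
            centers.append(x)
            members.append([i])
    return members

def detect_anomalies(data, width, k, n_anomalies, candidate_fraction=0.2):
    """Return (top anomalies as (score, index), number of candidates pruned early)."""
    # Step 1: records of the smallest clusters become the candidate set.
    budget = max(n_anomalies, int(candidate_fraction * len(data)))  # assumed cut-off rule
    candidates = []
    for cluster in sorted(fixed_width_clusters(data, width), key=len):
        if len(candidates) >= budget:
            break
        candidates.extend(cluster)
    # Step 2: score each candidate by the sum of distances to its k nearest neighbours.
    top, pruned = [], 0  # top is a min-heap, so top[0][0] is the current threshold
    for i in candidates:
        threshold = top[0][0] if len(top) == n_anomalies else 0.0
        nearest = []  # negated distances: a max-heap of the k smallest seen so far
        for j, y in enumerate(data):
            if j == i:
                continue
            d = math.dist(data[i], y)
            if len(nearest) < k:
                heapq.heappush(nearest, -d)
            elif d < -nearest[0]:
                heapq.heapreplace(nearest, -d)
            # The running k-NN sum can only shrink; once below the threshold it cannot recover.
            if len(nearest) == k and -sum(nearest) < threshold:
                pruned += 1
                break
        else:  # full scan completed without pruning: the score is exact
            entry = (-sum(nearest), i)
            if len(top) < n_anomalies:
                heapq.heappush(top, entry)
            else:
                heapq.heappushpop(top, entry)
    return sorted(top, reverse=True), pruned

# Constructed sample: 100 grid points as "normal" records plus three isolated records.
DATA = [(x / 10, y / 10) for x in range(10) for y in range(10)]
DATA += [(5.0, 5.0), (-4.0, 3.0), (8.0, -2.0)]
```

Calling `detect_anomalies(DATA, width=1.0, k=5, n_anomalies=3)` returns the three isolated records, and the pruned count shows how many candidates from the dense region were abandoned after only a few distance computations.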
Keywords/Search Tags: intrusion detection, data mining, unsupervised anomaly detection, clustering