With the development of computer network technologies, new attack scenarios give rise to new characteristics in network traffic. Traditional intrusion detection systems (IDSs) have a number of drawbacks: (1) unsatisfactory performance, such as a low detection rate for unknown network attacks, a high error rate and high resource consumption; (2) too much human interaction, caused by insufficient analysis of attack data; and (3) weak defence against script attacks. Data mining methods are now widely applied to both anomaly detection and misuse detection in intrusion detection. Both approaches, and misuse detection in particular, require the construction of a large number of decision rules and/or attributes, and rules and attributes constructed by human experts cannot keep up with the demands of real applications. Moreover, most existing products and models are effective against known attacks but ineffective against unknown ones. Automatic construction of the rule library and the attribute library is therefore the basis of an IDS that is extensible and portable. Rough sets based data mining offers a set of mature methods for discovering relationships among the attributes of a data set, including attribute reduction, attribute value reduction and decision rule synthesis. The decision rules obtained have the "IF ... THEN ..." form, which human experts can readily understand.

This thesis is devoted to Rough sets based classification applied to intrusion detection. First, the basic concepts of Rough sets and existing intrusion detection methods are surveyed, and a number of existing attribute reduction algorithms are analysed and compared. Then a hybrid method based on information entropy, the discernibility matrix and a weight vector is proposed. Finally, the performance of the proposed method is tested on part of the KDD Cup 99 data set.
Experimental results show that the proposed method achieves a high detection rate and a low error rate on DoS and Probe attacks, and a satisfactory detection rate on U2R and R2L attacks.
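As an added illustration (not code from the thesis), the following Python script runs the Rough sets building blocks the abstract names, discernibility matrix, core, entropy-guided attribute reduction and "IF ... THEN ..." rule synthesis, on a constructed six-record decision table with KDD Cup 99-style discretized attributes. The attribute names and values, the greedy conditional-entropy heuristic and the cross-check against the discernibility matrix are assumptions for illustration; the thesis's own hybrid method with its weight vector is not reproduced here.

```python
from collections import Counter, defaultdict
from math import log2

# Constructed toy decision table: six discretized connection records in the
# spirit of KDD Cup 99 features (attribute names and values are assumptions
# for illustration, not real data). 'label' is the decision attribute.
CONDITION_ATTRS = ("protocol", "service", "flag", "count")
DECISION = "label"
TABLE = [
    {"protocol": "tcp",  "service": "http",     "flag": "SF",  "count": "low",  "label": "normal"},
    {"protocol": "tcp",  "service": "http",     "flag": "S0",  "count": "high", "label": "dos"},
    {"protocol": "icmp", "service": "ecr_i",    "flag": "SF",  "count": "high", "label": "dos"},
    {"protocol": "tcp",  "service": "private",  "flag": "REJ", "count": "high", "label": "probe"},
    {"protocol": "udp",  "service": "domain_u", "flag": "SF",  "count": "low",  "label": "normal"},
    {"protocol": "tcp",  "service": "private",  "flag": "S0",  "count": "high", "label": "dos"},
]

def ordered(subset, attrs):
    """Attributes of `subset` in the table's column order (keeps output stable)."""
    return tuple(a for a in attrs if a in subset)

def discernibility_matrix(table, attrs, decision):
    """Map each pair of rows with different decisions to the set of condition
    attributes on which the two rows differ."""
    matrix = {}
    for i in range(len(table)):
        for j in range(i + 1, len(table)):
            if table[i][decision] != table[j][decision]:
                matrix[(i, j)] = frozenset(a for a in attrs if table[i][a] != table[j][a])
    return matrix

def core(matrix):
    """Singleton entries name indispensable attributes: nothing else separates that pair."""
    return frozenset(next(iter(e)) for e in matrix.values() if len(e) == 1)

def conditional_entropy(table, attrs, decision):
    """H(D | B): decision entropy averaged over the equivalence classes of B."""
    blocks = defaultdict(list)
    for row in table:
        blocks[tuple(row[a] for a in attrs)].append(row[decision])
    n, h = len(table), 0.0
    for labels in blocks.values():
        size = len(labels)
        h -= (size / n) * sum((c / size) * log2(c / size) for c in Counter(labels).values())
    return h

def hits_every_entry(matrix, attrs):
    """B discerns every decision-different pair iff it meets every matrix entry."""
    b = set(attrs)
    return all(entry & b for entry in matrix.values())

def entropy_reduct(table, attrs, decision):
    """Greedy reduct: start from the core, add the attribute that lowers H(D | B)
    most until B is as informative as all attributes, then prune attributes
    whose removal leaves H(D | B) unchanged."""
    matrix = discernibility_matrix(table, attrs, decision)
    target = conditional_entropy(table, attrs, decision)
    chosen, eps = set(core(matrix)), 1e-12
    while conditional_entropy(table, ordered(chosen, attrs), decision) > target + eps:
        best = min((a for a in attrs if a not in chosen),
                   key=lambda a: conditional_entropy(table, ordered(chosen | {a}, attrs), decision))
        chosen.add(best)
    for a in attrs:
        trial = chosen - {a}
        if trial and a in chosen and conditional_entropy(table, ordered(trial, attrs), decision) <= target + eps:
            chosen = trial
    reduct = ordered(chosen, attrs)
    # On an inconsistent table an entropy-preserving subset may still fail to
    # discern some pair, so cross-check against the discernibility matrix.
    if not hits_every_entry(matrix, reduct):
        raise ValueError(f"{reduct} does not discern every pair")
    return reduct

def synthesize_rules(table, reduct, decision):
    """One IF ... THEN rule per reduct-equivalence class: support is the number of
    matched rows, confidence the share carrying the majority decision."""
    blocks = defaultdict(list)
    for row in table:
        blocks[tuple(row[a] for a in reduct)].append(row[decision])
    rules = []
    for values, labels in blocks.items():
        label, count = Counter(labels).most_common(1)[0]
        rules.append({"if": dict(zip(reduct, values)), "then": label,
                      "support": len(labels), "confidence": count / len(labels)})
    return rules

def classify(rules, record):
    """Fire the first rule the record satisfies; None when no rule covers it."""
    for rule in rules:
        if all(record.get(a) == v for a, v in rule["if"].items()):
            return rule["then"]
    return None

if __name__ == "__main__":
    reduct = entropy_reduct(TABLE, CONDITION_ATTRS, DECISION)
    print("reduct:", reduct)
    for r in synthesize_rules(TABLE, reduct, DECISION):
        cond = " AND ".join(f"{a}={v}" for a, v in r["if"].items())
        print(f"IF {cond} THEN {DECISION}={r['then']}  (support={r['support']}, confidence={r['confidence']:.2f})")
```

On this table the core is {flag} (it is the only attribute separating the REJ probe record from the S0 DoS record that agrees with it elsewhere), and the reduct {protocol, flag} drops two of the four attributes while still yielding certain rules, because the toy table is consistent. On real KDD Cup 99 slices, records that agree on the reduct but carry different labels produce possible rules with confidence below 1, and an entropy-preserving subset is not guaranteed to meet every discernibility-matrix entry, which is why the code verifies the reduct against the matrix before synthesizing rules; a record that no rule covers is returned as None rather than forced into a class.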