
A Robust Feature Normalization Scheme and an Optimized Clustering Method for Anomaly-Based Intrusion Detection System



Abstract

The intrusion detection system (IDS) has played a central role as an appliance to effectively defend our crucial computer systems or networks against attackers on the Internet. Traditional IDSs employ signature-based methods or anomaly-based methods which rely on labeled training data. However, they have several problems: for example, acquiring the labeled training data consumes huge amounts of cost and time, and they often experience difficulty in detecting new types of attack. In order to cope with these problems, many researchers have proposed various kinds of algorithms over several years. Although they do not require labeled data for training and have the capability to detect unforeseen attacks, they are based on the assumption that the ratio of attack to normal is extremely small. However, the assumption may not be satisfied in a realistic situation because some attacks, most notably the denial-of-service attacks, consist of a large number of simultaneous connections. Consequently, if the assumption fails, the performance of the algorithm will deteriorate. In this paper, we present a new normalization and clustering method that can overcome a limitation on the attack ratio of the training data. We evaluated our method using the KDD Cup 1999 data set. Evaluation results show that the performance of our approach is constant irrespective of an increase in the attack ratio.

Bibliographic record

  • Source
    《》 | 2007 | pp. 140-151 | 12 pages
  • Conference location: Bangkok (TH)
  • Author affiliations

    Graduate School of Informatics, Kyoto University;

    Academic Center for Computing and Media Studies, Kyoto University;

    Information and Telecom. Eng., Hankuk Aviation University;

  • Conference organizer
  • Original format: PDF
  • Language of text: eng
  • Chinese Library Classification: TP311.13;
  • Keywords
