LIN Hui,ZHU Jun-ping

2009-01-01

Abstract:On the base of discussing the basic concepts and characters of clone clustering, the advantage of IDS is explored based on clone clustering. According to the medium and small enterprise actual demand, the clone clustering algorithm is mainly presented, the intrusion detection system CCIDS (clone clustering based intrusion detection system) based on CC algorithm is designed and imple-mented. the experimental results using KDD CUP99 dataset show that this algorithm can achieve higher detection rate of known or unknown attacks and lower false positive rate.

ZHONG Jiang,WU Kai-Gui,WU Zhong-Fu,LI Ji,OU Ling

2005-01-01

Computer Science

Abstract:Traditional intrusion detection methods lack extensibility in face of changing network configurations as well as adaptability in face of unknown attack types. Meanwhile, current machine-learning algorithms need labeled data for training first, so they are computational expensive and somethaes misled by artificial data. In this paper, a new detection algorithm, the Intrusion Detection Based on Immune Clustering algorithm, is proposed. It can automatically establish clusters and detect intruders by compute the outlier factor of each data item. Computer simulations show that this algorithm is effective for intrusion detection.

ZHONG Jiang,FENG Yong,LI Zhi-guo,YE Chun-xiao

DOI: https://doi.org/10.3969/j.issn.1000-582x.2007.07.024

2007-01-01

Abstract:The distribution properties of the normally data and anomaly data in the network connectivity features have huge differences;therefore,there exist the low rate of detection and false positive rate problem for the traditional classifier which is applied to the network intrusion detection.An adaptive classifier based on the artificial immune cluster is presented.The new classifier adopts multi-granularities idea and it effectively eliminates the inconsistency between the classification algorithm and the clustering algorithm.Through the classification of the data sets in real variety of network intrusion data sets,experimental results show that the classifier has high detection rate and low false positive rate;it has better classification performance and generalization ability than RBF and BP classifiers.

Liu Fang,Qu Bo,Chen Rongsheng

DOI: https://doi.org/10.1007/978-3-540-30549-1_127

2004-01-01

Abstract:Immune clone selection algorithm is a new intelligent algorithm which can effectively overcome the prematurity and slow convergence speed of traditional evolution algorithm because of the clonal selection strategy and clonal mutation strategy. We apply the immune clonal selection algorithm to the process of modeling normal behavior. We compare our algorithm with the algorithm which applies the genetic algorithm to intrusion detection and applies the negative selection algorithm of the artificial immune system to intrusion detection in the dataset kddcup99. The experiment results have shown that the rule set obtained by our algorithm can detect unknown attack behavior effectively and have higher detection rate and lower false positive rate.

Cheng Zhong,Na Li

DOI: https://doi.org/10.1109/paciia.2008.256

2008-01-01

Abstract:A computing cluster radius method is given, and the data is partitioned into initial clusters by comparing the distance from data to cluster centroid with the size of cluster radius. To implement clustering analysis about data with mixed attributes, namely numerical attributes and categorical attributes, the definitions of distance measure and objective function are improved. By applying clonal selection algorithm to optimize the clustering results, the problems such as computing dissimilarity for data with mixed attributes and finally unknown cluster number and easy to fall into local optimization are solved, and better clustering results are obtained. The experiment results show that the presented incremental clustering algorithm for intrusion detection can achieve high detection rate and low false positive rate.

Guowei Wu,Lin Yao,Kai Yao

DOI: https://doi.org/10.1109/ICIA.2006.305969

2007-01-01

Abstract:In this paper, we introduce an adaptive clustering algorithm for intrusion detection based on wavecluster which was introduced by Gholamhosein in 1999 and used with success in image processing. Because of the non-stationary characteristic of network traffic, we extend and develop an adaptive wavecluster algorithm for intrusion detection. Using the multiresolution property of wavelet transforms, we can effectively identify arbitrarily shaped clusters at different scales and degrees of detail, moreover, applying wavelet transform removes the noise from the original feature space and make more accurate cluster found. Experimental results on KDD-99 intrusion detection dataset show the efficiency and accuracy of this algorithm. A detection rate above 96% and a false alarm rate below 3% are achieved. The time complexity of the adaptive wavecluster algorithm is O(N) ,which is comparatively low than other algorithm

CHENG Meng-ju,ZHAO Long,TAO Hong-bo,ZHAO Cheng-lin

DOI: https://doi.org/10.3969/j.issn.1003-3106.2013.11.002

2013-01-01

Radio Engineering

Abstract:In order to address the issue in intrusion detection approaches based on unsupervised clustering that clustering centers and number have to be pre-defined,this paper proposes an intrusion detection approach based on affinity propagation clustering. This approach regards each data point as potential clustering center to equally and automatically determine final clustering centers and number by updating messages exchanged between data points,and can obtain accurate clustering result. The proposed approach is proved to be feasible by the experiment implemented on KDD CUP99 dataset,and the result of experiment shows that this approach can effectively improve detection rate comparing to traditional clustering approaches.

YG Liu,KF Chen,XF Liao,W Zhang

DOI: https://doi.org/10.1016/j.patcog.2003.09.011

IF: 8

2004-01-01

Pattern Recognition

Abstract:Traditional intrusion detection methods lack extensibility in face of changing network configurations as well as adaptability in face of unknown attack types. Meanwhile, current machine-learning algorithms need labeled data for training first, so they are computational expensive and sometimes misled by artificial data. In this paper, a new detection algorithm, the Intrusion Detection Based on Genetic Clustering (IDBGC) algorithm, is proposed. It can automatically establish clusters and detect intruders by labeling normal and abnormal groups. Computer simulations show that this algorithm is effective for intrusion detection.

Liang Hu,Wei-wu Ren,Fei Ren

DOI: https://doi.org/10.1109/icise.2009.225

2009-01-01

Abstract:Traditional anomaly detection methods lack adaptive captivity in complex and heterogeneous network. Especially while facing high noise environments or the situation of updating profiles not in time, intrusion detection systems will have high false alarm rate. In this paper, a new anomaly detection algorithm based on hierarchical clustering, called ADBHC, is proposed. ADBHC generates clusters using density-based partitioning method which has less computational cost. It uses the improved hierarchical clustering tree to implement fast scalable and adaptive anomaly detection. The improved hierarchical clustering tree supports updating profiles at any time. We extend the clustering algorithm and apply branch and bound mechanism for filtering noise. With the help of two advantages: filtering noise and updating profiles at any time, our algorithm is effective enough to meet adaptive requirements. A series of experiment results on well known KDD Cup 1999 dataset indicate that ADBHC has low false alarm rate, high detection rate and a certain adaptive captivity in the progress of self-updating.

Li Liu,Pengyuan Wan,Yingmei Wang,Songtao Liu

DOI: https://doi.org/10.11591/telkomnika.v12i1.3353

2014-01-01

Abstract:Ad hoc networks face serious security threat due to its inherent weaknesses. Intrusion detection is crucial technology in protecting the security of Ad hoc networks. Recently, Intrusion Detection Systems (IDS) face open issues, such as how to make use of intrusion detection technologies to excavate normal/abnormal behaviors from a lot of initialized data and dig out invasion models later for intrusion detection automatically and effectively. In this paper, we propose an enhanced algorithm combined improved clustering algorithm with Hybrid Genetic Algorithm (HGA), called Enhanced Intrusion Detection Algorithm (EIDA) for intrusion detection in Ad hoc networks. Clustering Algorithm is used to divide the normal/anomalous data from network and system behaviors. Then HGA is used to dig out the invasion rules. Our EIDA is an unsupervised anomaly detection algorithm. The experiment result shows that it is extensible and not sensitive to the sequence of the input data sets. It has the capacity to deal with different types of data and detection rate and false positive rate of intrusion detection has been improved effectively. DOI : http://dx.doi.org/10.11591/telkomnika.v12i1.3353

Hongwei Gao,Dingju Zhu,Xiaomin Wang

DOI: https://doi.org/10.1109/DCABES.2010.98

2010-01-01

Abstract:Clustering analysis is a common unsupervised anomaly detection method, and often used in Intrusion Detection System (IDS), which is an important component in the network security. The single cluster algorithm is difficult to get the great effective detection, and then a new cluster algorithm based on evidence accumulation is born. The IDS with clustering ensemble has a low false positive rate and high detection rate, however, the IDS is slow to detect the mass data stream, and it can not detect the attacks in time. This paper presents a parallel clustering ensemble algorithm to improve the speed and the effective of the system. Finally, the KDDCUP99 data set is used to test the system show that the IDS have greatly improvement in time and efficiency.

HU Liang,REN Wei-wu,REN Fei,LIU Xiao-bo,JIN Gang

DOI: https://doi.org/10.3321/j.issn:1671-5489.2009.05.021

2009-01-01

Abstract:This paper proposes an Anomaly Detection algorithm based on Improved Density Clustering(ADIDC).The improved algorithm adopts clustering features separately on individual characteristic arranges and weighting features by the correlativity between the features and the normal profile.It can solve the frequent problem of the high false positive rate on clustering in the application of anomaly detection.A series of experiments on well known KDD Cup 1999 dataset demonstrates that it has a lower false positive rate,especially ensuring high detection rate with respect to the traditional anomaly detection methods.The detection of the special attack which resembles the normal act is obviously improved.In addtion,the detection performace can be further optimized by feature selection via feature weights.It makes the proposed algorithm more suitable for the real-time detection.

Tieshan Zhao,Zengzhi Li,Zemin Wang,Xiaofen Lin

DOI: https://doi.org/10.1109/isda.2006.253760

2006-01-01

Abstract:Intrusion detection systems' adaptability and diversity have been researched for long time. With the development of computer immunology, the dynamic clonal selection algorithm is tried to solve the problem. Based on some improved dynamic clonal selection algorithms, an adaptive intrusion detection algorithm is presented in this paper. According to the algorithm, an intrusion detection system is composed of a self-body antigen set, a memorial immunocyte set, a mature immunocyte set and an immature immunocyte set. An immature immunocyte grows into a mature one if it goes through self-tolerance. A mature immunocyte grows into a memorial one if it matches enough non-self-body antigens in limited time and it goes through co-stimulation. A memorial immunocyte doesn't die until it can't go through co-stimulation. Immature immunocytes are generated with clone and hypermutation methods when necessary. The self-body antigen set is renewed during above co-stimulation. Simulation experiments prove that the algorithm have good adaptability and diversity

Yong Feng,Jiang Zhong,Chun-Xiao Ye,Zhong-Yang Xiong,Zhong-Fu Wu

2006-01-01

Abstract:Due to the fact that it is more and more improbable to a system administrator to recognize and manually intervene to stop an attack, there is an increasing recognition that ID systems should have a lot to earn on following its basic principles on the behavior of complex natural systems, namely in what refers to self-organization, allowing for a real distributed and collective perception of this phenomena. A clustering model based on Self-Organizing Ant Colony Networks (CSOACN) is systematically proposed for intrusion detection system. The basic idea of CSOACN is to produce the cluster by our enhanced ant colony clustering algorithm. With the classified data instances, the detection classifier can be established. And then the detection classifier can be used in real intrusion detection. Instead of using the linear segmentation function of the CSI model and the complex probability conversion function of the LF model, here we propose to use a simple nonlinear probability conversion function in our enhanced ant colony clustering and can help to solve linearly inseparable problems of CSI and slow convergence speed of LF. Using a set of benchmark data from 1998 DARPA, we demonstrate that the efficiency and accuracy of CSOACN-based classifier.

HU Yan-wei,QIN Zheng,ZHANG Zhong-zhi

2010-01-01

Computer Science

Abstract:Intrusion detection algorithms based on K-mean clustering have sensitive dependence on initial value and are easy to fall into local extremum.To solve this issue,a new intrusion detection scheme was presented by combing Simulated Annealing and K-mean clustering.The proposed algorithm uses SA to optimize the clustering pattern in the clustering analysis.It can achieve global optimization and better accuracy of the intrusion detection system.Moreover,parallelism of SA greatly quickened the convergence rate.Experiments were completed on KDD Cup 1999,and the results show that presented scheme has lower time consume,false positive rate,and false negative rate compared with intrusion detection systems based on K-mean clustering.

Li MA,Li-cheng JIAO,Lin BAI,Chang-guo CHEN

DOI: https://doi.org/10.1016/s1005-8885(08)60117-x

2008-01-01

Abstract:Being characteristic of non-teacher learning, self-organization, memory, and noise resistance, the artificial immune system is a research focus in the field of intelligent information processing. Based on the basic principles of organism immune and clonal selection, this article presents a polyclonal clustering algorithm characteristic of self-adaptation. According to the core idea of the algorithm, various immune operators in the artificial immune system are employed in the clustering process; moreover, clustering numbers are adjusted in accordance with the affinity function. Introduction of the recombination operator can effectively enhance the diversity of the individual antibody in a generation population, so that the searching scope for solutions is enlarged and the premature phenomenon of the algorithm is avoided. Besides, introduction of the inconsistent mutation operator enhances the adaptability and optimizes the performance of local solution seeking. Meanwhile, the convergence of the algorithm is accelerated. In addition, the article also proves the convergence of the algorithm by employing the Markov chain. Results of the data simulation experiment show that the algorithm is capable of obtaining reasonable and effective cluster.

Y Feng,KG Wu,ZF Wu,J Zhong,H Li

DOI: https://doi.org/10.1142/9789812701534_0110

2005-01-01

Abstract:A clustering algorithm based on swarm intelligence is systematically proposed for anomaly intrusion detection. The basic idea of our approach is to produce the cluster by swarm intelligence-based clustering. Instead of using the linear segmentation function of the CSI model, here we propose to use a nonlinear probability conversion function and can help to solve linearly inseparable problems. With the classified data instances, anomaly data clusters can be easily identified by normal cluster ratio. And then the identified cluster can be used in real data detection. In the traditional clustering-based intrusion detection algorithms, clustering using a simple distance-based metric and detection based on the centers of clusters, which generally degrade detection accuracy and efficiency. Our approach can settle these problems effectively. The experiment result shows that out approach can detect unknown intrusions efficiently in the real network connections.

Xuekun Zhang,Jing An,Yongbin Wang,Wen Liu

DOI: https://doi.org/10.1109/icis.2017.7960066

2017-01-01

Abstract:At present, most of the key algorithms of the existing intrusion detection system adopt simple matching technology, only detect the known attack and the false positive and false negative rate is high. The immune cloning algorithm is a search algorithm for iterative process with generating and detecting. In the iterative process, immune cloning algorithm, under the premise of reserving the best individuals of the previous generation, is a global convergence[1]. After further research and improvement based on the operation mechanism and principle of the immune-based intrusion detection system, immune cloning algorithm is applied to the intrusion detection system, which has a very important significance in improving the emergency response capability of the network security system, mitigating the harm of the network attack and enhancing the system's capacity to fight back and so on. This paper, the immune cloning algorithm is used to optimize the detection of the intrusion detection system, use MATLAB software to carry out simulation and obtain the result analysis, and compare with the performance difference of the detector before and after the improvement according to the simulation results.

Noe Elisa,Longzhi Yang,Yanpeng Qu,Fei Chao

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00254

2018-01-01

Abstract:The most daunting and challenging task in intrusion detection is to distinguishing between normal and malicious traffics effectively. In order to complete such a task, the biological danger theory has appeared to be one of the most appealing immunological models which has been converted to a computer science algorithm, named as Dendritic Cell Algorithm (DCA). To perform a binary classification, the DCA goes through four phases, preprocessing, detection, context assessment and classification. In particular, the context assessment phase is performed by comparing the signal concentration values between mature (i.e., abnormality) and semi-mature (i.e., normality) contexts. The conventional DCA requires a crisp separation between semi-mature and mature cumulative context values. This can be hard if the difference between the two contexts is marginal, which negatively affects the classification accuracy. In addition, it is technically difficult to quantify the actual meaning of semi-mature and mature in the DCA. This paper proposes an approach that integrates the K-Means clustering algorithm to the DCA to map the DCA cumulative semi-mature and mature context values into semi-mature (normal) and mature (anomaly) clusters in order to improve the classification accuracy. The KDD99 data set was utilized in this work for system validation and evaluation, and the experimental results revealed an improvement in the classification accuracy by the proposed approach.

Liang Hu, Nurbol,Xiaobo Liu,Kuo Zhao

2010-01-01

Journal of Information and Computational Science

Abstract:This paper proposed a new algorithm based on time stamped hierarchical clustering for intrusion detection. It incrementally clusters incoming data objects of normal behavior, and produces a precise model. Using each clusters time stamp, the algorithm can dynamically remove some expired clusters from the model, and also can produces some new cluster, that makes our clustering method more suitable for real network environment. Experiments with KDDCUP 1999 data set show our algorithm is less sensitive to noise data objects than ADWICE, and has low computer resource consumptions. Copyright © 2010 Binary Information Press.