The Improved K-means Algorithm in Intrusion Detection System Research
Abstract
To improve the efficiency of Internet intrusion detection, data mining is adopted in intrusion detection. The paper introduces the concepts of intrusion detection and the K-means algorithm. To address the defect of the K-means algorithm, it proposes an improved K-means algorithm. Experiments show that the improved K-means algorithm achieves a better detection rate.

Introduction

With the rapid development and widespread use of the Internet, people benefit from it, but it has also become the target of many malicious attacks. Internet intrusion detection is an important protection measure for Internet information security: it detects unauthorized or unusual system behaviors and alerts users so that they can guard against them. In this paper, the data mining method is applied to Internet intrusion detection to detect intrusions and provide real-time network security protection.

Intrusion Detection

Definition of Intrusion Detection. Intrusion detection is the process of identifying an attempted invasion, an ongoing invasion, or an invasion that has already taken place. It collects and analyzes information from key points of a computer network or system and responds if breaches of security policy and signs of attack are detected.

Types of Intrusion Detection. According to the source of the test data, intrusion detection systems can be divided into host-based and network-based intrusion detection systems[2]. A host-based intrusion detection system is mainly concerned with detecting users' behavior on the host. A network-based intrusion detection system is mainly concerned with detecting network attacks. According to the detection angle, intrusion detection methods can be divided into anomaly detection and misuse detection[2].
Anomaly detection assumes that an attacker's behavior differs from the normal behavior of users. It builds a model of normal behavior from users' normal behavior and network data, then compares the detected data with the data in the normal behavior model to determine whether it is an attack. Misuse detection works by matching the intrusion to the signatures of known attacks. Most intrusion detection systems today adopt this approach.

With the rapid growth of network information and the unlimited expansion of information storage, how to process and analyze large amounts of data effectively has become the bottleneck of intrusion detection systems. Therefore, network intrusion detection technology must be able to adapt to high-bandwidth, high-load network environments and be equipped with a self-learning ability. Data mining technology has become the first choice for network intrusion detection.

Advanced Engineering Forum, Vol. 1, pp 204-208. Online: 2011-09-09. ISSN: 2234-991X. doi:10.4028/www.scientific.net/AEF.1.204. © 2011 Trans Tech Publications, Switzerland.

K-means Clustering

Data mining is a process of extracting potentially valuable knowledge (models or rules) from large amounts of data. It uses a variety of analysis tools to find the relationships between models and data in mass data, which can then be used to make predictions. Data mining tasks can be divided into two general categories: description and prediction[1]. Descriptive mining tasks characterize the general features of the database, while predictive data mining tasks make predictions on the basis of the existing data.

K-means Clustering Algorithm. The K-means algorithm is a widely used clustering algorithm.
In the K-means algorithm, k is the parameter: n objects are divided into k clusters so that similarity is high within a cluster and low between clusters, thereby classifying the data. The algorithm first randomly selects k objects as the initial cluster centers. Each remaining object is assigned to the nearest cluster according to its distance from the cluster centers. The average of each cluster is then recalculated, and the process repeats until the criterion function converges[1]. The criterion function is Eq. 1:
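The basic K-means procedure described above, applied to connection records, as an added example that is not code from the paper and does not implement its improved variant (which this page does not describe). The feature choice, the sample data, the sum-of-squared-error convergence criterion and the rule that the smallest cluster is the suspect one are all assumptions made for illustration.

```python
import math
import random

# Constructed sample (not from the paper): one tuple per connection,
# (duration_s, kilobytes_sent, failed_logins). Indices 8-10 imitate login guessing.
CONNECTIONS = [
    (0.20, 1.1, 0), (0.30, 0.9, 0), (0.25, 1.3, 0), (0.40, 1.0, 0),
    (0.35, 1.2, 0), (0.30, 1.4, 0), (0.20, 0.8, 0), (0.45, 1.1, 0),
    (5.0, 0.1, 6), (4.5, 0.2, 7), (5.5, 0.1, 5),
]

def dist(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(points, k, seed=0, tol=1e-9, max_iter=100):
    """Basic K-means; returns (labels, centers, sse)."""
    rng = random.Random(seed)
    centers = rng.sample(points, k)      # k random objects as initial centers
    prev_sse = float("inf")
    for _ in range(max_iter):
        # Assign every object to the cluster with the nearest center.
        labels = [min(range(k), key=lambda j: dist(p, centers[j]))
                  for p in points]
        # Recompute each center as the mean of its members.
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:                  # an emptied cluster keeps its center
                centers[j] = tuple(sum(c) / len(members) for c in zip(*members))
        # Assumed criterion: sum of squared distances to the assigned center.
        sse = sum(dist(p, centers[lab]) ** 2 for p, lab in zip(points, labels))
        if prev_sse - sse <= tol:        # criterion stopped improving
            break
        prev_sse = sse
    return labels, centers, sse

def flag_suspect(points, k=2, seed=0):
    """Assumed labelling rule: the smallest cluster is treated as suspect."""
    labels, _, _ = kmeans(points, k, seed)
    sizes = [labels.count(j) for j in range(k)]
    minority = sizes.index(min(sizes))
    return [i for i, lab in enumerate(labels) if lab == minority]

if __name__ == "__main__":
    print("suspect rows:", flag_suspect(CONNECTIONS))
```

On real traffic the features need scaling to comparable ranges before clustering, since Euclidean distance otherwise lets the largest-valued feature dominate the assignment.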
Publication date: 2016