Computer Science ›› 2016, Vol. 43 ›› Issue (3): 158-162. doi: 10.11896/j.issn.1002-137X.2016.03.030

• Information Security •

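A Network Intrusion Detection Algorithm Combining Kmeans and KNN

HUA Hui-you, CHEN Qi-mai, LIU Hai, ZHANG Yang, YUAN Pei-quan

  1. School of Computer Science, South China Normal University, Guangzhou 510631
  • Publication date: 2018-12-01 Release date: 2018-12-01
  • Funding:
    This work was supported by the Guangdong Province and Ministry of Education Industry-University-Research Cooperation Project (2009B090300326) and the South China Normal University Graduate Research Innovation Fund.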

Hybrid Kmeans with KNN for Network Intrusion Detection Algorithm

HUA Hui-you, CHEN Qi-mai, LIU Hai, ZHANG Yang and YUAN Pei-quan   

  • Online: 2018-12-01 Published: 2018-12-01

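Abstract: Network intrusion detection algorithms are one of the hot and difficult topics in network security research. Many current algorithms, such as KNN and TCMKNN, handle relatively small training sample sets and remain very time-consuming on large sample sets. This paper therefore proposes a network intrusion detection algorithm suited to large sample sets (the Cluster-KNN algorithm). The algorithm has two phases, offline data preprocessing (data indexing) and online real-time classification: the offline preprocessing phase builds a cluster index over the large sample set; the online real-time classification phase uses the cluster index to search for nearest neighbors and finally applies the KNN algorithm to produce the classification result. Experimental results show that, compared with the traditional KNN algorithm, Cluster-KNN has very high time efficiency in the classification phase, and that it also holds a considerable advantage over other intrusion detection methods in the same field in accuracy, false positive rate and false negative rate. Cluster-KNN distinguishes abnormal from normal scenarios well and classifies quickly online, so it is better suited to real network application environments.

Keywords: network intrusion detection, Kmeans, KNN, KDDCUP99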

Abstract: Network intrusion detection algorithms are one of the hot and difficult topics in the field of network security research. At present, many algorithms such as KNN and TCMKNN, which process relatively small data samples, are still very time-consuming when processing large-scale data sets. Therefore, this paper puts forward a hybrid algorithm (Cluster-KNN) that is adapted to large-scale data sets. The algorithm is divided into an offline data preprocessing phase (data indexing) and an online real-time classification phase. The offline phase establishes the cluster index for the large data set. The online phase then uses the index to search for neighbors and finally outputs the result with the KNN algorithm. The experimental results show that, compared with the traditional KNN algorithm, the Cluster-KNN algorithm has high time efficiency in the classification phase, and that it also has considerable advantages over intrusion detection methods in the same field in accuracy rate, false positive rate, false negative rate and other aspects. Cluster-KNN can clearly distinguish abnormal from normal scenes, and it has a high online classification speed. Thus, it is more suitable for real network application environments.

Key words: Network intrusion detection, Kmeans, KNN, KDDCUP99
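The two phases described in the abstract can be sketched as follows. This is an added example, not the authors' implementation: the function names, the farthest-first seeding, the `probe` parameter and the two-feature sample records are assumptions made for illustration.

```python
import math
from collections import Counter

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def assign(train, centers):
    """Put each (vector, label) record in the bucket of its nearest center."""
    buckets = [[] for _ in centers]
    for rec in train:
        j = min(range(len(centers)), key=lambda i: dist(rec[0], centers[i]))
        buckets[j].append(rec)
    return buckets

def build_index(train, c, iters=10):
    """Offline phase: k-means over the training set -> (centers, buckets)."""
    pts = [v for v, _ in train]
    centers = [pts[0]]  # deterministic farthest-first seeding (example choice)
    while len(centers) < c:
        centers.append(max(pts, key=lambda p: min(dist(p, q) for q in centers)))
    for _ in range(iters):
        buckets = assign(train, centers)
        centers = [tuple(sum(col) / len(b) for col in zip(*(v for v, _ in b)))
                   if b else centers[i] for i, b in enumerate(buckets)]
    return centers, assign(train, centers)

def classify(query, index, k=5, probe=1):
    """Online phase: KNN vote over the `probe` nearest clusters only.
    Returns (label, number of training records actually compared)."""
    centers, buckets = index
    order = sorted(range(len(centers)), key=lambda i: dist(query, centers[i]))
    cand = [rec for i in order[:probe] for rec in buckets[i]]
    top = sorted(cand, key=lambda rec: dist(query, rec[0]))[:k]
    return Counter(lbl for _, lbl in top).most_common(1)[0][0], len(cand)

def blob(cx, cy, label, n=30):
    """Constructed sample data: n labelled 2-D points on a small grid."""
    return [((cx + (i % 5) * 0.02, cy + (i // 5) * 0.02), label) for i in range(n)]

# Constructed, scaled two-feature records (not KDDCUP99 data).
TRAIN = blob(0.1, 0.1, "normal") + blob(0.8, 0.1, "dos") + blob(0.1, 0.8, "probe")
INDEX = build_index(TRAIN, c=3)

if __name__ == "__main__":
    print(classify((0.82, 0.13), INDEX))           # cluster index: 30 comparisons
    print(classify((0.82, 0.13), INDEX, probe=3))  # every cluster: plain KNN, 90
```

A query that falls near a cluster boundary can have true neighbors in an adjacent cluster, so in this sketch raising `probe` trades online speed for recall of those neighbors.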

