A Clustering Method for Improving Performance of Anomaly-Based Intrusion Detection System

Jungsuk SONG  Kenji OHIRA  Hiroki TAKAKURA  Yasuo OKABE  Yongjin KWON  

Publication
IEICE TRANSACTIONS on Information and Systems   Vol.E91-D   No.5   pp.1282-1291
Publication Date: 2008/05/01
Online ISSN: 1745-1361
DOI: 10.1093/ietisy/e91-d.5.1282
Print ISSN: 0916-8532
Type of Manuscript: Special Section PAPER (Special Section on Information and Communication System Security)
Category: Network Security
Keyword: 
intrusion detection system,  clustering,  detection rate,  false positive rate,  

Full Text: PDF(470.3KB)>>
Buy this Article




Summary: 
Intrusion detection system (IDS) has played a central role as an appliance to effectively defend our crucial computer systems or networks against attackers on the Internet. The most widely deployed and commercially available methods for intrusion detection employ signature-based detection. However, they cannot detect unknown intrusions intrinsically which are not matched to the signatures, and their methods consume huge amounts of cost and time to acquire the signatures. In order to cope with the problems, many researchers have proposed various kinds of methods that are based on unsupervised learning techniques. Although they enable one to construct intrusion detection model with low cost and effort, and have capability to detect unforeseen attacks, they still have mainly two problems in intrusion detection: a low detection rate and a high false positive rate. In this paper, we present a new clustering method to improve the detection rate while maintaining a low false positive rate. We evaluated our method using KDD Cup 1999 data set. Evaluation results show that superiority of our approach to other existing algorithms reported in the literature.