A supervised clustering algorithm for computer intrusion detection

We previously developed a clustering and classification algorithm—supervised (CCAS) to learn patterns of normal and intrusive activities and to classify observed system activities. Here we further enhance the robustness of CCAS to the presentation order of training data and the noises in training data. This robust CCAS adds data redistribution, a supervised hierarchical grouping of clusters and removal of outliers as the postprocessing steps.     

A parallel genetic local search algorithm for intrusion detection in computer networks

The security of networked computers plays a strategic role in modern computer systems. This task is so complicated because the determination of normal and abnormal behaviors in computer networks is hard, as the boundaries cannot be well defined. One of the difficulties in such a prediction process is the generation of false alarms in many anomaly based intrusion detection systems. However, fuzzy logic is an important solution to reduce the false alarm rate in determining intrusive activities. This paper proposes a parallel genetic local search algorithm (PAGELS) to generate fuzzy rules capable of detecting intrusive behaviors in computer networks. The system uses the Michigan's approach, where each individual represents a fuzzy rule which has the form “if condition then prediction.” In the presented algorithm the global population is divided into some subpopulations, each assigned to a distinct processor. Each subpopulation consists of the same class fuzzy rules. These rules evolve independently in the proposed parallel manner. Experimental results show that the presented algorithm produces fuzzy rules, which can be used to construct a reliable intrusion detection system.     

Anomaly intrusion detection by clustering transactional audit streams in a host computer

In anomaly intrusion detection, modeling the normal behavior of activities performed by a user is an important issue. To extract normal behavior from the activities of a user, conventional data mining techniques are widely applied to a finite audit data set. However, these approaches model only the static behavior of a user in the audit data set. This drawback can be overcome by viewing a user’s continuous activities as an audit data stream. This paper proposes an anomaly intrusion detection method that continuously models the normal behavior of a user over the audit data stream. A set of features is used to represent the characteristics of an activity. For each feature, clusters of feature values corresponding to activities observed thus far in an audit data stream are identified by a statistical grid-based clustering algorithm for a data stream. Each cluster represents the frequency range of the activities with respect to the feature. As a result, without the physical maintenance of any historical activity of the user, the user’s new activities can be continuously reflected in the ongoing results. At the same time, various statistics of activities related to the identified clusters are also modeled to improve the performance of anomaly detection. The proposed algorithm is illustrated by a series of experiments to identify various characteristics.     

网络入侵检测系统中的警报聚类

到目前为止,网络管理员对入侵检测系统(IDS)所产生的警报还是以在辅助工具下的手工操作进行整理,从而得到一个高级别的攻击描述。为了有效融合多种入侵检测系统报警信息,提高警告的准确性,警报聚类自动分析工具被建议使用来产生高级别的攻击描述。除此之外,警报聚类自动分析工具还可以有效地分析威胁,融合不同的信息源,例如来自于不同IDS中的信息源。该文提出了新的警报聚类系统,以便把来自于多种IDS所产生的警报进行警报聚类,产生攻击描述。实验结果表明,通过警报聚类模块有效地总结攻击可以产生高级别的警报,并大幅度地减少了要提交给管理员的警报数量。此外,以这些高级别警报为基础还可以进一步地进行威胁分析。     

A multi-objective genetic algorithm with fuzzy c-means for automatic data clustering

This article presents a multi-objective genetic algorithm which considers the problem of data clustering. A given dataset is automatically assigned into a number of groups in appropriate fuzzy partitions through the fuzzy c-means method. This work has tried to exploit the advantage of fuzzy properties which provide capability to handle overlapping clusters. However, most fuzzy methods are based on compactness and/or separation measures which use only centroid information. The calculation from centroid information only may not be sufficient to differentiate the geometric structures of clusters. The overlap-separation measure using an aggregation operation of fuzzy membership degrees is better equipped to handle this drawback. For another key consideration, we need a mechanism to identify appropriate fuzzy clusters without prior knowledge on the number of clusters. From this requirement, an optimization with single criterion may not be feasible for different cluster shapes. A multi-objective genetic algorithm is therefore appropriate to search for fuzzy partitions in this situation. Apart from the overlap-separation measure, the well-known fuzzy J_m index is also optimized through genetic operations. The algorithm simultaneously optimizes the two criteria to search for optimal clustering solutions. A string of real-coded values is encoded to represent cluster centers. A number of strings with different lengths varied over a range correspond to variable numbers of clusters. These real-coded values are optimized and the Pareto solutions corresponding to a tradeoff between the two objectives are finally produced. As shown in the experiments, the approach provides promising solutions in well-separated, hyperspherical and overlapping clusters from synthetic and real-life data sets. This is demonstrated by the comparison with existing single-objective and multi-objective clustering techniques.     

Genetic-fuzzy rule mining approach and evaluation of feature selection techniques for anomaly intrusion detection

Classification of intrusion attacks and normal network traffic is a challenging and critical problem in pattern recognition and network security. In this paper, we present a novel intrusion detection approach to extract both accurate and interpretable fuzzy IF-THEN rules from network traffic data for classification. The proposed fuzzy rule-based system is evolved from an agent-based evolutionary framework and multi-objective optimization. In addition, the proposed system can also act as a genetic feature selection wrapper to search for an optimal feature subset for dimensionality reduction. To evaluate the classification and feature selection performance of our approach, it is compared with some well-known classifiers as well as feature selection filters and wrappers. The extensive experimental results on the KDD-Cup99 intrusion detection benchmark data set demonstrate that the proposed approach produces interpretable fuzzy systems, and outperforms other classifiers and wrappers by providing the highest detection accuracy for intrusion attacks and low false alarm rate for normal network traffic with minimized number of features.     

A genetic algorithm with gene rearrangement for K-means clustering

In this paper, a new clustering algorithm based on genetic algorithm (GA) with gene rearrangement (GAGR) is proposed, which in application may effectively remove the degeneracy for the purpose of a more efficient search. A new crossover operator that exploits a measure of similarity between chromosomes in a population is also presented. Adaptive probabilities of crossover and mutation are employed to prevent the convergence of the GAGR to a local optimum. Using the real-world data sets, we compare the performance of our GAGR clustering algorithm with K-means algorithm and other GA methods. An application of the GAGR clustering algorithm in unsupervised classification of multispectral remote sensing images is also provided. Experiment results demonstrate that the GAGR clustering algorithm has high performance, effectiveness and flexibility.     

A multi-population genetic algorithm for robust and fast ellipse detection

This paper discusses a novel and effective technique for extracting multiple ellipses from an image, using a genetic algorithm with multiple populations (MPGA). MPGA evolves a number of subpopulations in parallel, each of which is clustered around an actual or perceived ellipse in the target image. The technique uses both evolution and clustering to direct the search for ellipses—full or partial. MPGA is explained in detail, and compared with both the widely used randomized Hough transform (RHT) and the sharing genetic algorithm (SGA). In thorough and fair experimental tests, using both synthetic and real-world images, MPGA exhibits solid advantages over RHT and SGA in terms of accuracy of recognition—even in the presence of noise or/and multiple imperfect ellipses in an image—and speed of computation.     

A traffic-based evolutionary algorithm for network clustering

Network clustering algorithms are typically based only on the topology information of the network. In this paper, we introduce traffic as a quantity representing the intensity of the relationship among nodes in the network, regardless of their connectivity, and propose an evolutionary clustering algorithm, based on the application of genetic operators and capable of exploiting the traffic information. In a comparative evaluation based on synthetic instances and two real world datasets, we show that our approach outperforms a selection of well established evolutionary and non-evolutionary clustering algorithms.     

Evolving statistical rulesets for network intrusion detection

Security threats against computer networks and the Internet have emerged as a major and increasing area of concern for end-users trying to protect their valuable information and resources from intrusive attacks. Due to the amount of data to be analysed and the similarities between attack and normal traffic patterns, intrusion detection is considered a complex real world problem. In this paper, we propose a solution that uses a genetic algorithm to evolve a set of simple, interval-based rules based on statistical, continuous-valued input data. Several innovations in the genetic algorithm work to keep the ruleset small. We first tune the proposed system using a synthetic data. We then evaluate our system against more complex synthetic data with characteristics associated with network intrusions, the NSL-KDD benchmark dataset, and another dataset constructed based on MIT Lincoln Laboratory normal traffic and the low-rate DDoS attack scenario from CAIDA. This new approach provides a very compact set of simple, human-readable rules with strongly competitive detection performance in comparison to other machine learning techniques.     

A genetic algorithm that exchanges neighboring centers for k-means clustering

We present a genetic algorithm for selecting centers to seed the popular k-means method for clustering. Using a novel crossover operator that exchanges neighboring centers, our GA identifies superior partitions using both benchmark and large simulated data sets.     

Damage detection by an adaptive real-parameter simulated annealing genetic algorithm

An effective algorithm, which combined an adaptive real-parameter genetic algorithm with simulated annealing, is proposed to detect damage occurrence in beam-type structures. The proposed algorithm uses the displacements of static response and natural frequencies of modal analysis, which are obtained by finite element software ANSYS. There are three different kinds of beam structures to verify the performance of the proposed algorithm. These three cases have different boundary conditions and different damage scenarios. From the results, it is demonstrated that the proposed algorithm is efficient in flexural stiffness damage identification for beam-type structures under free of noise condition. Even under the case of noise, the results show that the searched solutions are still in reasonable precision.     

A robust dynamic niching genetic algorithm with niche migration for automatic clustering problem

In this paper, a genetic clustering algorithm based on dynamic niching with niche migration (DNNM-clustering) is proposed. It is an effective and robust approach to clustering on the basis of a similarity function relating to the approximate density shape estimation. In the new algorithm, a dynamic identification of the niches with niche migration is performed at each generation to automatically evolve the optimal number of clusters as well as the cluster centers of the data set without invoking cluster validity functions. The niches can move slowly under the migration operator which makes the dynamic niching method independent of the radius of the niches. Compared to other existing methods, the proposed clustering method exhibits the following robust characteristics: (1) robust to the initialization, (2) robust to clusters volumes (ability to detect different volumes of clusters), and (3) robust to noise. Moreover, it is free of the radius of the niches and does not need to pre-specify the number of clusters. Several data sets with widely varying characteristics are used to demonstrate its superiority. An application of the DNNM-clustering algorithm in unsupervised classification of the multispectral remote sensing image is also provided.     

基于混合遗传聚类的入侵检测算法

提出了基于混合遗传聚类的入侵检测算法——IDBHGC,它能自动完成初始聚类簇集合建立、组合优化和入侵行为标识的整个检测过程。实验证明,该算法在已有研究基础上进一步提高了检测性能。     

基于自适应蚁群聚类的入侵检测

针对蚁群聚类算法在聚类结果中出现部分数据划分不够准确的问题,提出一种基于信息熵调整的自适应混沌蚁群聚类改进算法。该算法通过优化过程中种群的信息熵来衡量演化的程度,自适应地调整信息素更新策略。每一次迭代结束时,使用混沌搜索算子在当前全局最优解附近搜索更好的解。而随着算法的进行,混沌算子搜索范围逐渐缩小,这样混沌算子在蚁群搜索的初期起到防止陷入局部最优的作用,在蚁群搜索后期起到提高搜索精度的作用,从而得到更好的聚类结果。使用KDD Cup 1999入侵检测数据集所作的仿真实验结果表明,聚类效果改进明显,并能有效提高入侵检测的检测率、降低误检率。     

A hybrid artificial immune system and Self Organising Map for network intrusion detection

Network intrusion detection is the problem of detecting unauthorised use of, or access to, computer systems over a network. Two broad approaches exist to tackle this problem: anomaly detection and misuse detection. An anomaly detection system is trained only on examples of normal connections, and thus has the potential to detect novel attacks. However, many anomaly detection systems simply report the anomalous activity, rather than analysing it further in order to report higher-level information that is of more use to a security officer. On the other hand, misuse detection systems recognise known attack patterns, thereby allowing them to provide more detailed information about an intrusion. However, such systems cannot detect novel attacks.A hybrid system is presented in this paper with the aim of combining the advantages of both approaches. Specifically, anomalous network connections are initially detected using an artificial immune system. Connections that are flagged as anomalous are then categorised using a Kohonen Self Organising Map, allowing higher-level information, in the form of cluster membership, to be extracted. Experimental results on the KDD 1999 Cup dataset show a low false positive rate and a detection and classification rate for Denial-of-Service and User-to-Root attacks that is higher than those in a sample of other works.     

A novel hybrid KPCA and SVM with GA model for intrusion detection

A novel support vector machine (SVM) model combining kernel principal component analysis (KPCA) with genetic algorithm (GA) is proposed for intrusion detection. In the proposed model, a multi-layer SVM classifier is adopted to estimate whether the action is an attack, KPCA is used as a preprocessor of SVM to reduce the dimension of feature vectors and shorten training time. In order to reduce the noise caused by feature differences and improve the performance of SVM, an improved kernel function (N-RBF) is proposed by embedding the mean value and the mean square difference values of feature attributes in RBF kernel function. GA is employed to optimize the punishment factor C, kernel parameters σ and the tube size ɛ of SVM. By comparison with other detection algorithms, the experimental results show that the proposed model performs higher predictive accuracy, faster convergence speed and better generalization.     

遗传聚类算法在基于网络异常入侵检测中的应用

传统的入侵检测方法在面对多变的网络结构时缺乏可扩展性,而且在未知的攻击类型面前也缺乏适应性。因此,提出一种新的检测方法——基于遗传聚类的网络异常检测（NAIDGC）算法。对聚类中心采用二进制编码,把每一个点到它们各自的聚类中心的欧几里得距离的总和作为相似度量,通过遗传算法寻找聚类中心。计算机仿真结果显示了此算法对入侵检测是有效的。     

浅析网络入侵检测系统

本文主要研究的就是入侵检测系统,从基本概念入手,对其入侵检测过程做了详细阐述,通过也讨论了入侵检测系统的未来发展道路.     

基于改进的布尔矩阵约简算法的入侵检测方法

针对入侵检测数据特征维数多,通过改进的布尔矩阵约简算法对入侵数据样本进行属性约简,再应用灰色关联算法,使得原数据集中每条记录由原来的41个属性约简为27个,从而提高了入侵检测的速度和效率。实验结果也表明,应用此种约简方法,提高了入侵检测的效率,且保持了较为理想的检测率。