Evolutionary Optimization on Misuse and Anomaly IDS Using LOF-based Clustering


Bibliographic Details
Main Authors: Chun-Hao Chen, 陳俊豪
Other Authors: 李秀惠
Format: Others
Language: en_US
Published: 2006
Online Access: http://ndltd.ncl.edu.tw/handle/95567730186465169953
id ndltd-TW-094NTU05392061
collection NDLTD
description Master's === National Taiwan University === Graduate Institute of Computer Science and Information Engineering === 94 === With the wide application of the Internet, various attack techniques have been developed and threaten the e-society. Older passive safeguards, e.g. firewalls and passwords, are insufficient as attack techniques progress continuously. Hence, intrusion detection systems (IDS) are developed for active protection. Using data mining techniques to develop an IDS is automatic and effective; therefore it can replace a traditional signature-based IDS. IDS can be classified into misuse detection and anomaly detection. Misuse detection uses patterns of known attacks to match and identify intrusions. Anomaly detection constructs normal behavior profiles to detect attacks. This thesis proposes an IDS for both misuse detection and anomaly detection. We extend an excellent outlier detection algorithm, LOF, into a clustering algorithm. LOF can detect some outliers that other algorithms cannot detect. Though outlier detection and clustering share several common concepts, the original LOF algorithm cannot explicitly form clusters. We extend it and apply it to IDS. The clustering part builds the information of the training data and finds the association between training data and testing data; the outlier detection part can detect unseen attacks if the data deviate from the distribution of the training data. In addition, a genetic algorithm is used to assign each feature of the data an importance (weight) and to generate several sets of weights according to the characteristics of each attack type. This is adopted to raise the accuracy of the IDS. In the experiments, the KDD Cup 1999 data is used to evaluate our system. We get good results for both misuse detection and anomaly detection.