DocumentCode :
3070179
Title :
High-Performance Intrusion Detection Using OptiGrid Clustering and Grid-Based Labelling
Author :
Ishida, Moriteru ; Takakura, Hiroki ; Okabe, Yasuo
Author_Institution :
Grad. Sch. of Inf., Kyoto Univ., Kyoto, Japan
fYear :
2011
fDate :
18-21 July 2011
Firstpage :
11
Lastpage :
19
Abstract :
This research aims to construct a high-performance anomaly-based intrusion detection system. Most past studies of anomaly-based IDS adopt k-means-based clustering; this paper points out that the following reasons cause performance degradation of k-means-based clustering when it is deployed in a real traffic environment. First, k-means-based algorithms are weak on high-dimensional data. Second, although normal traffic has a non-hyperspherical distribution in the feature space, these algorithms can only create hyperspherical clusters. Furthermore, unsophisticated algorithms for labelling clusters cannot achieve high detection performance. To solve these issues, this paper proposes a modification of OptiGrid clustering and a cluster labelling algorithm using grids. OptiGrid is robust to high-dimensional data. Our labelling algorithm divides the feature space into grids and labels clusters using the density of the grids. The combination of these two algorithms enables a system to extract the features of traffic data and correctly classify the data as attack or normal. We have implemented our system and confirmed its efficiency using both the KDDCUP1999 data sets and the Kyoto 2006+ data sets.
Keywords :
feature extraction; grid computing; pattern classification; pattern clustering; security of data; KDDCUP1999 data sets; Kyoto 2006+ data sets; OptiGrid clustering; anomaly based IDS; feature extraction; feature space; grid based labelling; hyper spherical clusters; intrusion detection system; k-means clustering; normal traffic distribution; traffic data; Clustering algorithms; Histograms; Labeling; Partitioning algorithms; Proposals; Sensitivity; Training data; OptiGrid; anomaly based IDS; cluster labelling; clustering; intrusion detection system;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Applications and the Internet (SAINT), 2011 IEEE/IPSJ 11th International Symposium on
Conference_Location :
Munich, Bavaria
Print_ISBN :
978-1-4577-0531-1
Electronic_ISBN :
978-0-7695-4423-6
Type :
conf
DOI :
10.1109/SAINT.2011.12
Filename :
6004129