Title :
CluSID: a clustering scheme for intrusion detection improved by information theory
Author :
Shokri, Reza ; Oroumchian, Farhad ; Yazdani, Nasser
Author_Institution :
Dept. of ECE, Tehran Univ., Iran
Abstract :
Security is a major concern for every network in an enterprise environment, and many solutions have been proposed to secure the network infrastructure and communication over the Internet. Intrusion detection systems employ many different techniques, such as data mining approaches, to maximize the detection rate of intrusions while reducing the false alarm rate. For instance, many clustering techniques have been recommended that separate normal and abnormal data in IDSs. Clustering methods emphasize finding the differences and similarities between traffic sessions in order to categorize each session into its corresponding group. These groups are represented by their assigned labels, which are later used to predict the type of incoming network traffic. In this paper, we propose a clustering scheme for use in intrusion detection systems, named CluSID. The major contribution of CluSID is the use of information theory to take full advantage of clustering techniques. The main idea behind CluSID is to use non-uniform gain functions for network traffic features in order to improve the accuracy of the clustering process. To this end, we apply information theory concepts to move cluster centers toward the most important areas in the domain of the selected features. The results clearly show a rise in the detection rate of CluSID in most attack categories in comparison to the KDD CUP'99 winner and simple clustering methods. The increase in the detection rate of the proposed system is about 25 percent.
Keywords :
Internet; security of data; clustering scheme; data mining; information theory; intrusion detection system; network traffic; Clustering methods; Communication system security; Data mining; Data security; IP networks; Information security; Information theory; Intrusion detection; Logic; Telecommunication traffic; Clustering; Entropy; Information Theory; Intrusion Detection System;
Conference_Title :
2005 13th IEEE International Conference on Networks, jointly held with the 2005 IEEE 7th Malaysia International Conference on Communication
Print_ISBN :
1-4244-0000-7
DOI :
10.1109/ICON.2005.1635546