An Intrinsic Subsequence Decomposition Algorithm for Network Intrusion Detection

The problem of network intrusion detection is an active research issue. Based on the techniques of sequence data mining, we propose a completely new approach based on intrinsic subsequence to detect intrusions in the network connection data. An intrinsic subsequence means that all items in it are always present together as a whole in the sequence. The total number of an intrinsic subsequence appeared in a sequence is referred to as absolute support. The intrinsic subsequences with approximate absolute support form a layer. A sequence is supposed to be composed of a set of intrinsic subsequences. And the anomalies are always shown as a composition of some unusual intrinsic subsequences. The abnormal sequence can be detected by decomposing the sequence into a number of layers and finding the differences of the corresponding layers between the normal and suspect sequence data. An original algorithm for intrusion detection by using the idea of decomposition is proposed. The experiments on the data sets of KDD 99 illuminate the utility and efficiency of our new approach.