DocumentCode :
1782442
Title :
Intrusion detection learning algorithm through network mining
Author :
Abu Afza, A.J.M. ; Uddin, Mohammad Shorif
Author_Institution :
Dept. of Comput. Sci. & Eng., Jahangirnagar Univ., Dhaka, Bangladesh
fYear :
2014
fDate :
8-10 March 2014
Firstpage :
490
Lastpage :
495
Abstract :
This paper presents a learning algorithm for adaptive network intrusion detection based on clustering and a naïve Bayesian classifier, which induces a hybridization of unsupervised and supervised learning processes. The proposed approach scales up the balance detection rates for different types of network intrusions, and keeps the false positives at an acceptable level in network intrusion detection. The algorithm first clusters the network logs into several groups based on the similarity of the network logs, and then calculates the prior and class conditional probabilities for each cluster. In classifying a new network log, the algorithm calculates the similarity of the attribute values of the network data with each cluster and initializes a weight value for each cluster. Then each cluster classifies the network data with its prior and conditional probabilities, multiplied by the respective cluster's weight value. Finally, voting techniques are applied to classify the new network data based on each cluster's classification result. The performance of the proposed algorithm was tested on the KDD99 benchmark network intrusion detection dataset, and the experimental results proved that it improves the detection rates as well as reduces the false positives for different types of network intrusions.
Keywords :
data mining; learning (artificial intelligence); pattern classification; pattern clustering; security of data; KDD99 dataset; adaptive network intrusion detection; conditional probability; false positive reduction; intrusion detection learning algorithm; naive Bayesian classifier; network logs similarity; network mining; pattern clustering; supervised learning process; unsupervised learning process; Bayes methods; Classification algorithms; Clustering algorithms; Computers; Intrusion detection; Niobium; boosting; intrusion detection; naïve Bayesian classifier;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Computer and Information Technology (ICCIT), 2013 16th International Conference on
Conference_Location :
Khulna
Type :
conf
DOI :
10.1109/ICCITechn.2014.6997324
Filename :
6997324