Title :
Research on Network Anomaly Detection Based on Clustering and Classifier
Author :
Yang, Hongyu ; Xie, Feng ; Lu, Yi
Author_Institution :
Tianjin Key Lab for Adv. Signal Process., Civil Aviation Univ. of China, Tianjin
Abstract :
In this paper, we propose a method to find anomalous behaviors in network traffic. We map the network connection records into different feature spaces, typically of high dimension, according to their protocols and services. In training, we perform clustering to group training data points into clusters, from which we select some clusters as the normal and known-attack profile according to a simple but effective criterion. Those training data excluded from the profile are used to build a specific classifier. The classifier has two distinct characteristics: one is that it regards each data point in the feature space as having a limited influence scope, which serves as the decisive bounds of the classifier, and the other is that it has a "default" label to recognize novel attacks. We present a novel classification algorithm, the influence-based classification algorithm, to deal with ambiguous data. Our system is tested on the KDD Cup 1999 data. Results show that it is superior to other data mining based approaches in detection performance, especially in detection of PROBE and U2R attacks.
Keywords :
pattern classification; pattern clustering; security of data; telecommunication networks; telecommunication security; anomalous network traffic behavior; data clustering; data mining based; influence-based classification algorithm; known-attack profile; network anomaly detection; network connection; protocols; Algorithm design and analysis; Classification algorithms; Computer networks; Data mining; Data security; Information security; Intrusion detection; Signal processing algorithms; Space technology; Training data;
Conference_Title :
Computational Intelligence and Security, 2006 International Conference on
Conference_Location :
Guangzhou
Print_ISBN :
1-4244-0605-6
Electronic_ISBN :
1-4244-0605-6
DOI :
10.1109/ICCIAS.2006.294204