Traffic Attributes Correlation Mechanism based on Self-Organizing Maps for Real-Time Intrusion Detection

Because network-based attacks cause extensive damage in practice, it is very important to detect an intrusion quickly, at its onset. However, intrusion detection based on supervised learning requires either preprocessing an enormous amount of data or analysis by a manager. It also faces two difficulties in detecting abnormal traffic: the manager's analysis might be incorrect, and it would miss real-time detection. In this paper, we propose a traffic attributes correlation analysis mechanism based on self-organizing maps (SOM) for real-time intrusion detection. The proposed mechanism has three steps. First, unsupervised learning builds map clusters composed of similar traffic. Second, each map cluster is labeled to divide the map into normal traffic and abnormal traffic; this step uses a rule created through correlation analysis with the SOM. Finally, the mechanism performs real-time detection and updates gradually. In many experiments, the proposed mechanism, which combines unsupervised and supervised learning, performed better in real-time intrusion detection than supervised learning alone.
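The three steps above, as an added Python example that is not the paper's implementation. The three traffic attributes, the constructed sample data, and the majority-vote labelling (standing in for the paper's correlation-analysis rule, which the abstract does not specify) are assumptions.

```python
import math, random

def bmu(weights, x):
    """Index of the best-matching unit: the map node closest to x."""
    return min(range(len(weights)), key=lambda i: math.dist(weights[i], x))

def train_som(data, rows=4, cols=4, epochs=30, lr0=0.5, seed=1):
    """Step 1: unsupervised training; similar traffic ends up on nearby nodes."""
    rng = random.Random(seed)
    weights = [[rng.random() for _ in data[0]] for _ in range(rows * cols)]
    pos = [(i // cols, i % cols) for i in range(rows * cols)]
    for e in range(epochs):
        lr = lr0 * (1 - e / epochs)                       # decaying learning rate
        sigma = max(max(rows, cols) / 2 * (1 - e / epochs), 0.5)  # shrinking radius
        for x in rng.sample(data, len(data)):
            b = bmu(weights, x)
            for i, w in enumerate(weights):
                h = math.exp(-math.dist(pos[i], pos[b]) ** 2 / (2 * sigma ** 2))
                weights[i] = [wk + lr * h * (xk - wk) for wk, xk in zip(w, x)]
    return weights

def label_units(weights, labelled):
    """Step 2 (assumed rule): majority vote of labelled samples per node."""
    votes = {}
    for x, y in labelled:
        votes.setdefault(bmu(weights, x), []).append(y)
    labels = {i: max(set(v), key=v.count) for i, v in votes.items()}
    # Nodes that attracted no labelled sample inherit the nearest voted node's label.
    for i in range(len(weights)):
        if i not in labels:
            near = min(votes, key=lambda j: math.dist(weights[i], weights[j]))
            labels[i] = labels[near]
    return labels

def detect(weights, labels, x, lr=0.05):
    """Step 3: classify x by its node's label, then nudge that node toward x."""
    b = bmu(weights, x)
    weights[b] = [w + lr * (xi - w) for w, xi in zip(weights[b], x)]
    return labels[b]

# Constructed data; assumed attributes: packet rate, distinct ports, SYN ratio (0..1).
def make_traffic(rng, centre, n):
    return [[min(1, max(0, rng.gauss(c, 0.05))) for c in centre] for _ in range(n)]

rng = random.Random(7)
NORMAL = make_traffic(rng, (0.2, 0.1, 0.1), 60)
ATTACK = make_traffic(rng, (0.8, 0.9, 0.9), 20)
WEIGHTS = train_som(NORMAL + ATTACK)
LABELS = label_units(WEIGHTS, [(x, "normal") for x in NORMAL[:10]]
                     + [(x, "abnormal") for x in ATTACK[:10]])
```

Only 20 of the 80 training vectors carry a label; every other vector, and every map node that no labelled sample reached, is classified through the map's topology.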
