Fuzzy Clustering Based Anomaly Detection for Updating Intrusion Detection Signature Files

The majority of systems today categorize data either by misuse detection or anomaly detection: each approach has its relative merits and demerits. Perfect detection, like perfect security, is simply not an attainable goal given the complexity and rapid evolution of modern systems. An Intrusion Detection System (IDS) can, however, strive to raise the bar for attackers by reducing the efficacy of large classes of attacks and increasing the work factor required to achieve a system compromise. The coordinated deployment of multiple intrusion detection systems promises to allow greater confidence in the results of and to improve the coverage of intrusion detection, making this a critical component of any comprehensive security architecture. Traditional anomaly detection methods lack adaptive captivity in complex and heterogeneous network. Especially while facing high noise environments, or the situation of updating profiles not in time, intrusion detection systems will have high false alarm rate. In this research study, anomaly detection based on fuzzy clustering is proposed for updating signature files. Fuzzy clustering integrates the advantage of fuzzy set theory and conventional clustering algorithms so that the improved algorithm can identify zero day attacks (anomalies), which conventional misuse network intrusion detection would fail to detect. The approach allows recognizing not only known attacks but also to detect suspicious activity that may be the result of a new, unknown attack. Once new attacks are detected, then this information could be used to update the signature files of the misuse intrusion detection systems.