Intrusion detection based on MLP neural networks and K-means algorithm

A new intrusion detection technique to classify program behavior as normal or intrusive by using neural network and clustering pretreatment is presented in this paper. In our method, first, we divided the large samples space into subspace using k-means clustering; second, a set of neural networks are used to study the every subspace for intrusion detection separately. By this way, we can avoid some inherent problems of neural networks, such as the slow speed of convergence and the burden of computation; On the other hand, during subspace training, because program data, which are in the same subspace, have the similar behavior characters, neural networks can quickly recognize normal or anomalous area of input space; We also note that system call frequency is replaced of system call order in this method, program behavior is represented by frequencies of system calls; Experiment with 1998 DARPA BSM audit data has also shown that the method has good performance.