Detecting Method Over Network Intrusion
First Claim
1. A detecting method over network intrusion comprising:
- selecting a plurality of features contained within plural statistical data by a data-transforming module;
- normalizing a plurality of feature values of the selected features into the same scale by a normalizing module to obtain a plurality of normalized feature data;
- creating a feature space having a plurality of cubes by a model-creating module, disposing the normalized feature data into the cubes according to the normalized feature values, and defining plural populated cubes having data densities being higher than a threshold value of density;
- categorizing the populated cubes into major cubes and minor cubes with each major cube having an amount of the normalized feature data being larger than a Dynamic-Gradient-Threshold (DGT) value and each minor cube having that being smaller than the DGT value;
- detecting the minor cubes in detail by a density-based algorithm to create at least one sub-cluster within each minor cube for combining the normalized feature data within the at least one sub-cluster with those in the adjacent major cubes, so as to create at least one feature model; and
- inputting the at least one feature model into a model-identifying module to select a detecting model for detecting whether a new packet datum belongs to an intrusion instance or not by a detecting module.
Abstract
A detecting method over network intrusion comprises: selecting a plurality of features contained within plural statistical data by a data-transforming module; normalizing a plurality of feature values of the selected features into the same scale to obtain a plurality of normalized feature data; creating at least one feature model by a data clustering technique incorporated with density-based and grid-based algorithms through a model-creating module; evaluating the at least one feature model through a model-identifying module to select a detecting model; and detecting whether a new packet datum belongs to an intrusion instance or not by a detecting module.
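The steps of claim 1 up to the feature model, sketched as an added example that is not the patent's own code. It assumes the DGT is half the population of the fullest cube (the page gives no formula) and substitutes a simple neighbour count for the density-based algorithm; the function names, parameters and sample values are constructed for illustration.

```python
from collections import defaultdict
from itertools import product
from math import dist

def normalize(rows):  # min-max scale each feature column into [0, 1]
    cols = list(zip(*rows))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [tuple((v - l) / (h - l) if h > l else 0.0
                  for v, l, h in zip(r, lo, hi)) for r in rows]

def build_model(points, k=4, density_min=1, dgt_frac=0.5, eps=0.05, min_pts=2):
    """Cluster normalized points: joined major cubes plus dense parts of minor cubes."""
    cubes = defaultdict(list)
    for p in points:  # place each point in its grid cube (k cubes per axis)
        cubes[tuple(min(int(v * k), k - 1) for v in p)].append(p)
    populated = {c: ps for c, ps in cubes.items() if len(ps) > density_min}
    # ASSUMPTION: DGT taken as a fraction of the fullest cube's population.
    dgt = dgt_frac * max((len(ps) for ps in populated.values()), default=0)
    major = {c for c, ps in populated.items() if len(ps) > dgt}
    def adjacent_major(c):
        near = (tuple(a + b for a, b in zip(c, d))
                for d in product((-1, 0, 1), repeat=len(c)) if any(d))
        return [n for n in near if n in major]
    label, clusters = {}, []
    for c in sorted(major):  # flood-fill adjacent major cubes into one cluster
        if c in label:
            continue
        label[c], stack = len(clusters), [c]
        clusters.append([])
        while stack:
            cur = stack.pop()
            clusters[label[c]].extend(populated[cur])
            for n in adjacent_major(cur):
                if n not in label:
                    label[n] = label[c]
                    stack.append(n)
    # Minor cubes: keep points with min_pts others within eps (simplified density test).
    for c in sorted(set(populated) - major):
        ps = populated[c]
        core = [p for p in ps if sum(dist(p, q) <= eps for q in ps) - 1 >= min_pts]
        adj = adjacent_major(c)
        if core and adj:  # merge the sub-cluster into a neighbouring major cluster
            clusters[label[adj[0]]].extend(core)
    return clusters

# Constructed sample: (connections per second, bytes per packet).
SAMPLE = ([(2 * i, 20 * i) for i in range(10)]                 # busy cube
          + [(30, 100), (32, 110), (34, 120), (48, 10), (100, 1000)])
MODEL = build_model(normalize(SAMPLE))
```

On this sample the ten busy points and the three tightly grouped points from the neighbouring cube form one cluster, while the stray point in the minor cube and the lone point in an unpopulated cube stay outside the model.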
10 Claims
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
Specification