Detecting Method Over Network Intrusion

US 20080306715A1
Filed: 01/29/2008
Published: 12/11/2008
Est. Priority Date: 06/11/2007
Status: Active Grant

First Claim

Patent Images

1. A detecting method over network intrusion comprising:

selecting a plurality of features contained within plural statistical data by a data-transforming module;

normalizing a plurality of feature values of the selected features into the same scale by a normalizing module to obtain a plurality of normalized feature data;

creating a feature space having a plurality of cubes by a model-creating module, disposing the normalized feature data into the cubes according to the normalized feature values, and defining plural populated cubes having data densities being higher than a threshold value of density;

categorizing the populated cubes into major cubes and minor cubes with each major cube having an amount of the normalized feature data being larger than a Dynamic-Gradient-Threshold (DGT) value and each minor cube having that being smaller than the DGT value;

detecting the minor cubes in detail by a density-based algorithm to create at least one sub-cluster within each minor cube for combining the normalized feature data within the at least one sub-cluster with those in the adjacent major cubes, so as to create at least one feature model; and

inputting the at least one feature model into a model-identifying module to select a detecting model for detecting whether a new packet datum belongs to an intrusion instance or not by a detecting module.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A detecting method over network intrusion comprises: selecting a plurality of features contained within plural statistical data by a data-transforming module; normalizing a plurality of feature values of the selected features into the same scale to obtain a plurality of normalized feature data; creating at least one feature model by a data clustering technique incorporated with density-based and grid-based algorithms through a model-creating module; evaluating the at least one feature model through a model-identifying module to select a detecting model; and detecting whether a new packet datum belongs to an intrusion instance or not by a detecting module.

23 Citations

View as Search Results

10 Claims

1. A detecting method over network intrusion comprising:
- selecting a plurality of features contained within plural statistical data by a data-transforming module;
  
  normalizing a plurality of feature values of the selected features into the same scale by a normalizing module to obtain a plurality of normalized feature data;
  
  creating a feature space having a plurality of cubes by a model-creating module, disposing the normalized feature data into the cubes according to the normalized feature values, and defining plural populated cubes having data densities being higher than a threshold value of density;
  
  categorizing the populated cubes into major cubes and minor cubes with each major cube having an amount of the normalized feature data being larger than a Dynamic-Gradient-Threshold (DGT) value and each minor cube having that being smaller than the DGT value;
  
  detecting the minor cubes in detail by a density-based algorithm to create at least one sub-cluster within each minor cube for combining the normalized feature data within the at least one sub-cluster with those in the adjacent major cubes, so as to create at least one feature model; and
  
  inputting the at least one feature model into a model-identifying module to select a detecting model for detecting whether a new packet datum belongs to an intrusion instance or not by a detecting module.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The detecting method over network intrusion as defined in claim 1, wherein formulas for normalization are defined as:
  - 3. The detecting method over network intrusion as defined in claim 1, wherein the threshold value is an integer, and the normalized feature data in the cubes with their data densities being lower than the threshold value are excluded.
  - 4. The detecting method over network intrusion as defined in claim 1, wherein a dense-value for representing an amount of the normalized feature data within each populated cube is identified, and one of the populated cubes is identified as a tiptop to be a start point for searching the feature space.
  - 5. The detecting method over network intrusion as defined in claim 1, wherein a DGT function used to obtain the DGT value is defined as the following:
    - DGT=|c_i|*PSV, wherein the “
      
      |c_i|”
      
      denotes the amount of the normalized feature data within an extremely populated cube “
      
      c_i”
      
      that is one of the populated cubes which jointly contain a cluster and has the highest dense-value among those of said populated cubes containing the same cluster; and
      
      the “
      
      PSV”
      
      denotes a predetermined percentage.
  - 6. The detecting method over network intrusion as defined in claim 1, wherein the minor cubes are detected by DBSCAN algorithm.
  - 7. The detecting method over network intrusion as defined in claim 1, wherein a plurality of border data disposed near borders of each minor cube is identified to create the at least one sub-cluster.
  - 8. The detecting method over network intrusion as defined in claim 1, wherein the detecting model is selected according to correctness of the at least one feature model, with said correctness being identified by detection rate given by a number of instances, which are identified as intrusion instances by the detecting method, divided by a total number of intrusion instances in a plurality of packet data, with the statistical data being obtained by quantifying said packet data.
  - 9. The detecting method over network intrusion as defined in claim 1, wherein the detecting model is selected according to correctness of the at least one feature model, with said correctness being identified by false positive rate defined as a number of instances, which are incorrectly identified as intrusion instances by the detecting method, divided by a total number of normal instances.
  - 10. The detecting method over network intrusion as defined in claim 1, wherein the detecting model is selected according to correctness of the at least one feature model, with said correctness being identified by both detection rate and false positive rate;
    - wherein the detection rate is given by a number of instances, which are identified as intrusion instances by the detecting method, divided by a total number of intrusion instances in a plurality of packet data, with the statistical data being obtained by quantifying said packet datawherein the false positive rate is defined as a number of instances, which are incorrectly identified as intrusion instances by the detecting method, divided by a total number of normal instances;
      
      wherein a “
      
      Receiver Operating Characteristic”
      
      curve illustrating a relationship between said detection rate and false positive rate is obtained, and an “
      
      Area Under the Curve”
      
      value is acquired to identify the correctness of the at least one feature model.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
National Pingtung University of Science and Technology
Original Assignee
National Pingtung University of Science and Technology
Inventors
Tsai, Cheng-Fa, Yen, Chia-Chen

Granted Patent

US 8,037,533 B2
Time in Patent Office

Days
Field of Search
US Class Current

703/2
CPC Class Codes

G06F 21/55 Detecting local intrusion o...

H04L 63/1425 Traffic logging, e.g. anoma...

Detecting Method Over Network Intrusion

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

23 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting Method Over Network Intrusion

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links