Detecting method for network intrusion
First Claim
1. A detecting method for network intrusion comprising:
- providing a computer including a data-transforming module, a normalizing module, a model-creating module, and a model-identifying module;
- selecting a plurality of features contained within plural statistical data by the data-transforming module;
- normalizing a plurality of feature values of the selected features into an identical scale by the normalizing module to obtain a plurality of normalized feature data;
- creating a feature space having a plurality of cubes by the model-creating module, disposing the normalized feature data into the plurality of cubes according to normalized feature values, and defining plural populated cubes having data densities higher than a threshold value of density;
- categorizing the populated cubes into major cubes and minor cubes with each major cube having an amount of the normalized feature data larger than a Dynamic-Gradient-Threshold (DGT) value and each minor cube having an amount of the normalized feature data smaller than the DGT value;
- detecting the minor cubes in detail by a density-based algorithm to create at least one sub-cluster within each minor cube for combining the normalized feature data within the at least one sub-cluster with those in the adjacent major cubes, so as to create at least one feature model; and
- inputting the at least one feature model into the model-identifying module to select one of the at least one feature model as a detecting model for detecting whether a new packet datum belongs to an intrusion instance or not by a detecting module.
Abstract
A detecting method for network intrusion includes: selecting a plurality of features contained within plural statistical data by a data-transforming module; normalizing a plurality of feature values of the selected features into the same scale to obtain a plurality of normalized feature data; creating at least one feature model by a data clustering technique incorporated with density-based and grid-based algorithms through a model-creating module; evaluating the at least one feature model through a model-identifying module to select a detecting model; and detecting whether a new packet datum belongs to an intrusion instance or not by a detecting module.
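The normalizing and model-creating steps of claim 1, sketched as an added Python example that is not code from the patent. The DGT value is passed in as a parameter because this page does not say how it is derived, and the sample rows, the parameters `grid`, `density_min`, `eps` and `min_pts`, the core-point test used for sub-clusters and the lowest-id tie-break are all assumptions of this sketch.

```python
from collections import defaultdict
from itertools import product
from math import dist

# Constructed sample rows: (connections per second, mean packet bytes).
SAMPLE = [(0, 0), (6, 7), (8, 6), (10, 10), (12, 9),
          (26, 10), (27, 11), (28, 10), (48, 2), (100, 100)]

def normalize(rows):
    """Min-max scale every feature column into the same [0, 1] range."""
    cols = list(zip(*rows))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [tuple((v - l) / (h - l) if h > l else 0.0
                  for v, l, h in zip(r, lo, hi)) for r in rows]

def neighbours(cube):
    """Yield the index of every cube touching `cube` (faces, edges, corners)."""
    for step in product((-1, 0, 1), repeat=len(cube)):
        if any(step):
            yield tuple(a + b for a, b in zip(cube, step))

def build_model(points, grid, density_min, dgt, eps, min_pts):
    """Map each clustered point to a cluster id; unmapped points are noise."""
    cubes = defaultdict(list)
    for p in points:  # place each point in its cube by normalized value
        cubes[tuple(min(int(v * grid), grid - 1) for v in p)].append(p)
    populated = {c: ps for c, ps in cubes.items() if len(ps) > density_min}
    major = {c for c, ps in populated.items() if len(ps) > dgt}
    minor = set(populated) - major  # assumption: a count equal to dgt is minor
    label, next_id = {}, 0
    for start in sorted(major):  # adjacent major cubes share one cluster id
        if start in label:
            continue
        label[start], stack = next_id, [start]
        while stack:
            for n in neighbours(stack.pop()):
                if n in major and n not in label:
                    label[n] = next_id
                    stack.append(n)
        next_id += 1
    model = {p: label[c] for c in major for p in populated[c]}
    for c in sorted(minor):  # density pass inside each minor cube
        adjacent = sorted(label[n] for n in neighbours(c) if n in major)
        for p in populated[c] if adjacent else ():  # no major neighbour: noise
            close = sum(1 for q in populated[c] if dist(p, q) <= eps)
            if close >= min_pts:  # p sits in a dense sub-cluster: merge it
                model[p] = adjacent[0]
    return model
```

With `grid=4`, `density_min=1`, `dgt=4`, `eps=0.05` and `min_pts=3`, the three tightly grouped rows in the minor cube join the neighbouring major cube's cluster, while the isolated row in that cube and the lone row at (100, 100) stay unassigned.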
Specification