1. Field of the Invention
The present invention relates to a detecting method for network intrusion and, particularly, to a detecting method that creates a detecting model by a data clustering technique combining density-based and grid-based algorithms, in order to detect intrusive connections to a network.
2. Description of the Related Art
Generally, conventional detecting methods for network intrusion can be categorized into “misuse detection” and “anomaly detection”.
In misuse detection, an “intrusion mode database” is pre-established with the patterns of various well-known intrusions, and a detected intrusion instance is then compared with the patterns within the database. The comparison focuses on features such as the way the instance connects to the network, and the instance is identified as an intrusion if a similar pattern is found. However, the intrusion mode database must be renewed regularly with the latest patterns of well-known intrusions, which makes the database difficult to manage. Also, because of the large number of patterns within the database, detection is inefficient. Furthermore, misuse detection is unable to detect an unknown intrusion until a corresponding pattern has been entered into the intrusion mode database, a defect that lowers the accuracy of intrusion detection.
In contrast to misuse detection, anomaly detection determines whether a network intrusion has occurred by recognizing an intrusion instance as a deviation from normal behavior. To make this determination by identifying the differences between an intrusion instance and a normal pattern, a “normal instance model” is created and trained with a plurality of labeled data, and intrusion instances are then recognized through the normal instance model. Consequently, an intrusion instance, which differs from the normal patterns that pass the test held by the normal instance model, is distinguished. The advantage of anomaly detection lies in that the intrusion mode database used in misuse detection is not required, such that anomaly detection can detect unknown intrusions.
However, once a datum of an intrusion instance is included in the labeled data, the anomaly detection is no longer able to detect intrusions accurately and effectively. Moreover, although anomaly detection has recently been widely applied, it is still not ideal for use, because labeled data that totally excludes intrusion data is hard to acquire owing to the time-consuming extraction required.
Furthermore, a detecting method for network intrusion is presented in Taiwan Patent No. 1268685 titled “method and system with data clustering technique for network intruding detection”. According to that method, packet statistical data is provided initially, and a plurality of features of the packet statistical data is then identified. With those features, a data clustering process is applied to create a plurality of feature models, and the correctness of each feature model is finally evaluated in order to select one of the feature models as the detecting model for judging whether a new packet datum belongs to an intrusion. Accordingly, the correctness of the detecting model and the accuracy of the network intrusion detection depend on the reliability of the data clustering process, and both can be largely raised by a data clustering method with high efficiency and accuracy. Hence, there is a need to improve the conventional clustering techniques.
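As an added illustration of the clustering-based detecting model described above (not the method of the cited patent or of the present invention), the following Python builds a grid-based density model from constructed connection statistics and flags any record that falls outside every dense region; the feature set, grid width and density threshold are assumptions, and the grid code works for any number of feature dimensions, not only the two used here.

```python
"""Grid-based density clustering used as an intrusion detecting model (added
example; feature set, grid width and density threshold are assumptions)."""
from collections import Counter, deque
from typing import Dict, Iterable, List, Sequence, Set, Tuple

Cell = Tuple[int, ...]

def cell_of(point: Sequence[float], width: float) -> Cell:
    """Quantise a feature vector into the grid cell it falls in."""
    return tuple(int(v // width) for v in point)

def dense_cells(points: Iterable[Sequence[float]], width: float,
                min_pts: int) -> Dict[Cell, int]:
    """Density step: count records per cell and keep cells holding at least
    min_pts records; sparse cells are treated as noise, not as a model."""
    counts = Counter(cell_of(p, width) for p in points)
    return {c: n for c, n in counts.items() if n >= min_pts}

def neighbours(cell: Cell) -> List[Cell]:
    """Cells differing by at most 1 in every coordinate (excluding cell)."""
    cells: List[Cell] = [()]
    for coord in cell:
        cells = [c + (coord + d,) for c in cells for d in (-1, 0, 1)]
    return [c for c in cells if c != cell]

def cluster_cells(dense: Dict[Cell, int]) -> List[Set[Cell]]:
    """Merge adjacent dense cells into clusters by breadth-first search."""
    unseen, clusters = set(dense), []
    while unseen:
        start = unseen.pop()
        queue, members = deque([start]), {start}
        while queue:
            for n in neighbours(queue.popleft()):
                if n in unseen:
                    unseen.remove(n)
                    members.add(n)
                    queue.append(n)
        clusters.append(members)
    return clusters

def is_anomalous(point: Sequence[float], dense: Dict[Cell, int],
                 width: float) -> bool:
    """Detecting model: a record is normal if its own cell or an adjacent cell
    is dense; anything else lies outside every cluster and is flagged."""
    c = cell_of(point, width)
    return c not in dense and not any(n in dense for n in neighbours(c))

# Constructed training records: (connections per second, mean payload bytes),
# assumed pre-scaled so that one grid width is meaningful in both dimensions.
NORMAL = [(12 + i % 4, 480 + 10 * (i % 5)) for i in range(30)]
WIDTH, MIN_PTS = 10.0, 3
MODEL = dense_cells(NORMAL, WIDTH, MIN_PTS)   # one cluster of 5 dense cells
```

Records near the dense cluster are accepted even when they land in an adjacent cell, while a record such as (400, 40) or (14, 1400) is flagged because no dense cell lies next to it.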