Building multiple behavioral models for network intrusion identification
Abstract
Instead of only profiling normal behavior for network anomaly intrusion detection, in this paper we not only build normal behavioral models but also establish individual attack behavioral models for network intrusion identification. The normal behavioral model is built from normal data, and each individual attack behavioral model is built from the data of that attack. K-Nearest Neighbor (kNN) and Principal Component Analysis (PCA) are used to identify network intrusions against the multiple behavioral models. The methods and the models are tested on the KDD 99 data sets, and the test results show that both methods are promising in terms of identification accuracy. Some merits and limitations of the two methods for intrusion identification are also discussed and analyzed.
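The multi-model scheme described above, written out as an added example (this is not the paper's code and uses no KDD 99 records). One behavioral model is fitted per class (one for normal traffic, one per attack type) and a test connection is assigned to the model it fits best. Everything specific is an assumption: the four features (duration, src_bytes, dst_bytes, count) and the fifteen constructed training records, the per-feature z-scaling, the pure-Python power-iteration PCA, and the PCA score, which is a Hotelling-style sum over each model's top components plus a residual term, both floored by `eps` so that directions with near-zero variance in a small training set do not blow up. The kNN identifier simply votes among the nearest training records pooled from all models.

```python
import math
from collections import Counter

# Constructed sample records (not KDD 99). One list per behavioral model:
# [duration, src_bytes, dst_bytes, count], "count" = connections to the
# same host in a short window. Each model is built from its own rows only.
TRAIN = {
    "normal":     [[1.0, 200.0, 1500.0, 2.0], [2.0, 250.0, 1600.0, 1.0],
                   [1.5, 180.0, 1400.0, 3.0], [0.5, 220.0, 1550.0, 2.0],
                   [1.2, 210.0, 1450.0, 1.0]],
    "dos_flood":  [[0.0, 0.0, 0.0, 400.0], [0.0, 0.0, 0.0, 450.0],
                   [0.0, 10.0, 0.0, 380.0], [0.0, 0.0, 0.0, 420.0],
                   [0.0, 5.0, 0.0, 410.0]],
    "probe_scan": [[0.0, 40.0, 10.0, 60.0], [0.0, 45.0, 12.0, 55.0],
                   [0.0, 38.0, 8.0, 65.0], [0.0, 42.0, 11.0, 58.0],
                   [0.0, 41.0, 9.0, 62.0]],
}

def fit_scaler(rows):
    """Per-feature mean/std over all training rows so byte counts do not
    dominate distances (assumed preprocessing, not the paper's)."""
    n, d = len(rows), len(rows[0])
    mean = [sum(r[j] for r in rows) / n for j in range(d)]
    std = [math.sqrt(sum((r[j] - mean[j]) ** 2 for r in rows) / n) or 1.0
           for j in range(d)]
    return mean, std

def scale(x, scaler):
    mean, std = scaler
    return [(x[j] - mean[j]) / std[j] for j in range(len(x))]

def covariance(rows, mean):
    d = len(mean)
    cov = [[0.0] * d for _ in range(d)]
    for r in rows:
        dev = [r[j] - mean[j] for j in range(d)]
        for i in range(d):
            for j in range(d):
                cov[i][j] += dev[i] * dev[j] / len(rows)
    return cov

def top_components(cov, k, iters=500):
    """Top-k (eigenvalue, unit eigenvector) pairs by power iteration with
    deflation; enough for a handful of features without numpy."""
    d = len(cov)
    cov = [row[:] for row in cov]
    comps = []
    for _ in range(k):
        v = [1.0 / (i + 1.0) for i in range(d)]      # asymmetric start vector
        for _ in range(iters):
            w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
            norm = math.sqrt(sum(c * c for c in w))
            if norm < 1e-12:                          # no variance left
                break
            v = [c / norm for c in w]
        lam = sum(v[i] * sum(cov[i][j] * v[j] for j in range(d)) for i in range(d))
        comps.append((lam, v))
        for i in range(d):                            # deflate found component
            for j in range(d):
                cov[i][j] -= lam * v[i] * v[j]
    return comps

def build_model(rows, k=2):
    """One behavioral model = class mean + top-k principal components."""
    d = len(rows[0])
    mean = [sum(r[j] for r in rows) / len(rows) for j in range(d)]
    return {"mean": mean, "components": top_components(covariance(rows, mean), k)}

def pca_score(x, model, eps=0.05):
    """Lower = better fit: sum of y_i^2/(lambda_i+eps) over the model's
    components plus the residual off the subspace divided by eps."""
    d = len(x)
    dev = [x[j] - model["mean"][j] for j in range(d)]
    score, recon = 0.0, [0.0] * d
    for lam, v in model["components"]:
        y = sum(dev[j] * v[j] for j in range(d))
        score += y * y / (lam + eps)
        recon = [recon[j] + y * v[j] for j in range(d)]
    resid = sum((dev[j] - recon[j]) ** 2 for j in range(d))
    return score + resid / eps

def identify_pca(x, models, scaler):
    xs = scale(x, scaler)
    return min(models, key=lambda name: pca_score(xs, models[name]))

def identify_knn(x, labeled, scaler, k=3):
    xs = scale(x, scaler)
    nearest = sorted(labeled, key=lambda it: sum((a - b) ** 2 for a, b in zip(xs, it[0])))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]

ALL_ROWS = [r for rows in TRAIN.values() for r in rows]
SCALER = fit_scaler(ALL_ROWS)
MODELS = {name: build_model([scale(r, SCALER) for r in rows]) for name, rows in TRAIN.items()}
LABELED = [(scale(r, SCALER), name) for name, rows in TRAIN.items() for r in rows]

# Constructed held-out records, one per model.
TEST = [([1.3, 215.0, 1480.0, 2.0], "normal"),
        ([0.0, 2.0, 0.0, 430.0], "dos_flood"),
        ([0.0, 43.0, 10.0, 59.0], "probe_scan")]

def evaluate(test=TEST):
    """Return (kNN accuracy, PCA accuracy) over the held-out records."""
    knn_hits = sum(identify_knn(x, LABELED, SCALER) == lbl for x, lbl in test)
    pca_hits = sum(identify_pca(x, MODELS, SCALER) == lbl for x, lbl in test)
    return knn_hits / len(test), pca_hits / len(test)

if __name__ == "__main__":
    for x, lbl in TEST:
        print(lbl, "->", identify_knn(x, LABELED, SCALER), identify_pca(x, MODELS, SCALER))
    print("accuracy (kNN, PCA):", evaluate())
```

The residual term is what lets a per-attack model reject records that merely lie along one of its principal directions: without it, a model whose only variance is along `count` would also accept any record that differs from it only in `count`. On real KDD 99 data the per-class models would be fitted with many more records and more components; the scoring shape stays the same.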