Information Technology Reference
In-Depth Information
are delay ( dur ), number of bytes sent from Source ( srcBytes ), number of bytes sent
to destination ( dstBytes ), and so on.
The numerical elements should be preprocessed to be appropriate for the
synthetic dimension reduction method. The detail of the discretization algorithm
can be refered to paper . After discretization, the numerical element is turned
into a character one, and finally, the vector, X , will be fit for the algrithms of
similar distance calculation.
3.2 The Similar Distance Algorithm
In this paper, we regard the similarity between two network behaviors as the base to
establish an intrusion detection system. The similarity algorithm grounds on a syn-
thetic dimension reduction model in analogy reasoning. Both the contribution of the
similar elements and the dissimilar elements are taken into consider for the similarity
measurement.
Here, the N-dimensions vector (2),
L
X
=
[
x
,
x
,
,
x
]
,
(2)
1
2
n
represents a network behavior. The x ( i = 1,…, n ), is one of the elements in the vec-
tor X , standing for an attribute of the network behavior. The similarity between two
behaviors shows their likeness degree. For the convenience, some definitions are
listed as follows.
Definition 1. Similarity between two Behavior Vectors
X and Y stand for two behavior vectors respectively, the similarity between them
can be calculated by means of formula (3).
f
(
X
I
Y
)
Sim
(
X
,
Y
)
=
,
(
α
0
(3)
f
(
X
I
Y
)
+
α
f
(
X
Y
)
In formula (3), function
denotes the similarity contribution of the matched
f
(
X
I
Y
)
elements, and the function
denotes similarity contribution of the dismatched
f
(
X
Y
)
elements.
is a coefficient for the contribution of the dismatched elements. The
α
Sim
(
X
,
Y
)
value of
is not less than 0. Evidently, the value of
is larger than 0 and
α
less than 1.
Definition 2. Similarity between a Behavior Vectors and a Behavior Set
If set A is a behavior set, and X is a behavior vector, then the similarity between
them can be calculated by means of formula (4).
Sim
(
X
,
A
)
=
max{
Sim
(
X
,
A
),
A
A
,
j
=
0
L
,
m
}
(4)
j
j             Search WWH ::

Custom Search