are delay (dur), number of bytes sent from source (srcBytes), number of bytes sent to destination (dstBytes), and so on.

The numerical elements should be preprocessed to suit the synthetic dimension reduction method. The details of the discretization algorithm can be found in paper [13]. After discretization, each numerical element is turned into a character element, and finally the vector, X, is fit for the similar distance calculation algorithms.

3.2 The Similar Distance Algorithm

In this paper, we regard the similarity between two network behaviors as the basis for establishing an intrusion detection system. The similarity algorithm is grounded on a synthetic dimension reduction model in analogy reasoning. The contributions of both the similar elements and the dissimilar elements are taken into consideration for the similarity measurement.

Here, the N-dimensional vector (2),

$$X = [x_1, x_2, \ldots, x_n], \tag{2}$$

represents a network behavior. Each $x_i$ ($i = 1, \ldots, n$) is one of the elements of the vector $X$ and stands for an attribute of the network behavior. The similarity between two behaviors shows their degree of likeness. For convenience, some definitions are listed as follows.

Definition 1. Similarity between two Behavior Vectors

Let $X$ and $Y$ stand for two behavior vectors. The similarity between them can be calculated by means of formula (3).

$$\mathrm{Sim}(X, Y) = \frac{f(X \cap Y)}{f(X \cap Y) + \alpha \cdot f(X - Y)}, \quad (\alpha \ge 0) \tag{3}$$

In formula (3), the function $f(X \cap Y)$ denotes the similarity contribution of the matched elements, and the function $f(X - Y)$ denotes the similarity contribution of the mismatched elements. $\alpha$ is a coefficient for the contribution of the mismatched elements. The value of $\alpha$ is not less than 0. Evidently, the value of $\mathrm{Sim}(X, Y)$ is larger than 0 and less than 1.

Definition 2. Similarity between a Behavior Vector and a Behavior Set

If set $A$ is a behavior set, and $X$ is a behavior vector, then the similarity between them can be calculated by means of formula (4).

$$\mathrm{Sim}(X, A) = \max\{\mathrm{Sim}(X, A_j),\ A_j \in A,\ j = 0, \ldots, m\} \tag{4}$$
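Formulas (3) and (4) as an added Python example, not code from the paper. It assumes that f counts elements and that discretized attributes are compared position by position, since the page does not define f; the sample records, the value α = 0.5, and the 0.0 result for a zero denominator are constructed for illustration.

```python
from typing import Sequence, Tuple


def sim(x: Sequence[str], y: Sequence[str], alpha: float = 0.5) -> float:
    """Formula (3): f(X ∩ Y) / (f(X ∩ Y) + alpha * f(X - Y)).

    Assumption: f is a plain element count and x[i] is compared with y[i].
    """
    if alpha < 0:
        raise ValueError("alpha must be >= 0")
    if len(x) != len(y):
        raise ValueError("behavior vectors must have the same dimension")
    matched = sum(1 for a, b in zip(x, y) if a == b)  # f(X ∩ Y)
    mismatched = len(x) - matched                     # f(X - Y)
    denom = matched + alpha * mismatched
    # Assumption: a zero denominator (empty vectors, or alpha = 0 with no
    # matched element) is reported as similarity 0.0 instead of dividing.
    return matched / denom if denom else 0.0


def sim_set(x: Sequence[str], behavior_set: Sequence[Sequence[str]],
            alpha: float = 0.5) -> Tuple[float, int]:
    """Formula (4): max over A_j in A of Sim(X, A_j).

    Returns (best similarity, index j of the closest behavior vector).
    """
    if not behavior_set:
        raise ValueError("behavior set must not be empty")
    scores = [sim(x, a_j, alpha) for a_j in behavior_set]
    best = max(range(len(scores)), key=scores.__getitem__)
    return scores[best], best


# Constructed sample: discretized (dur, srcBytes, dstBytes) records, where
# each letter is the interval label produced by the discretization step.
BEHAVIOR_SET = [
    ("a", "b", "b"),  # A_0: two attributes match OBSERVED
    ("b", "c", "d"),  # A_1: one attribute matches
    ("b", "b", "c"),  # A_2: no attribute matches
]
OBSERVED = ("a", "c", "b")

if __name__ == "__main__":
    for j, a_j in enumerate(BEHAVIOR_SET):
        print(f"Sim(X, A_{j}) = {sim(OBSERVED, a_j):.3f}")
    score, j = sim_set(OBSERVED, BEHAVIOR_SET)
    print(f"Sim(X, A) = {score:.3f} (closest vector: A_{j})")
```

A larger α penalizes mismatched attributes more heavily, so the same pair of records scores lower as α grows.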
