In order to overcome the poser that traditional immunity-based intrusion detection system usually need enough labelled data to produce antibodies that have good generalisation performance, yet it is difficult to obtain sufficient labelled data in network environment, we make in-depth study on unsupervised clustering technology and the immunity method and combine them together, then propose an immune intrusion detection algorithm based on semi-supervised clustering technology, namely SCUD (Semi-supervised cluster based Immune Intrusion Detection), in this paper. During the stage of antibodies generation the time of negative selection can be greatly shortened through clustering the self-samples, and during the stage of intrusion detection it the categories of unlabeled data can be rapidly obtained with clustering technique, and then they are used to guide the subsequent learning process so as to enhance the detection rate. Simulation results show that the proposed algorithm can obtain the types of majority unlabeled data, and can discover new attack types in circumstance of only having a little number of the labelled data, moreover, the detection rate of SCUD is higher than that of pure immunity-based method with same number of training datasets.%传统的基于免疫的入侵检测系统需要足够的标记数据才能够生成具有良好泛化性能的抗体,而网络环境中获得充足的标记数据是困难的.为克服这一难题,对无监督聚类技术及免疫方法进行深入研究,并将二者结合起来,提出一种半监督的免疫入侵检测算法SCIID(Semi-supervised cluster based Immune Intrusion Detection).在抗体产生阶段通过对自我样本进行聚类,大大缩短了阴性选择的时间;在入侵检测阶段采用聚类技术可快速获取未标记数据的类别,进而指导后续的学习过程,达到提高检测率的目的.仿真结果表明,该算法在仅有少量标记数据的情况下,可以获得大部分未标记数据的类别,而且能发现新的攻击类型,同等训练样例数目条件下检测率高于单纯基于免疫的方法.
展开▼
