An integrated approach to network intrusion detection with block clustering analysis, Generalised logistic regression and linear discriminant analysis

The objective of this study is to develop an integrated modelling approach to network intrusion detection with three multivariate statistical methods: Block Clustering (BC) Analysis, Generalised Logistic Regression (GLR) and Linear Discriminant Analysis (LDA). A pipeline processing strategy with BC followed by either GLR or LDA is attempted in order to automate the intrusion detection process. The preliminary testing results show that the integration of BC and LDA is very promising, but that of BC and GLR is uncertain. Essentially, BC offers a classification algorithm, and LDA or GLR further assesses the results pipelined from BC and enables a judgement to be made (e.g., intrusive, suspicious, or normal). Although clustering techniques have been widely utilised for intrusion detection from the very beginning of the field, to the best of our knowledge, BC has not been applied in intrusion detection or computer science previously. The two-way joining strategy of BC in cluster detection is especially desirable for intrusion detection since information from both data cases and variables (features) are synthesised to form block clusters, while other clustering methods often only consider information from either data cases or variables. The paper also discusses the justification for our choice of the three statistical methods. The choice is largely determined by two of the most obvious properties of intrusion audit data: most variables in intrusion detection data are categorical, rather than continuous; the probability distributions of these variables usually are not normally distributed. In perspective, we suggest that the integration of BC with Independent Component Analysis (ICA) (which has been successfully utilised in speech recognition, brain imaging and intrusion detection in combination with other statistical methods) is likely to offer a mutually complementary approach. We further suggest that the integration of the approach developed in this paper with Multidimensional Scaling (MDS) may produce an effective technology for building visualised real-time intrusion detection systems. Copyright © 2010 Inderscience Enterprises Ltd.