(ProQuest: ... denotes formulae omitted.)

I. INTRODUCTION

With the number of intrusion and hacking incidents around the world on the rise, the importance of having dependable intrusion detection systems in place is greater than ever. An intrusion detection system is designed to detect several types of abnormal behaviors that can compromise the security and trust of a computer system.

Now the main intrusion detection technology is divided into two categories: misuse detection [1-2] and anomaly detection [3-7]. Misuse detection encodes the known attacks into the signatures and detects attacks whose signatures are known and have been encoded. Intrusion detection system based on misuse detection can not detect unknown attacks. The process of signing attacks is enormous cost for systems. Unlike misuse detection, anomaly detection builds the normality profiles on the basis of normal behaviors of users, often using machine learning or data mining techniques. In the process of detection, online traffic is matched with the normality profiles, and deviations are marked as anomalies. Since no knowledge of attacks is used to train the normality profiles, anomaly detection can detect previously unknown attacks. Therefore anomaly detection is hotspot in the field of intrusion detection.

Many popular technologies are applied in the field of anomaly detection. Clustering algorithm [21-23] is a successful application in the field of anomaly detection. Density clustering [9-12] and hierarchical clustering [12- 15] are two outstanding representative kinds of clustering algorithms. Density clustering can build arbitrary shape cluster, but calculation is too complex. Hierarchical clustering has good efficiency and is easy to implement incremental algorithm, but only build spherical cluster. So profiles of hierarchical are generally less precise than profiles of density clustering.

Moreover, the growth of network flow makes the real time of anomaly...