Detecting Intrusion Using Recursive Clustering and Sum of Log Distance to Sub-centroid

Network security is becoming a focus in computer security research. One way to maintain the security of computer networks is using network-based Intrusion Detection System (N-IDS). Here, machine learning-based IDS has been gaining more attention than other methods for decades. In more details, feature representation is one of the methods which is used to classify data in machine learning. A small amount of good features is able to increase the accuracy of detection process and also to decrease the cost of computation; and for some cases, it gives the network administrator some idea what needs to do. Some research has been done in order to find good features. Nevertheless, it is relatively not good as represented by its accuracy.This paper proposes a new method to generate a representative feature to classify normal and anomalous connections. In this approach, two types of distance are measured and summed to generate a new feature. The first is the distance whose value is the sum of data item to cluster centers; while the second is the distance whose value is sum of log distance from data to its cluster sub-centroids. This new one-dimensional data is used to classify new data using k-nearest neighbor classifier. The experimental results, which are obtained by using a subset of KDD99 and Kyoto2006++, are relatively good in terms of accuracy and specificity, those are (99.57%, 99.75%) and (94.84%, 93.53%), respectively.