As web data is increasing at an exponential rate, it is impossible for safety devices to dealing with the large scale data by the traditional way. For saving the calculation and storage resources on safety devices, incremental intrusion detection algorithm becomes a research focus. It can make a good use of existed processing results on web data set. In this paper, a network anomaly detection algorithm ADIC using incremental density-based clustering is proposed. The algorithm clusters on each feature of the training data set. The properties of a cluster are described by a statistical profile. The collection of all statistical profiles on training data set is used to monitor the target system and detect intruders. The updating algorithm of insertion and is explored to adjust existing clusters and statistical profiles real-timely. Due to the density-based nature, updating operations affects the former clusters only in a small range neighborhood of the inserted or deleted training instances. Thus, our algorithm is efficient enough to meet the request of real-time detection and updating. The comparison experiment with ADWICE algorithm on KDDCUP99 reflects that our algorithm has a better performance on incremental data processing and higher detection quality.

• 出版日期2009