Research on SVM-Based Network Intrusion Detection
Abstract (translated from Chinese)
With the development of computer network technology, computer networks have also been widely applied in the field of transportation. The popularization and application of computer networks place higher demands on network security. Intrusion detection, as an important topic of network security research, has attracted wide attention at home and abroad.
Traditional intrusion detection methods suffer from false positives, false negatives and poor real-time performance; in particular, they need large or complete training data sets to reach satisfactory detection performance, and their training time is long. It is therefore of theoretical and practical importance to study intrusion detection methods that can correctly extract the features of the training data from small samples and produce models with good generalization.
By analyzing the problems of the detection methods used in current intrusion detection systems and combining them with the characteristics of the support vector machine classification algorithm, this thesis applies the support vector machine as the detection method in network intrusion detection.
Through analysis of the classification performance of the traditional support vector machine algorithm, and in order to solve the problem that the support vectors generated by the traditional SVM contain duplicates, this thesis proposes an auto-weighted support vector machine, AW-SVM (Auto-Weighted SVM), an improvement on C-SVM. Considering the characteristics of C-SVM and the fact that in intrusion detection detecting attacks is more important than detecting normal data, the WC-SVM (Weighted C-SVM) algorithm is proposed; it weights important classes and samples during training and thus lowers the probability of misclassifying important samples. Because network data are singular in nature, the kernel function of the classification algorithm is also modified so that it is better suited to the detection of network data.
Based on the improved support vector machine algorithm and kernel function, this thesis designs and implements an SVM-based intrusion detection classifier and tests its performance. The test results show that the improved algorithm trains and classifies very quickly, processing each record within milliseconds, with high accuracy that is generally above that of common classification algorithms. The results also show that the support vector machine has strong learning ability, performs well on new intrusion types, can detect unknown attacks, and has good self-learning capability.
Abstract (original English)
With the development of computer network technology, computer networks have been extensively used in the transportation field. With the popularization and application of computer networks, more and more attention is being focused on network security; as one of the most important parts of network security, intrusion detection systems (IDS) have attracted attention from all over the world.
Traditional intrusion detection methods have many defects, such as false negatives and false positives, and they need large amounts of training data and a long time to reach good detection performance. So it is meaningful to find a method that can detect attacks with a small amount of training data in a short time.
Through analysis of current intrusion detection methods and of the characteristics of the support vector machine (SVM), this thesis applies SVM as the classification method in the network intrusion detection field.
By analyzing the traditional C-SVM, we found that it is over-dependent on every training sample, even when samples are duplicated many times. This dependence results in longer training time and more support vectors, and more support vectors mean more time to classify new samples. To overcome this dependence, we propose AW-SVM (Auto-Weighted Support Vector Machine). Considering that C-SVM does not take into account the different importance of training samples, we propose the WC-SVM algorithm, which introduces class weight factors and sample importance factors into C-SVM and decreases the probability of misclassifying important samples. Combining the characteristics of network data, we also revised the kernel function of the SVM.
Using the modified algorithm and kernel, we designed an SVM-based classifier for intrusion detection and tested it. Experiments show that the speed of training and classification is very high and that the classifier is well suited to network intrusion detection.