Research and Application of Support Vector Machines in Intrusion Detection Systems
Abstract
Intrusion detection is an active defense technique that makes up for the shortcomings of traditional security technologies. Because intrusion methods are complex and varied, no functional relationship between intrusion behaviour and the features of network connection data has yet been found; machine learning is an effective way of approximating and estimating that relationship.
Support vector machines (SVM) are a machine learning method built on statistical learning theory that handles small samples, nonlinearity, high dimensionality and local minima well. Applying SVMs to intrusion detection yields good detection performance.
Building on a detailed study of SVM theory and its applications, this thesis proposes an SVM-based classifier model, refines it, and applies it to intrusion detection. Combined with the CIDF structure for intrusion detection, it further proposes an SVM-based intrusion detection system model comprising a network data capture module, a network connection information extraction module, a data preprocessing module, an SVM training module, an SVM support vector library, an event log library, and an output and response module, and describes the function of each module.
Building on a detailed study of SVM algorithms and kernel selection, the thesis improves existing algorithms, tries different kernel functions and tunes their parameters to reach the best classification result, implements both binary and multi-class SVM classification, and validates the algorithms on existing data. Statistical methods such as principal component analysis and factor analysis are used to reduce the dimensionality of the original data; on that basis a new feature extraction and selection method, adaptive feature weighting, is proposed and applied to feature extraction and selection. The SVM is then combined with adaptive-feature-weighting feature selection for intrusion detection. Experiments show that with the new algorithm classification accuracy improves noticeably for both binary and multi-class classification, and training and test time improve to varying degrees, with training time in particular reduced substantially, which greatly improves system performance. Moreover, adaptive feature weighting obtains the weighting coefficients directly from a factor analysis of the training samples, replacing the previous trial-and-error parameter setting and making the method simple and practical.
Intrusion detection systems (IDS) are an active defense technology that fills gaps left by classical defenses. However, because intrusions are complex and varied, the functional relationship between intrusion behaviour and the features of network connection data has not yet been found; machine learning is an attempt to approximate that relationship.
Support vector machines (SVM) are a learning machine based on statistical learning theory. They cope with problems such as limited samples, nonlinear spaces, high dimensionality and local extrema. Applying SVMs to intrusion detection gives better detection results.
Based on in-depth study of SVM theory and its applications, we present an SVM-based classification model, improve it and apply it to intrusion detection. Combining it with the CIDF structure of an IDS, we further present an SVM-based IDS model with a network data capture module, a network connection information module, a data preprocessing module, an SVM training module, an SVM support vector base, an event log base and a response module.
Based on in-depth study of SVM algorithms and kernel function selection, we improve existing algorithms, select suitable kernel functions and adjust their parameters to obtain the best results. We then implement binary and multi-class SVM classification and demonstrate the superiority of SVM classification experimentally on the KDD CUP'99 data set. We reduce the dimensionality of the original data with suitable statistical methods such as principal component analysis and factor analysis; on that basis we present an adaptive feature-weighted SVM, apply it to feature selection, and combine the two algorithms in our model. Experimental results show that detection precision rises clearly, while training and test time also improve to varying degrees for both binary and multi-class classification; training time in particular falls sharply, so overall system performance improves. Moreover, adaptive feature weighting obtains the feature weights directly from a factor analysis of the training samples, replacing trial-and-error parameter tuning and simplifying the process.
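The pipeline the abstract describes, as an added worked example that is not the thesis's own code: standardize connection features, derive a per-feature weight from the training samples, scale the features by those weights, and train a one-vs-rest SVM for multi-class detection. The page does not give the factor-analysis formula for the weights, so the weighting rule here (largest standardized class-mean separation per feature) is an assumption standing in for it; the SVM solver (Pegasos subgradient descent on the linear primal) is likewise an assumption, and the connection records, feature names and class labels are constructed, not KDD CUP'99 data. The point it shows is the one the abstract makes: a feature that carries no label information receives a weight near zero without any trial-and-error tuning.

```python
"""Feature-weighted linear SVM for connection-record classification (added example).

Assumptions, not from the thesis: the weighting rule, the Pegasos solver,
and the constructed data set.
"""
import random

FEATURES = ["duration", "src_bytes", "dst_bytes", "count", "srv_count", "noise"]
CLASSES = ["normal", "dos", "probe"]
# Constructed per-class (mean, std) for the first five features; "noise" is
# uniform on [0, 1000) for every class and carries no label information.
PROFILES = {
    "normal": [(10, 3), (500, 100), (3000, 500), (5, 2), (5, 2)],
    "dos":    [(0.5, 0.2), (50, 20), (10, 5), (400, 50), (400, 50)],
    "probe":  [(0.5, 0.2), (20, 10), (10, 5), (100, 20), (3, 1)],
}


def make_records(n_per_class=60, seed=7):
    rng = random.Random(seed)
    X, y = [], []
    for label, profile in PROFILES.items():
        for _ in range(n_per_class):
            X.append([rng.gauss(m, s) for m, s in profile] + [rng.uniform(0, 1000)])
            y.append(label)
    return X, y


def dot(a, b):
    return sum(ai * bi for ai, bi in zip(a, b))


def fit_standardizer(X):
    """Per-feature mean and std, fitted on training rows only (preprocessing step)."""
    cols = list(zip(*X))
    means = [sum(c) / len(c) for c in cols]
    stds = [max((sum((v - m) ** 2 for v in c) / len(c)) ** 0.5, 1e-9)
            for c, m in zip(cols, means)]
    return means, stds


def standardize(X, means, stds):
    return [[(v - m) / s for v, m, s in zip(row, means, stds)] for row in X]


def separation_weights(Xs, y):
    """Assumed weighting rule: for each feature, the largest absolute standardized
    class mean, scaled so the most separating feature gets weight 1. A feature whose
    class means all sit near the global mean (pure noise) is driven toward 0."""
    d = len(Xs[0])
    raw = [0.0] * d
    for c in set(y):
        rows = [x for x, lab in zip(Xs, y) if lab == c]
        for j in range(d):
            raw[j] = max(raw[j], abs(sum(r[j] for r in rows) / len(rows)))
    top = max(raw)
    return [r / top for r in raw]


def apply_weights(Xs, w):
    # Scaling each standardized feature by its weight makes the linear kernel
    # a feature-weighted inner product.
    return [[v * wj for v, wj in zip(row, w)] for row in Xs]


def train_binary_svm(X, y_pm, lam=0.01, epochs=30, seed=0):
    """Pegasos: stochastic subgradient descent on the hinge-loss primal.
    The bias is folded in as a constant feature of 1.0; y_pm holds +1/-1 labels."""
    rng = random.Random(seed)
    w = [0.0] * (len(X[0]) + 1)
    order = list(range(len(X)))
    t = 0
    for _ in range(epochs):
        rng.shuffle(order)
        for i in order:
            t += 1
            eta = 1.0 / (lam * t)
            xi = X[i] + [1.0]
            margin = y_pm[i] * dot(w, xi)
            w = [(1.0 - eta * lam) * wj for wj in w]
            if margin < 1.0:  # inside the margin: take the hinge subgradient step
                w = [wj + eta * y_pm[i] * xj for wj, xj in zip(w, xi)]
    return w


def train_one_vs_rest(X, y):
    """Multi-class SVM as one binary SVM per class (one of the standard schemes)."""
    return {c: train_binary_svm(X, [1 if lab == c else -1 for lab in y]) for c in CLASSES}


def predict(models, x):
    return max(models, key=lambda c: dot(models[c], x + [1.0]))


def run(weighted=True, seed=7):
    """60/40 train/test split, optional feature weighting, one-vs-rest SVM.
    Returns test accuracy and the weight vector that was applied."""
    X, y = make_records(seed=seed)
    idx = list(range(len(X)))
    random.Random(seed).shuffle(idx)
    cut = int(0.6 * len(idx))
    tr, te = idx[:cut], idx[cut:]
    means, stds = fit_standardizer([X[i] for i in tr])
    Xtr = standardize([X[i] for i in tr], means, stds)
    Xte = standardize([X[i] for i in te], means, stds)
    ytr = [y[i] for i in tr]
    w = separation_weights(Xtr, ytr) if weighted else [1.0] * len(FEATURES)
    models = train_one_vs_rest(apply_weights(Xtr, w), ytr)
    preds = [predict(models, x) for x in apply_weights(Xte, w)]
    acc = sum(p == y[i] for p, i in zip(preds, te)) / len(te)
    return {"accuracy": acc, "weights": dict(zip(FEATURES, w))}


if __name__ == "__main__":
    for flag in (False, True):
        r = run(flag)
        print("weighted" if flag else "unweighted", round(r["accuracy"], 3),
              {k: round(v, 2) for k, v in r["weights"].items()})
```

Running the script prints the accuracy with and without weighting and the weight vector; on this constructed data the five informative features come out close to 1 and the noise feature close to 0. A kernel SVM (RBF or polynomial, as the abstract discusses) would use the same weighted features, or equivalently a weighted distance inside the kernel.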
