CN101594361A - Network Intrusion Detection System based on shortcut calculation of support vector machine - Google Patents
- Publication number
- CN101594361A
- Authority
- CN
- China
- Prior art keywords
- support vector
- vector
- svm classifier
- intrusion detection
- reduction
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention provides a network intrusion detection system based on a support vector machine (SVM) simplification algorithm. The system consists of a network data capture and extraction module, a network data preprocessing module, a detection module, and an output and response module, connected in sequence. The detection module is a simplified SVM classifier whose decision function is:
where $(x_i, y_i)$, $i = 1, \ldots, N_s$, are the so-called support vectors, their corresponding Lagrange multipliers $\alpha_i$ are greater than zero, $x$ is the vector to be classified, $N_s$ is the number of support vectors, and $b$ is the bias. By reducing the support vectors, the system increases the classification speed of the SVM classifier, which greatly improves the real-time response capability of the network intrusion detection system built on the simplified SVM while keeping the system's false detection rate and missed detection rate low.
Description
Technical field:
The present invention relates to a network intrusion detection system, and in particular to a network intrusion detection system based on a support vector machine (SVM) simplification algorithm.
Background:
Intrusion detection, as the name implies, is the detection of intrusion behaviour. It is a technology designed and deployed to safeguard computer systems by promptly discovering and reporting unauthorized or anomalous activity in the system. The data handled by network intrusion detection consists of several classes of attack data plus normal data, so network intrusion detection can be treated as a multi-class classification problem. The key to an intrusion detection system is building the libraries of normal and abnormal behaviour patterns. The main methods for building such behaviour models include neural networks and data mining. These methods share one characteristic: they need a large amount of training data. The data obtainable in the intrusion detection field, however, is typically highly variable, high-dimensional and small-sample, which does not satisfy the preconditions of traditional statistical methods, so both the false detection rate and the missed detection rate are relatively high.
Support vector machines (SVMs) and kernel learning methods are mainly used to solve learning problems with limited samples. They are insensitive to the dimensionality and variability of the data and offer good classification accuracy and generalization ability. They are therefore widely used in intrusion detection systems and have achieved good detection results.
However, the classification speed of an SVM classifier depends on the number of support vectors: if that number is very large, classification is very slow. For a system with demanding real-time requirements such as intrusion detection, slow detection greatly degrades performance and prevents the system from detecting and responding to attacks in time.
There is therefore a need for a network intrusion detection system that classifies quickly while keeping both the false detection rate and the missed detection rate low, so as to ensure normal use of the network.
Summary of the invention:
To overcome the above shortcomings of the prior art, the present invention proposes a network intrusion detection system based on an SVM simplification algorithm. It increases the classification speed of the SVM classifier by reducing the support vectors, and thereby greatly improves the real-time response capability of the network intrusion detection system built on the simplified SVM.
To achieve this technical purpose, the present invention adopts the following technical solution:
A network intrusion detection system based on an SVM simplification algorithm consists of a network data capture and extraction module, a network data preprocessing module, a detection module, and an output and response module, connected in sequence. The detection module is a simplified SVM classifier whose decision function is:
where $(x_i, y_i)$, $i = 1, \ldots, N_s$, are the so-called support vectors, their corresponding Lagrange multipliers $\alpha_i$ are greater than zero, $x$ is the vector to be classified, $N_s$ is the number of support vectors, and $b$ is the bias.
Compared with the prior art, the network intrusion detection system of the present invention has the following beneficial effect: by reducing the support vectors, the system increases the classification speed of the SVM classifier, so the real-time response capability of the network intrusion detection system built on the simplified SVM is greatly improved.
Description of drawings:
Fig. 1 is a block diagram of the network intrusion detection system based on the SVM simplification algorithm according to the present invention.
Embodiment:
The network intrusion detection system based on the SVM simplification algorithm is further described below with reference to the accompanying drawing.
The system consists of a network data capture and extraction module, a network data preprocessing module, a detection module, and an output and response module, connected in sequence. The detection module is a simplified SVM classifier whose decision function is:
where $(x_i, y_i)$, $i = 1, \ldots, N_s$, are the so-called support vectors, their corresponding Lagrange multipliers $\alpha_i$ are greater than zero, $x$ is the vector to be classified, $N_s$ is the number of support vectors, and $b$ is the bias.
For convenience of description, the present invention folds the class information into the Lagrange multipliers $\alpha_i$; all $\alpha_i$ hereinafter are treated in the same way. Accordingly, the decision function of formula (1) becomes:
Here each $\alpha_i$ is a non-zero number. Formula (2) shows that the time needed to classify a sample of unknown class is proportional to the number of support vectors, so reducing the number of support vectors effectively increases the classification speed of the classifier.
The vector $w$ corresponding to the optimal separating hyperplane obtained by training the SVM classifier is formally expressed as a linear combination of all support vectors in feature space:
The SVM simplification method of the present invention attempts to replace the original support vector set with a reduced vector set:
where the $z_i$ form the reduced vector set, $\beta_i \in R$ is the weight of the reduced vector $z_i$, $N_Z$ is the number of vectors in the reduced vector set, and $N_Z < N_S$. In this way $\tilde{w}$ can replace $w$ when classifying a vector $x$ of unknown class, and the SVM decision function takes the following form:
The goal of the SVM simplification method is, while keeping the loss of classification accuracy as small as possible, to find the smallest $N_Z \ll N_S$ and the corresponding reduced vector set, forming a simplified SVM classifier that classifies faster.
To reduce the number of support vectors, a new reduced vector and its weight $(z_1, \beta_1)$ are first constructed to approximate the vector $w$ in formula (3); then $(z_{m+1}, \beta_{m+1})$ is constructed iteratively to approximate the vector $w_m$, which has the following form:
Because it is not possible to find a vector $z_m$ and weight $\beta_m$ that make $w_m$ exactly zero, one can only seek the minimum $\delta$ by nonlinear optimization, where $\delta$ has the form:
For certain special kernel functions such as the Gaussian kernel, the SVM classifier uses fixed-point iteration to find the reduced vector $z$. Setting the derivative of formula (7) to zero gives the following iteration formula for $z$:
Suppose the SVM classifier has $N_S$ support vectors before simplification and $N_Z$ after. Measured in kernel function evaluations, the original SVM classifier predicts one sample with time complexity $O(N_S)$ and the simplified SVM classifier with time complexity $O(N_Z)$. Because $N_Z \ll N_S$, the simplified SVM classifier has lower classification complexity than the original SVM classifier.
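An added example, not taken from the patent: a pure-Python implementation of the greedy reduced-set construction and the Gaussian-kernel fixed-point search described above. The patent's own formulas are not reproduced in this text, so the update rule used here is the standard reduced-set fixed-point iteration from the SVM literature and is an assumption; the function names, the `gamma` parameterisation, the starting-point heuristic and the six constructed support vectors are assumptions as well.

```python
import math

def rbf(u, v, gamma):
    """Gaussian kernel k(u, v) = exp(-gamma * ||u - v||^2)."""
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(u, v)))

def project(terms, x, gamma):
    """<Psi, Phi(x)> for the expansion Psi = sum_i c_i * Phi(p_i)."""
    return sum(c * rbf(p, x, gamma) for c, p in terms)

def sq_norm(terms, gamma):
    """Squared feature-space norm of Psi = sum_i c_i * Phi(p_i)."""
    return sum(ci * cj * rbf(pi, pj, gamma)
               for ci, pi in terms for cj, pj in terms)

def next_reduced_vector(terms, gamma, iters=100, tol=1e-9):
    """Fixed-point search for one reduced vector z and its weight beta."""
    # Assumed heuristic: start at the expansion point that projects most onto Psi.
    z = max((p for _, p in terms), key=lambda p: abs(project(terms, p, gamma)))
    best_z, best_proj = z, project(terms, z, gamma)
    for _ in range(iters):
        w = [c * rbf(p, z, gamma) for c, p in terms]
        denom = sum(w)
        if abs(denom) < 1e-12:       # mixed-sign weights cancelled: keep best so far
            break
        z_new = tuple(sum(wi * p[d] for wi, (_, p) in zip(w, terms)) / denom
                      for d in range(len(z)))
        moved = max(abs(a - b) for a, b in zip(z, z_new))
        z = z_new
        proj = project(terms, z, gamma)
        if abs(proj) > abs(best_proj):
            best_z, best_proj = z, proj
        if moved < tol:
            break
    # For a Gaussian kernel k(z, z) = 1, so the optimal weight equals the projection.
    return best_z, best_proj

def reduce_svm(svs, alphas, n_z, gamma):
    """Greedily build n_z reduced vectors; alphas already carry the class sign."""
    terms = list(zip(alphas, svs))            # residual expansion as (coef, point)
    reduced, errors = [], [sq_norm(terms, gamma)]
    for _ in range(n_z):
        z, beta = next_reduced_vector(terms, gamma)
        reduced.append((beta, z))
        terms.append((-beta, z))              # subtract beta * Phi(z) from the residual
        errors.append(sq_norm(terms, gamma))  # squared approximation error so far
    return reduced, errors

def decide(terms, b, x, gamma):
    """Class decision from a kernel expansion plus bias: +1 or -1."""
    return 1 if project(terms, x, gamma) + b >= 0 else -1

# Constructed data: six support vectors in two clusters, alpha_i signed by class.
SVS = [(1.0, 1.0), (1.2, 0.8), (0.8, 1.2),
       (-1.0, -1.0), (-1.2, -0.8), (-0.8, -1.2)]
ALPHAS = [1.0, 0.5, 0.5, -1.0, -0.5, -0.5]
GAMMA, BIAS = 0.5, 0.0

if __name__ == "__main__":
    reduced, errors = reduce_svm(SVS, ALPHAS, n_z=2, gamma=GAMMA)
    print("squared error after 0, 1, 2 reduced vectors:", errors)
    for x in [(0.9, 1.3), (-1.5, -0.5)]:
        full = decide(list(zip(ALPHAS, SVS)), BIAS, x, GAMMA)
        print(x, "full:", full, "reduced:", decide(reduced, BIAS, x, GAMMA))
```

With `n_z=2` each decision costs two kernel evaluations instead of six, which is the $O(N_Z)$ versus $O(N_S)$ saving described above.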
The present invention uses KDD CUP 1999 as the experimental data set. The data set consists of connection records that Wenke Lee et al. recovered from the data collected for the 1998 Defense Advanced Research Projects Agency (DARPA) IDS evaluation. The data covers 7 weeks of network traffic, nearly 5,000,000 connection records. Because the raw data set is so large, only two representative data sets were selected for the experiments: one named 10Percent (the training set), with 494,020 records, and another named Correct (the test set), with 311,029 records.
The intrusion detection training set contains normal network traffic data and 22 attack classes; the test set contains 38 attack types in addition to normal traffic data. In this experiment both data sets are divided into 5 classes by major type, forming a new training set and test set, which are described in Table 1.
Table 1: Description of the intrusion detection training and test data
Type name | Class label | Training records | Test records |
---|---|---|---|
Normal | 1 | 97,277 | 60,593 |
Probe | 2 | 4,107 | 4,166 |
DOS | 3 | 391,458 | 229,851 |
U2R | 4 | 52 | 230 |
R2L | 5 | 1,126 | 16,189 |
The intrusion detection data set contains 7 symbolic attributes, whereas an SVM can only handle numeric attributes, so the symbolic attributes must be converted to numeric ones. The conversion works as follows. First create an all-zero numeric sequence $A_n \ldots A_2 A_1$ whose length equals the number of distinct values of the attribute, with each position in the sequence corresponding one-to-one to a value of that symbolic attribute. If a record takes a given value for this attribute, the corresponding position in the sequence is set to 1 and the rest remain 0. The sequence can then be read as a binary number, and its decimal value is the required numeric value. After the symbolic attributes have been processed, all attribute values are normalized to the interval [0, 1].
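The conversion above as an added example (not code from the patent). The field layout, the sorted order used to assign sequence positions, min-max scaling fitted on the training set, and mapping values unseen in training to the all-zero sequence are assumptions; the records are constructed.

```python
def fit_symbol_codes(column):
    """Assign each distinct symbolic value one position in A_n ... A_1.

    Setting only that position to 1 and reading the sequence as a binary
    number gives the decimal code 2**position.
    """
    return {value: 1 << pos for pos, value in enumerate(sorted(set(column)))}

def encode(records, codes):
    """Replace symbolic fields by their decimal codes; unseen values map to 0."""
    return [[float(codes[i].get(v, 0)) if i in codes else float(v)
             for i, v in enumerate(rec)]
            for rec in records]

def fit_minmax(rows):
    """Per-attribute minimum and maximum, taken from the training rows."""
    cols = list(zip(*rows))
    return [min(c) for c in cols], [max(c) for c in cols]

def normalise(rows, lo, hi):
    """Scale every attribute to [0, 1], clipping values outside the fitted range."""
    out = []
    for row in rows:
        scaled = []
        for v, a, b in zip(row, lo, hi):
            x = 0.0 if b == a else (v - a) / (b - a)
            scaled.append(min(1.0, max(0.0, x)))
        out.append(scaled)
    return out

# Constructed records: (duration, protocol_type, service, flag, src_bytes)
TRAIN = [
    (0, "tcp", "http", "SF", 215),
    (2, "udp", "domain_u", "SF", 44),
    (0, "icmp", "ecr_i", "SF", 1032),
    (5, "tcp", "smtp", "REJ", 0),
]
TEST = [(1, "tcp", "ftp", "SF", 5000)]    # "ftp" and 5000 bytes never seen in TRAIN
SYMBOLIC = (1, 2, 3)                      # indexes of the symbolic fields

def preprocess(train, test, symbolic=SYMBOLIC):
    """Fit codes and scaling on the training set, then apply them to both sets."""
    codes = {i: fit_symbol_codes([r[i] for r in train]) for i in symbolic}
    train_rows = encode(train, codes)
    lo, hi = fit_minmax(train_rows)
    return (codes, normalise(train_rows, lo, hi),
            normalise(encode(test, codes), lo, hi))

if __name__ == "__main__":
    codes, train_n, test_n = preprocess(TRAIN, TEST)
    print(codes[1])
    print(train_n[0])
    print(test_n[0])
```

Because the codes are powers of two, an attribute with many distinct values places most of them very close to 0 after scaling, which is worth checking before training.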
After suitable preprocessing of the data, LIBSVM is chosen as the standard SVM training algorithm. The kernel function is the Gaussian kernel, and the penalty parameter C and the kernel function parameter are the optimal values obtained with LIBSVM by 10-fold cross-validation on a randomly drawn subset of the experimental data set.
The experimental results are shown in Table 2. Row 1 gives the different reduction rates; rows 2-4 give the number of support vectors of the simplified SVM classifier, the error rate on the test set, and the test time for the 5-class problem. The three rows of the second column correspond to the original SVM classifier: its number of support vectors, its test error rate, and its running time on the test set.
Table 2: Classifier performance at different reduction rates
Reduction rate (%) | 0 | 60 | 80 | 95 |
---|---|---|---|---|
#RSVs | 10,791 | 4,316 | 2,158 | 540 |
Error rate (%) | 3.22 | 3.41 | 5.2 | 7.2 |
Test time (s) | 1,174 | 621 | 455 | 121 |
Table 2 shows that as the reduction rate increases, the classification speed of the simplified SVM classifier on the test set increases accordingly. The generalization performance of the simplified SVM classifier does decline as the reduction rate increases, but compared with the gain in detection speed the loss of generalization ability is very small. When the support vectors are reduced by as much as 95%, there is only a 7.2% loss in classification accuracy, while the classification speed of the simplified SVM classifier on the test set is nearly 10 times that of the original SVM classifier. This shows that, on the intrusion detection data set, the support vector simplification method substantially preserves the classification accuracy of the original SVM classifier while greatly reducing the number of support vectors. It greatly improves the classification efficiency of the SVM classifier and removes the speed bottleneck of applying SVMs to intrusion detection systems.
The network intrusion detection system of the present invention is based on an SVM simplification algorithm. It increases the classification speed of the SVM classifier by reducing the support vectors, which greatly improves the real-time response capability of the network intrusion detection system built on the simplified SVM while keeping the system's false detection rate and missed detection rate low.
Claims (5)
1. A network intrusion detection system based on a support vector machine (SVM) simplification algorithm, characterized in that: the system consists of a network data capture and extraction module, a network data preprocessing module, a detection module, and an output and response module, connected in sequence; the detection module is a simplified SVM classifier, and the decision function of the simplified SVM classifier is:
where $(x_i, y_i)$, $i = 1, \ldots, N_s$, are the so-called support vectors, their corresponding Lagrange multipliers $\alpha_i$ are greater than zero, $x$ is the vector to be classified, $N_s$ is the number of support vectors, and $b$ is the bias.
2. The network intrusion detection system based on an SVM simplification algorithm as claimed in claim 1, characterized in that: the vector $w$ corresponding to the optimal separating hyperplane of the SVM classifier is formally expressed as a linear combination of all support vectors in feature space:
3. The network intrusion detection system based on an SVM simplification algorithm as claimed in claim 2, characterized in that: the SVM classifier uses a reduced vector set $\tilde{w}$ (3) to replace the original support vector set $w$ (2):
where the $z_i$ form the reduced vector set, $\beta_i \in R$ is the weight of the reduced vector $z_i$, $N_Z$ is the number of vectors in the reduced vector set, and $N_Z < N_S$.
4. The network intrusion detection system based on an SVM simplification algorithm as claimed in claim 3, characterized in that: when the SVM classifier reduces the number of support vectors, a new reduced vector and its weight $(z_1, \beta_1)$ are first constructed to approximate the vector $w$ in formula (2), and then $(z_{m+1}, \beta_{m+1})$ is constructed iteratively to approximate the vector $w_m$, which has the following form:
5. The network intrusion detection system based on an SVM simplification algorithm as claimed in claim 4, characterized in that: for the Gaussian kernel function, the SVM classifier uses fixed-point iteration to find the reduced vector $z$, and the iteration formula for the reduced vector $z$ is:
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNA2009100993460A CN101594361A (en) | 2009-06-02 | 2009-06-02 | Network Intrusion Detection System based on shortcut calculation of support vector machine |
Publications (1)
Publication Number | Publication Date |
---|---|
CN101594361A true CN101594361A (en) | 2009-12-02 |
Family
ID=41408803
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101866403B (en) * | 2010-06-11 | 2012-07-04 | 西安电子科技大学 | Intrusion detection method based on improved OBS-NMF algorithm |
CN101866403A (en) * | 2010-06-11 | 2010-10-20 | 西安电子科技大学 | Intrusion detection method based on improved OBS-NMF algorithm |
CN102291392A (en) * | 2011-07-22 | 2011-12-21 | 中国电力科学研究院 | Hybrid intrusion detection method based on bagging algorithm |
CN102291392B (en) * | 2011-07-22 | 2015-03-25 | 中国电力科学研究院 | Hybrid intrusion detection method based on Bagging algorithm |
CN105072115B (en) * | 2015-08-12 | 2018-06-08 | 国家电网公司 | A kind of information system intrusion detection method based on Docker virtualizations |
CN105072115A (en) * | 2015-08-12 | 2015-11-18 | 国家电网公司 | Information system invasion detection method based on Docker virtualization |
CN105897517A (en) * | 2016-06-20 | 2016-08-24 | 广东电网有限责任公司信息中心 | Network traffic abnormality detection method based on SVM (Support Vector Machine) |
CN106992965A (en) * | 2017-02-27 | 2017-07-28 | 南京邮电大学 | A kind of Trojan detecting method based on network behavior |
CN109257383A (en) * | 2018-11-09 | 2019-01-22 | 中国人民解放军战略支援部队信息工程大学 | A kind of BGP method for detecting abnormality and system |
CN109257383B (en) * | 2018-11-09 | 2021-09-21 | 中国人民解放军战略支援部队信息工程大学 | BGP anomaly detection method and system |
CN110070141A (en) * | 2019-04-28 | 2019-07-30 | 上海海事大学 | A kind of network inbreak detection method |
CN111603135A (en) * | 2020-05-11 | 2020-09-01 | 江南大学 | Low-power-consumption epilepsy detection circuit based on master-slave support vector machine |
CN111603135B (en) * | 2020-05-11 | 2021-09-28 | 江南大学 | Low-power-consumption epilepsy detection circuit based on master-slave support vector machine |
CN112636570A (en) * | 2020-12-24 | 2021-04-09 | 天津大学合肥创新发展研究院 | Harmonic suppression method of current source type converter based on NS-SVM control |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C12 | Rejection of a patent application after its publication | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20091202 |