CN101594361A - Network Intrusion Detection System based on shortcut calculation of support vector machine - Google Patents

Info

Publication number
CN101594361A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CNA2009100993460A
Other languages
Chinese (zh)
Inventor
吴群
曾志强
吴剑锋
柴春雷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang University ZJU
Original Assignee
Zhejiang University ZJU

Abstract

The present invention provides a network intrusion detection system based on a support vector machine (SVM) simplification algorithm. The system consists of a network data capture and extraction module, a network data preprocessing module, a detection module, and an output and response module, connected in sequence. The detection module is a simplified SVM classifier whose decision function is:

$$f(x) = \operatorname{sgn}\left(\sum_{i=1}^{N_S} \alpha_i y_i k(x_i, x) + b\right)$$

where $(x_i, y_i)$, $i = 1, \ldots, N_S$ are the support vectors, whose corresponding Lagrange multipliers $\alpha_i$ are greater than zero, $x$ is the vector to be classified, $N_S$ is the number of support vectors, and $b$ is the bias. By reducing the support vectors, the system increases the classification speed of the SVM classifier, which greatly improves the real-time response capability of a network intrusion detection system based on the simplified SVM while keeping the system's false-detection rate and missed-detection rate comparatively low.

Description

Network Intrusion Detection System based on shortcut calculation of support vector machine
Technical field:
The present invention relates to a network intrusion detection system, and in particular to a network intrusion detection system based on a support vector machine (SVM) simplification algorithm.
Background art:
Intrusion detection, as the name suggests, is the detection of intrusion behavior: a technology designed and deployed to keep a computer system secure by discovering and reporting unauthorized or anomalous activity in the system in time. The data handled by network intrusion detection consists of several classes of attack data plus normal data, so network intrusion detection can be treated as a multi-class classification problem. The key to an intrusion detection system is building the library of normal and abnormal behavior patterns. The main methods for building such behavior models include neural networks and data mining. These methods share one characteristic: they need a large amount of training data. The data available in the intrusion detection field, however, is usually highly variable, high-dimensional and small in sample size, which does not meet the preconditions of traditional statistical methods, so both the false-detection rate and the missed-detection rate are comparatively high.
Support vector machines (SVM) and kernel learning methods are mainly used to solve learning problems with limited samples. They are insensitive to the dimensionality and variability of the data and have good classification accuracy and generalization ability; they are therefore widely used in intrusion detection systems and have achieved good detection results.
However, the classification speed of an SVM classifier depends on the number of support vectors: if that number is very large, the classifier is very slow. For a system with real-time requirements as high as intrusion detection, slow detection seriously degrades performance, because attacks cannot be detected and responded to in time.
A network intrusion detection system is therefore needed that classifies quickly while keeping both the false-detection rate and the missed-detection rate low, so that normal use of the network is ensured.
Summary of the invention:
To overcome the above defects of the prior art, the present invention proposes a network intrusion detection system based on an SVM simplification algorithm. It increases the classification speed of the SVM classifier by reducing the support vectors, which greatly improves the real-time response capability of a network intrusion detection system based on the simplified SVM.
To achieve this technical purpose, the present invention adopts the following technical solution:
A network intrusion detection system based on an SVM simplification algorithm consists of a network data capture and extraction module, a network data preprocessing module, a detection module, and an output and response module, connected in sequence. The detection module is a simplified SVM classifier whose decision function is:

$$f(x) = \operatorname{sgn}\left(\sum_{i=1}^{N_S} \alpha_i y_i k(x_i, x) + b\right) \tag{1}$$

where $(x_i, y_i)$, $i = 1, \ldots, N_S$ are the support vectors, whose corresponding Lagrange multipliers $\alpha_i$ are greater than zero, $x$ is the vector to be classified, $N_S$ is the number of support vectors, and $b$ is the bias.
Compared with the prior art, the network intrusion detection system based on the SVM simplification algorithm has the following beneficial effect: by reducing the support vectors it increases the classification speed of the SVM classifier, which greatly improves the real-time response capability of a network intrusion detection system based on the simplified SVM.
Brief description of the drawings:
Fig. 1 is a block diagram of the network intrusion detection system based on the SVM simplification algorithm according to the present invention.
Detailed description of the embodiment:
The network intrusion detection system based on the SVM simplification algorithm is described further below with reference to the drawing.
The system consists of a network data capture and extraction module, a network data preprocessing module, a detection module, and an output and response module, connected in sequence. The detection module is a simplified SVM classifier whose decision function is:

$$f(x) = \operatorname{sgn}\left(\sum_{i=1}^{N_S} \alpha_i y_i k(x_i, x) + b\right) \tag{1}$$

where $(x_i, y_i)$, $i = 1, \ldots, N_S$ are the support vectors, whose corresponding Lagrange multipliers $\alpha_i$ are greater than zero, $x$ is the vector to be classified, $N_S$ is the number of support vectors, and $b$ is the bias.
For convenience of description, the present invention folds the class label into the Lagrange multiplier $\alpha_i$; every $\alpha_i$ below is treated the same way. Accordingly, the decision function of formula (1) becomes:

$$f(x) = \operatorname{sgn}\left(\sum_{i=1}^{N_S} \alpha_i k(x_i, x) + b\right) \tag{2}$$

Here the $\alpha_i$ are nonzero numbers. Formula (2) shows that the time needed to classify a sample of unknown class is proportional to the number of support vectors, so reducing the number of support vectors effectively increases the classification speed of the classifier.
The vector w corresponding to the optimal separating hyperplane obtained by training the SVM classifier is formally expressed as a linear combination of all the support vectors in feature space:
The SVM simplification method in the present invention attempts to replace the original support vector set with a reduced vector set:
where $\{z_1, \ldots, z_{N_Z}\} \in R^d$ is the reduced vector set, $\beta_i \in R$ is the weight corresponding to the reduced vector $z_i$, $N_Z$ is the number of vectors in the reduced vector set, and $N_Z < N_S$. The reduced approximation can then be used in place of $w$ to classify a vector $x$ of unknown class, and the SVM decision function takes the following form:

$$f(x) = \operatorname{sgn}\left(\sum_{i=1}^{N_Z} \beta_i k(z_i, x) + b\right) \tag{5}$$

The goal of the SVM simplification method is to find, with as little loss of classification accuracy as possible, the smallest $N_Z < N_S$ and the corresponding reduced vector set, forming a simplified SVM classifier with a higher classification speed.
To reduce the number of support vectors, first construct one new reduced vector and its corresponding weight $(z_1, \beta_1)$ to approximate the vector $w$ in formula (3), then iteratively construct $(z_{m+1}, \beta_{m+1})$ to approximate the vector $w_m$, where $w_m$ has the following form:
Figure A20091009934600056
Because a vector $z_m$ and corresponding weight $\beta_m$ that make the vector $w_m$ exactly zero cannot be found, one can only search for the minimum $\delta$ by nonlinear optimization, where $\delta$ has the following form:
Figure A20091009934600061
For certain special kernel functions such as the Gaussian kernel, the SVM classifier uses fixed-point iteration to find the reduced vector $z$. Setting the derivative of formula (7) to zero gives the following iteration formula for the reduced vector $z$:

$$z_{n+1} = \frac{\sum_{i=1}^{N_S} \alpha_i \exp\left(-\|x_i - z_n\|^2 / (2\sigma^2)\right) x_i}{\sum_{i=1}^{N_S} \alpha_i \exp\left(-\|x_i - z_n\|^2 / (2\sigma^2)\right)} \tag{8}$$

Let the numbers of support vectors of the SVM classifier before and after simplification be $N_S$ and $N_Z$ respectively. Measured in kernel function evaluations, the time complexity of the original SVM classifier for predicting one sample is $O(N_S)$, and that of the simplified SVM classifier is $O(N_Z)$. Because $N_Z < N_S$, the simplified SVM classifier has a lower classification complexity than the original SVM classifier.
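The iterative construction around formula (8), as an added Python example that is not code from the patent: each reduced vector is found by fixed-point iteration against the residual $w_m$, and the reduced classifier of formula (5) is compared with the original of formula (2). Formulas (6) and (7) are not reproduced on this page, so the weight $\beta = \langle w_m, \phi(z) \rangle$, the residual update and the choice of starting point follow the standard reduced-set construction and are assumptions, as are all function names; the support vectors are constructed sample values.

```python
import math

def gauss(a, b, sigma):
    """Gaussian kernel k(a, b) = exp(-||a - b||^2 / (2 sigma^2))."""
    d2 = sum((p - q) ** 2 for p, q in zip(a, b))
    return math.exp(-d2 / (2.0 * sigma ** 2))

def kernel_sum(vectors, coefs, x, sigma):
    """sum_i coef_i * k(v_i, x): the sum inside formulas (2) and (5)."""
    return sum(c * gauss(v, x, sigma) for v, c in zip(vectors, coefs))

def decide(vectors, coefs, b, x, sigma):
    """Decision function sgn(sum + b); one kernel evaluation per vector."""
    return 1 if kernel_sum(vectors, coefs, x, sigma) + b >= 0 else -1

def fixed_point(vectors, coefs, z, sigma, max_iter=200, tol=1e-10):
    """Iterate formula (8) from the starting point z."""
    for _ in range(max_iter):
        w = [c * gauss(v, z, sigma) for v, c in zip(vectors, coefs)]
        denom = sum(w)
        if abs(denom) < 1e-12:      # denominator of (8) vanished: stop here
            break
        z_new = [sum(wi * v[d] for wi, v in zip(w, vectors)) / denom
                 for d in range(len(z))]
        moved = max(abs(p - q) for p, q in zip(z_new, z))
        z = z_new
        if moved < tol:
            break
    return z

def reduce_svm(svs, alphas, n_z, sigma):
    """Build n_z reduced vectors one at a time against the residual w_m."""
    vecs, coefs = list(svs), list(alphas)   # expansion of the residual w_m
    zs, betas = [], []
    for _ in range(n_z):
        # Assumed start: the support vector where the residual is largest.
        start = max(svs, key=lambda v: abs(kernel_sum(vecs, coefs, v, sigma)))
        z = fixed_point(vecs, coefs, list(start), sigma)
        # Assumed weight: beta = <w_m, phi(z)>, optimal because k(z, z) = 1.
        beta = kernel_sum(vecs, coefs, z, sigma)
        zs.append(z)
        betas.append(beta)
        vecs.append(z)                      # w_{m+1} = w_m - beta * phi(z)
        coefs.append(-beta)
    return zs, betas

def residual_norm2(svs, alphas, zs, betas, sigma):
    """||w - w_reduced||^2 in feature space, using kernel values only."""
    vecs = list(svs) + list(zs)
    coefs = list(alphas) + [-b for b in betas]
    return sum(ci * cj * gauss(vi, vj, sigma)
               for vi, ci in zip(vecs, coefs) for vj, cj in zip(vecs, coefs))

# Constructed sample: 8 "support vectors" in [0, 1]^2 with the class label
# already folded into alpha (the convention of formula (2)); not KDD data.
SVS = [(0.15, 0.20), (0.25, 0.20), (0.20, 0.15), (0.20, 0.25),
       (0.75, 0.80), (0.85, 0.80), (0.80, 0.75), (0.80, 0.85)]
ALPHAS = [1.0] * 4 + [-1.0] * 4
BIAS, SIGMA = 0.0, 0.2
ZS, BETAS = reduce_svm(SVS, ALPHAS, 2, SIGMA)    # N_S = 8 -> N_Z = 2

if __name__ == "__main__":
    for x in [(0.3, 0.1), (0.7, 0.9)]:
        print(x, decide(SVS, ALPHAS, BIAS, x, SIGMA),
              decide(ZS, BETAS, BIAS, x, SIGMA))
    print("relative squared error:",
          residual_norm2(SVS, ALPHAS, ZS, BETAS, SIGMA)
          / residual_norm2(SVS, ALPHAS, [], [], SIGMA))
```

Each call to `decide` costs one kernel evaluation per vector, so the reduced classifier here does a quarter of the work of the original, which is the $O(N_S)$ versus $O(N_Z)$ comparison made above.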
The present invention uses KDD CUP 1999 as the experimental data set. This data set was obtained by Wenke Lee et al. from connection information recovered from the data of the 1998 DARPA IDS evaluation. The data covers 7 weeks of network traffic in total, nearly 5,000,000 connection records. Because the original data set is so large, only two representative data sets were selected as experimental data: one named 10Percent (the training set), containing 494,020 records, and one named Correct (the test set), containing 311,029 records.
The intrusion detection training set contains normal network traffic data and 22 attack classes; the test set contains 38 attack types in addition to normal traffic data. In this experiment both data sets are grouped into 5 classes by broad type, forming a new training set and test set. Table 1 describes the intrusion detection training and test sets in detail.
Table 1: Description of the intrusion detection training and test data

| Type name | Class label | Training records | Test records |
|---|---|---|---|
| Normal | 1 | 97,277 | 60,593 |
| Probe | 2 | 4,107 | 4,166 |
| DOS | 3 | 391,458 | 229,851 |
| U2R | 4 | 52 | 230 |
| R2L | 5 | 1,126 | 16,189 |

The intrusion detection data set contains 7 symbolic attributes, whereas an SVM can only handle numeric attributes, so the symbolic attributes must be converted to numeric ones. The conversion works as follows. First create an all-zero numeric sequence $A_n \ldots A_2 A_1$ whose length equals the number of distinct values of the attribute, with each position in the sequence corresponding one-to-one to a value of the symbolic attribute. If a record takes a given value for this attribute, the corresponding position in the sequence is set to 1 and the rest remain 0. The sequence can then be read as a binary number, and its decimal value is the numeric value sought. After the symbolic attributes have been processed, all attribute values are normalized to the interval [0, 1].
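The conversion just described, as an added Python example that is not code from the patent. The text does not say how values are ordered, how the [0, 1] normalization is done, or what happens to a symbolic value that appears only in the test set; sorted order, min-max scaling fitted on the training records, and the all-zero sequence for unseen values are assumptions, and the records are constructed.

```python
def fit_symbol_codes(values):
    """One bit position per distinct value: the sequence A_n...A_2 A_1 with a
    single 1 set, read as a binary number, is 2**position."""
    return {v: 1 << i for i, v in enumerate(sorted(set(values)))}

def to_numeric(row, codes):
    # Symbolic columns use the code table; a value never seen in training
    # keeps the all-zero sequence, i.e. 0 (assumed handling).
    return [codes[c].get(v, 0) if c in codes else float(v)
            for c, v in enumerate(row)]

def fit_preprocessor(train_rows, symbolic_cols):
    """Learn the code tables and per-column min/max from training records."""
    codes = {c: fit_symbol_codes([r[c] for r in train_rows])
             for c in symbolic_cols}
    numeric = [to_numeric(r, codes) for r in train_rows]
    lo = [min(col) for col in zip(*numeric)]
    hi = [max(col) for col in zip(*numeric)]
    return codes, lo, hi

def transform(row, codes, lo, hi):
    """Encode one record and scale every attribute into [0, 1]."""
    out = []
    for x, l, h in zip(to_numeric(row, codes), lo, hi):
        scaled = (x - l) / (h - l) if h > l else 0.0
        # Test records can fall outside the training range: clip them.
        out.append(min(1.0, max(0.0, scaled)))
    return out

# Constructed records: (duration, protocol_type, flag, src_bytes)
TRAIN = [(0, "tcp", "SF", 181), (2, "udp", "SF", 105),
         (0, "icmp", "SF", 1032), (5, "tcp", "REJ", 0)]
CODES, LO, HI = fit_preprocessor(TRAIN, symbolic_cols={1, 2})

if __name__ == "__main__":
    print(CODES[1])
    print(transform(TRAIN[0], CODES, LO, HI))
    print(transform((1, "gre", "S0", 5000), CODES, LO, HI))
```

Because the codes are powers of two, they are spread unevenly after scaling: with ten distinct values the codes run from 1 to 512, and eight of the ten categories land below 0.25.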
After the data has been suitably preprocessed, LIBSVM is selected as the standard SVM training algorithm. The kernel function is the Gaussian kernel, and the penalty factor C and the kernel parameter are both the optimal values obtained by LIBSVM 10-fold cross-validation on a randomly drawn subset of the experimental data set.
The experimental results are shown in Table 2. The first row gives the different reduction rates; rows 2-4 give, for the 5-class problem, the number of support vectors of the simplified SVM classifier, its error rate on the test set, and its test time. The second column of those three rows gives the support vector count, test error rate and running time on the test set of the original SVM classifier.
Table 2: Classifier performance at different reduction rates

| Simplified rate (%) | 0 | 60 | 80 | 95 |
|---|---|---|---|---|
| #RSVs | 10,791 | 4,316 | 2,158 | 540 |
| Error rate (%) | 3.22 | 3.41 | 5.2 | 7.2 |
| Test time (s) | 1,174 | 621 | 455 | 121 |

Table 2 shows that as the reduction rate increases, the classification speed of the simplified SVM classifier on the test set increases accordingly. Although the generalization performance of the simplified SVM classifier falls as the reduction rate rises, the loss of generalization ability is very small compared with the gain in detection speed. At a support vector reduction rate as high as 95%, there is only a 7.2% loss of classification accuracy, while the classification speed of the simplified SVM classifier on the test set is nearly 10 times that of the original SVM classifier. This shows that on the intrusion detection data set the support vector simplification method, while greatly cutting the number of support vectors, largely preserves the classification accuracy of the original SVM classifier and greatly improves its classification efficiency, removing the speed bottleneck of applying SVM to intrusion detection systems.
The network intrusion detection system of the present invention is based on an SVM simplification algorithm. It increases the classification speed of the SVM classifier by reducing the support vectors, which greatly improves the real-time response capability of a network intrusion detection system based on the simplified SVM while keeping the system's false-detection rate and missed-detection rate comparatively low.

Claims (5)

1. A network intrusion detection system based on a support vector machine (SVM) simplification algorithm, characterized in that: the system consists of a network data capture and extraction module, a network data preprocessing module, a detection module, and an output and response module, connected in sequence; the detection module is a simplified SVM classifier, and the decision function of the simplified SVM classifier is:

$$f(x) = \operatorname{sgn}\left(\sum_{i=1}^{N_S} \alpha_i y_i k(x_i, x) + b\right) \tag{1}$$

where $(x_i, y_i)$, $i = 1, \ldots, N_S$ are the support vectors, whose corresponding Lagrange multipliers $\alpha_i$ are greater than zero, $x$ is the vector to be classified, $N_S$ is the number of support vectors, and $b$ is the bias.
2. The network intrusion detection system based on an SVM simplification algorithm as claimed in claim 1, characterized in that: the vector w corresponding to the optimal separating hyperplane of the SVM classifier is formally expressed as a linear combination of all the support vectors in feature space:
Figure A2009100993460002C2
3. The network intrusion detection system based on an SVM simplification algorithm as claimed in claim 2, characterized in that: the SVM classifier uses a reduced vector set w o (3) to replace the original support vector set w (2): where $\{z_1, \ldots, z_{N_Z}\} \in R^d$ is the reduced vector set, $\beta_i \in R$ is the weight corresponding to the reduced vector $z_i$, $N_Z$ is the number of vectors in the reduced vector set, and $N_Z < N_S$.
4. The network intrusion detection system based on an SVM simplification algorithm as claimed in claim 3, characterized in that: when the SVM classifier reduces the number of support vectors, it first constructs one new reduced vector and its corresponding weight $(z_1, \beta_1)$ to approximate the vector $w$ in formula (2), then iteratively constructs $(z_{m+1}, \beta_{m+1})$ to approximate the vector $w_m$, where $w_m$ has the following form:
Figure A2009100993460002C5
5. The network intrusion detection system based on an SVM simplification algorithm as claimed in claim 4, characterized in that: for the Gaussian kernel function the SVM classifier uses fixed-point iteration to find the reduced vector $z$, and the iteration formula for the reduced vector $z$ is:

$$z_{n+1} = \frac{\sum_{i=1}^{N_S} \alpha_i \exp\left(-\|x_i - z_n\|^2 / (2\sigma^2)\right) x_i}{\sum_{i=1}^{N_S} \alpha_i \exp\left(-\|x_i - z_n\|^2 / (2\sigma^2)\right)}$$
CNA2009100993460A 2009-06-02 2009-06-02 Network Intrusion Detection System based on shortcut calculation of support vector machine Pending CN101594361A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2009100993460A CN101594361A (en) 2009-06-02 2009-06-02 Network Intrusion Detection System based on shortcut calculation of support vector machine

Publications (1)

Publication Number Publication Date
CN101594361A true CN101594361A (en) 2009-12-02

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20091202