CN101471782B - Network inbreak detection method based on on-line hoisting algorithm - Google Patents


Info

Publication number
CN101471782B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2007103042237A
Other languages
Chinese (zh)
Other versions
CN101471782A (en)
Inventor
胡卫明
王燕国
张笑钦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Jialian Electronic Commerce Co ltd
Original Assignee
Institute of Automation of Chinese Academy of Science
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Automation of Chinese Academy of Science
Priority to CN2007103042237A
Publication of CN101471782A
Application granted
Publication of CN101471782B

Landscapes

  • Alarm Systems (AREA)

Abstract

The invention relates to the field of information security in computer networks, and in particular to a network intrusion detection method based on an online boosting algorithm. The method comprises the following steps: an initialization module builds a decision stump on each dimension of the network connection data, initializes the decision stump on each feature and its corresponding weight, and sets a balance factor; a detection module fuses the current decision stumps by weighting to obtain a strong intrusion detection classifier, which performs intrusion detection on the network connection data; an online update module judges whether the network connection data is a training sample and, if it is, uses the sample to update the current detection classifier online before intrusion detection is performed on it. The method overcomes the drawbacks of traditional intrusion detection methods, which use offline learning only, take a long time to train, and adapt poorly to constantly changing network environments.

Description

Network intrusion detection method based on an online boosting algorithm
Technical field
The present invention relates to information security in computer networks, and in particular to network intrusion detection; it is a network intrusion detection method based on an online boosting algorithm.
Background
With the development of computers, Internet applications have become deeper and more diverse, and online shopping, e-government, online banking and similar uses are increasingly common. At the same time, network information security problems have become increasingly prominent. Behaviours such as using the network to attack terminal operating systems, stealing personal information and bank account passwords without authorization, and illegally intruding into system databases have seriously hindered normal use of the Internet and caused great harm to society and individuals. Building a network information security system is therefore indispensable technical support for using the Internet effectively. In general, a network information security system comprises four steps: protection, detection, reaction and recovery. Detection means discovering network behaviour that falls outside the scope of the system's security policy, which is what is usually called "intrusion". The intrusion detection system is a very important part of a network information security system and serves as the early-warning aircraft of digital space: only when network intrusions are detected accurately can the subsequent reaction and recovery measures be carried out in a timely and correct manner. In-depth research on intrusion detection technology and the design and development of effective intrusion detection algorithms are therefore extremely important for raising the level of network information security and promoting the application and development of Internet technology.
Intrusion refers to network behaviour that violates the security policy of the system or endangers system security. Violating the security policy means that a behaviour does not conform to the set of rules for normal behaviour, or is rare enough that the system considers it a potential attack. The task of intrusion detection is to detect such intrusions or attacks. Intrusion detection can therefore be regarded as a two-class pattern classification problem, namely automatically distinguishing normal network behaviour from network attacks. In general, intrusion detection systems fall into two classes: host-based and network-based. Host-based intrusion detection relies on the system logs of the terminal operating system. It can usually achieve a very high detection rate and a very low false alarm rate, but its timeliness is poor, because by the time an intrusion is detected the harm to the terminal system has often already occurred. The system logs are also not fully reliable: some carefully designed network intrusions can modify the system logs and erase the traces of the attack. Network-based intrusion detection relies on the network data in transit at network nodes such as switches and routers. At that point network packets can only be passively forwarded and analysed, so the data is reliable, and a network attack can be stopped before it reaches the terminal system, which greatly improves the security of the network system. The present invention concerns network-based intrusion detection.
The object of network-based intrusion detection is a single network connection, i.e. a sequence of TCP packets within a defined time interval. The features used by the intrusion detection classifier fall into three major categories: basic features, content features and traffic features. Basic features include the duration of a network connection, the protocol type, etc.; content features include the number of failed login attempts, etc.; traffic features include the number of network connections to the same source address within two seconds, etc.
The main difficulties of network intrusion detection are the following: the training data required for intrusion detection is huge, and offline training is very time-consuming; the features differ greatly from one another, with 9 categorical features and 32 continuous features, and the value ranges of the continuous features run from as small as [0, 1] to as large as [0, 10^7]; the goals of intrusion detection, a high detection rate and a low false alarm rate, are hard to achieve at the same time; in addition, intrusion detection has a relatively high speed requirement, so the classifier cannot be too complex.
Existing network intrusion detection methods include rule-based or statistical methods that use association rules or frequent sequences, and machine-learning methods such as neural networks, support vector machines and self-organizing maps. It should be emphasized that although network intrusion detection technology has received wide attention and study around the world, many difficulties remain to be solved. In particular, the network environment we work in changes constantly: new network intrusions and attack techniques keep appearing, and the normal network behaviour of users is highly varied. Yet most existing intrusion detection algorithms use offline training. When a new type of network attack appears, the training data for the new attack type must be added to the existing training data set, and the whole huge training data set must be retrained to adapt to the change in the network environment. This process often requires multiple passes over the entire training data set and is very time-consuming, which makes it hard to meet the security requirements of a network information system. Studying intrusion detection methods that can adapt effectively to a complex and changing network environment is therefore a very important problem.
Summary of the invention
To overcome the shortcoming that existing intrusion detection methods can only be trained offline and adapt poorly to a complex and changing network environment, the invention provides an intrusion detection method based on an online boosting algorithm. The method adapts quickly to changes in the network environment while achieving detection accuracy comparable to that of offline training methods. It comprises:
An initialization module builds a decision stump on each dimension of the network connection data, initializes the decision stump on each feature and its corresponding weight, and sets a balance factor;
A detection module fuses the current decision stumps by weighting to obtain a strong intrusion detection classifier and performs intrusion detection on the network connection data;
An online update module judges whether the network connection data is a training sample; if so, the current detection classifier is first updated online with this sample before intrusion detection is performed on it.
Further, the decision stump on each dimension of the network connection data is a weak classifier; the weak classifiers are combined by linear weighting into a strong classifier, and the weight of each weak classifier is derived from its classification error rate.
Further, the decision stumps are built using the criterion of minimizing the classification error rate.
Further, the intrusion detection classifier is updated dynamically within the framework of the online boosting algorithm; when each weak classifier is updated, its classification error rate and its weight are updated.
Further, a balance factor is introduced for the initial weight of each training sample in the update process of the intrusion detection classifier, to balance the detection rate and the false alarm rate of the resulting detection classifier.
The beneficial effect of the invention is that the characteristics of new network intrusions or attack patterns can be learned online quickly, so that the intrusion detection classifier adapts to changes in the network environment quickly and effectively while achieving good detection accuracy.
Description of drawings
Fig. 1 is the overall system diagram of the technical solution of the invention;
Fig. 2 is the flow chart of the online update algorithm in the technical solution of the invention;
Fig. 3 shows the test results of the detection algorithm proposed by the invention and of several existing algorithms on a database containing three common types of network attack data (Neptune, Satan, Portsweep);
Fig. 4 shows the test results of online boosting without a balance factor, online boosting with the balance factor, and the Adaboost algorithm on the 1999 international Knowledge Discovery and Data Mining competition database (KDD Cup 1999 Data Set);
Fig. 5 shows the test results of the detection algorithm proposed by the invention and of several existing algorithms on the KDD Cup 1999 Data Set.
Embodiment
To make the purpose, technical solution and advantages of the invention clearer, the invention is described in more detail below with reference to a specific embodiment and the accompanying drawings.
Fig. 1 is the overall system diagram of the technical solution of the invention. The overall structure consists of the following three modules: 1) the initialization module, which first initializes the decision stump on each feature and its corresponding weight, and sets the balance factor r; 2) the detection module, which, for each new network connection record, fuses the current decision stumps by weighting to obtain the strong intrusion detection classifier and performs intrusion detection on the record; 3) the online update module, which, if the network connection record is a training sample, first updates the current detection classifier online with this sample before intrusion detection is performed on it.
Fig. 2 is the flow chart of the online update algorithm in the technical solution of the invention. For each network connection record used as a training sample, an initial sample weight λ is set first. Then, for each feature dimension, the training sample is used to update online the decision stump on that feature and its corresponding weight, and the weight λ of the training sample is updated. The updated sample weight λ is used for the online update of the decision stump and weight of the next dimension.
The main features of the invention are: 1) because the classifier is updated online by online boosting, the current detection classifier does not need to be retrained when a new type of network attack appears; it is enough to learn online from the training data of the new attack type in a single pass, which greatly simplifies the process and reduces the computational complexity of adapting the intrusion detection classifier to changes in the network environment; 2) because simple decision stumps are used as weak classifiers, both their training and their online update can be completed quickly; 3) fusing the weak classifiers within the boosting framework ensures that the resulting strong classifier has detection capability comparable to that of other, more complex algorithms; 4) the balance factor takes both the detection rate and the false alarm rate of the resulting detection classifier into account and effectively lowers the false alarm rate while keeping a comparable detection rate, which better meets the detection requirements of a real network intrusion detection system.
The details of each technical issue involved in the technical solution of the invention are explained below.
(1) Building the decision stumps
A decision stump is built on each dimension of the network connection data. Each decision stump is built using the criterion of minimizing the classification error rate

$$\varepsilon = \sum_n \delta[h(x_n) \neq y_n] \tag{1}$$

where $(x_n, y_n)$ is the $n$-th training sample, $h(x)$ is the decision stump on this feature dimension, and the function $\delta[h(x_n) \neq y_n]$ takes the value 1 when $h(x_n) \neq y_n$ holds and -1 otherwise.
For a categorical feature $f$, the set $C^f$ of possible attribute values on this feature is divided into two disjoint subsets $C_p^f$ and $C_n^f$, and the decision stump on this feature takes the form

$$h_f(x) = \begin{cases} 1, & x_f \in C_p^f \\ -1, & x_f \in C_n^f \end{cases} \tag{2}$$

where $x_f$ is the attribute value of training sample $x$ on feature $f$. Under the criterion of minimizing $\varepsilon$, the decision stump on a categorical feature $f$ can in fact be obtained by the following simple computation:

$$z \in \begin{cases} C_p^f, & \sum_{x_f = z} \delta(y = 1) \ge \sum_{x_f = z} \delta(y = -1) \\ C_n^f, & \sum_{x_f = z} \delta(y = 1) < \sum_{x_f = z} \delta(y = -1) \end{cases} \tag{3}$$

where $z$ is a possible attribute value on feature $f$; the function $\delta(y = 1)$ takes the value 1 when $y = 1$ holds and -1 otherwise, and the function $\delta(y = -1)$ takes the value 1 when $y = -1$ holds and -1 otherwise.
For a continuous feature $f$, the range of possible attribute values on this feature is split by a threshold $\upsilon$, and the decision stump takes the form

$$h_f(x) = \begin{cases} 1, & x_f \ge \upsilon \\ -1, & x_f < \upsilon \end{cases} \quad \text{or} \quad h_f(x) = \begin{cases} -1, & x_f \ge \upsilon \\ 1, & x_f < \upsilon \end{cases} \tag{4}$$

The choice of the threshold $\upsilon$ and the choice between the two forms above likewise follow the criterion of minimizing $\varepsilon$.
(2) Fusing the weak classifiers by the boosting mechanism
The weak classifiers $h_f(x)$ obtained so far are combined by linear weighting into the strong classifier $H(x)$. The weight of each weak classifier $h_f(x)$ is derived from its classification error rate $\varepsilon_f$, and the fusion formula is

$$H(x) = \operatorname{sign}\left( \sum_f h_f(x) \cdot \lg \frac{1 - \varepsilon_f}{\varepsilon_f} \right) \tag{5}$$

where the classification error rate $\varepsilon_f$ of weak classifier $h_f(x)$ is approximated by

$$\varepsilon_f = \frac{\lambda_f^{sw}}{\lambda_f^{sc} + \lambda_f^{sw}} \tag{6}$$
(3) Balance factor and initial weight of the training samples
A balance factor is introduced for the initial weight of each training sample in the update process of the intrusion detection classifier, to balance the detection rate and the false alarm rate of the resulting detection classifier.
In network intrusion detection, the detection rate and the false alarm rate are used to measure the detection accuracy of a detection algorithm:
Figure S2007103042237D00061
Figure S2007103042237D00062
where $N_{Detected}$ is the number of network attacks successfully detected during training, $N_{Attack}$ is the total number of network attacks in the training sample set, $N_{False}$ is the number of normal network connections falsely detected as network attacks, and $N_{Normal}$ is the total number of normal network connections in the training sample set. We expect an intrusion detection algorithm to have a detection rate as high as possible, to keep the network system secure, and at the same time a false alarm rate as low as possible, to keep normal network use unaffected.
For real network intrusion detection, however, the training sample set is often very large, and the number of normal network connections differs considerably from the number of network attacks. This imbalance in the training sample set makes intrusion detection training based on online boosting very difficult. In fact, classical online boosting sets the same initial weight λ = 1 for every training sample, which amounts to setting the total weight of each of the two classes according to the number of positive and negative training samples; in other words, the importance of the two classes during training is decided by the number of training samples. In general, for a given classifier, the higher the total weight of the negative samples, the higher the detection rate of the resulting detection classifier and the higher its false alarm rate; the higher the total weight of the positive samples, the lower the detection rate of the resulting detection classifier and the lower its false alarm rate. A high detection rate and a low false alarm rate are hard to achieve at the same time, and the practical approach is to strike a balance between the two measures.
To balance the detection rate and the false alarm rate of the resulting intrusion detection classifier, the invention introduces a balance factor r ∈ (0, 1) when setting the initial weight λ of each training sample:
By adjusting the value of the factor r, we can adjust the total weight given to the positive and negative training samples during training, and so balance the detection rate and the false alarm rate of the final detection classifier. The balance factor r is generally chosen according to the ratio of positive to negative training samples in the training sample set and to the requirements that the specific application places on the detection rate and false alarm rate of the detection classifier.
(4) Online update of the detection classifier
As the stream of network connection data is produced, each current weak classifier and its corresponding weight are updated dynamically within the online boosting framework, which in turn updates the fused strong intrusion detection classifier, so that the information in new network connection data is acquired quickly and used effectively.
For a new training sample $(x, y)$, its initial weight $\lambda$ is set according to formula (9). The decision stump on each feature and its weight are then updated in turn according to the current value of $\lambda$. For example, for feature $f$, a number $k$ of copies of the training sample $(x, y)$ is generated at random from a Poisson distribution with parameter $\lambda$, and the decision stump on feature $f$ is updated online with these $k$ samples $(x, y)$. The sample weight $\lambda$ and the weight of the decision stump on feature $f$ (only the corresponding classification error rate needs to be updated) are updated as follows:
If $h_f(x) = y$, then

$$\lambda_f^{sc} = \lambda_f^{sc} + \lambda, \qquad \varepsilon_f = \frac{\lambda_f^{sw}}{\lambda_f^{sc} + \lambda_f^{sw}}, \qquad \lambda = \lambda \cdot \frac{1}{2(1 - \varepsilon_f)} \tag{10}$$

Otherwise

$$\lambda_f^{sw} = \lambda_f^{sw} + \lambda, \qquad \varepsilon_f = \frac{\lambda_f^{sw}}{\lambda_f^{sc} + \lambda_f^{sw}}, \qquad \lambda = \lambda \cdot \frac{1}{2\varepsilon_f} \tag{11}$$

In the formulas above, $\lambda_f^{sc}$ is the sum of the weights of the training samples correctly classified by the decision stump on feature $f$, $\lambda_f^{sw}$ is the sum of the weights of the training samples misclassified by the decision stump on feature $f$, and $\varepsilon_f$ is the approximate classification error rate based on $\lambda_f^{sc}$ and $\lambda_f^{sw}$.
(5) Detection of new network connection data
For each new network connection record, the current weak classifiers and their corresponding weights are fused into a strong classifier, which is used to detect the new network connection record, i.e.

$$H(x) = \operatorname{sign}\left( \sum_f h_f(x) \cdot \lg \frac{1 - \varepsilon_f}{\varepsilon_f} \right) \tag{12}$$
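The procedure of sections (1) to (5), as an added Python example that is not code from the patent: one decision stump per feature, the λ updates of formulas (10) and (11), and the fused classifier of formula (12). Assumptions: the initial weight λ is supplied by the caller (default 1, the classical setting), because formula (9) is not reproduced on this page; labels are y = +1 for a normal connection and y = -1 for an attack; the continuous stump puts its threshold at the midpoint of the running class means; the class names, the Poisson sampler and the sample records are illustrative.

```python
import math
import random

# Assumed label mapping: y = +1 normal connection, y = -1 attack.

class CategoricalStump:
    """Eq. (2)/(3): value z goes to C_p if seen at least as often with y=+1."""
    def __init__(self):
        self.counts = {}                          # z -> [count(y=-1), count(y=+1)]

    def update(self, value, y, k):
        self.counts.setdefault(value, [0, 0])[(y + 1) // 2] += k

    def predict(self, value):
        neg, pos = self.counts.get(value, (0, 0))
        return 1 if pos >= neg else -1            # ties and unseen values: C_p


class ContinuousStump:
    """Eq. (4). Assumption: threshold = midpoint of the running class means."""
    def __init__(self):
        self.n = {-1: 0, 1: 0}
        self.total = {-1: 0.0, 1: 0.0}

    def update(self, value, y, k):
        self.n[y] += k
        self.total[y] += k * value

    def predict(self, value):
        if not (self.n[-1] and self.n[1]):        # only one class seen so far
            return 1 if self.n[1] >= self.n[-1] else -1
        m_neg, m_pos = self.total[-1] / self.n[-1], self.total[1] / self.n[1]
        high = 1 if m_pos >= m_neg else -1        # label assigned to x >= threshold
        return high if value >= (m_neg + m_pos) / 2 else -high


class OnlineBoostingDetector:
    def __init__(self, kinds, seed=0):
        # kinds: "cat" or "num" for each feature dimension
        self.stumps = [CategoricalStump() if k == "cat" else ContinuousStump()
                       for k in kinds]
        self.sc = [0.0] * len(kinds)              # lambda_f^sc per feature
        self.sw = [0.0] * len(kinds)              # lambda_f^sw per feature
        self.rng = random.Random(seed)

    def poisson(self, lam):
        """Knuth's sampler; lam is capped as a numerical guard (assumption)."""
        limit, k, p = math.exp(-min(lam, 30.0)), 0, self.rng.random()
        while p > limit:
            k, p = k + 1, p * self.rng.random()
        return k

    def error(self, f):
        """Eq. (6); 0.5 (zero vote) while the stump has seen no weight at all."""
        total = self.sc[f] + self.sw[f]
        return self.sw[f] / total if total else 0.5

    def reweight(self, f, correct, lam):
        """Update lambda_f^sc or lambda_f^sw and return the new sample weight."""
        if correct:
            self.sc[f] += lam
            return lam / (2 * (1 - self.error(f)))    # eq. (10)
        self.sw[f] += lam
        return lam / (2 * self.error(f))              # eq. (11)

    def learn(self, x, y, lam=1.0):
        """One pass over the features for a single training sample (x, y)."""
        for f, stump in enumerate(self.stumps):
            stump.update(x[f], y, self.poisson(lam))  # k ~ Poisson(lambda) copies
            lam = self.reweight(f, stump.predict(x[f]) == y, lam)
        return lam

    def weights(self):
        """lg((1 - eps_f) / eps_f), with eps_f clamped away from 0 and 1."""
        out = []
        for f in range(len(self.stumps)):
            e = min(max(self.error(f), 1e-9), 1 - 1e-9)
            out.append(math.log10((1 - e) / e))
        return out

    def predict(self, x):
        """Eq. (12); a score of exactly 0 is reported as normal (assumption)."""
        score = sum(w * s.predict(v)
                    for w, s, v in zip(self.weights(), self.stumps, x))
        return 1 if score >= 0 else -1


def constructed_stream(n=100):
    """Constructed records (protocol, flag, connection count), not real traffic."""
    for i in range(n):
        yield ("udp" if i % 2 else "tcp", "SF", 1 + i % 8), 1
        yield ("tcp", "S0", 150 + i % 50), -1


def demo():
    det = OnlineBoostingDetector(["cat", "cat", "num"], seed=7)
    for x, y in constructed_stream():
        det.learn(x, y)                           # single pass, no retraining
    return det


if __name__ == "__main__":
    d = demo()
    print(d.weights(), d.predict(("tcp", "S0", 180)), d.predict(("udp", "SF", 3)))
```

The protocol feature separates the constructed classes only partly, so its stump ends with a much smaller vote than the flag stump; this is the error-rate weighting of formula (6) at work.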
To implement the concrete idea of the invention, we carried out a large number of experiments on a database commonly used in network intrusion detection research, the 1999 international Knowledge Discovery and Data Mining competition database (KDD Cup 1999 Data Set), and implemented the network intrusion detection algorithm described by the invention. The experimental results further verify the effectiveness of the method.
The features of the network connection data used in the experiments are those adopted by the KDD Cup 1999 Data Set, comprising 9 categorical features and 32 continuous features. Part of the test results are shown in Figs. 3, 4 and 5. In network intrusion detection, the detection rate and the false alarm rate are usually used to measure the detection performance of an intrusion detection algorithm. An ideal intrusion detection algorithm has a high detection rate and a low false alarm rate, but in practice these two goals are often hard to achieve at the same time: in general, the higher the detection rate, the higher the false alarm rate. In the following experiments we also use these two measures to examine the detection accuracy of the intrusion detection algorithm proposed by the invention.
Fig. 3 shows the test results of the detection algorithm proposed by the invention and of several existing algorithms on a database containing three common types of network attack data (Neptune, Satan, Portsweep). The detection rate of the proposed detection algorithm reaches 99.55%, close to the highest detection rate of the other two algorithms, while its false alarm rate is only 0.17%, lower than the average of the other two algorithms.
Fig. 4 shows the test results of online boosting without a balance factor, online boosting with the balance factor, and the offline Adaboost algorithm on the 1999 international Knowledge Discovery and Data Mining competition database (KDD Cup 1999 Data Set). The detection rates of these algorithms are very close, but the false alarm rate of online boosting without the balance factor is 8.5010%, far higher than that of the offline Adaboost algorithm. After the balance factor is introduced, the detection rate drops only slightly while the false alarm rate falls substantially to 2.2874%, which shows that the balance factor is very effective at balancing the detection rate and the false alarm rate.
Fig. 5 shows the test results of the detection algorithm proposed by the invention and of several existing algorithms on the KDD Cup 1999 Data Set. The proposed detection algorithm has a detection rate very close to that of the other detection algorithms, and its false alarm rate is better than that of many existing detection algorithms. The invention also has good online learning ability and can adapt quickly to changes in the network environment, which the other existing detection algorithms cannot.
We can see that the network intrusion detection method based on online boosting proposed by the invention has detection accuracy comparable to that of other existing intrusion detection algorithms, and even better than some of them. Moreover, when a new type of network attack appears, existing detection algorithms need to add the training data of the new attack type to the huge existing training data set and retrain, which generally requires multiple passes over the entire training data set and is very time-consuming. The algorithm proposed by the invention needs no retraining: it only has to learn online from a small amount of training data of the new attack type on top of the current detection classifier, making a single pass over the new training data. This greatly reduces the computational complexity of adapting the intrusion detection classifier to changes in the network environment and greatly improves the flexibility and effectiveness of the intrusion detection system, so the method has good application prospects.
The above is only an embodiment of the invention, but the scope of protection of the invention is not limited to it. Any variation or replacement that a person familiar with this technology could readily conceive within the technical scope disclosed by the invention shall fall within the scope of the invention. The scope of protection of the invention shall therefore be determined by the scope of the claims.

Claims (3)

1. A network intrusion detection method based on an online boosting algorithm, characterized in that it comprises:
An initialization module builds a decision stump $h_f(x)$, i.e. a weak classifier, on each feature dimension of the network connection data; it initializes the decision stump on each feature dimension and its corresponding weight, and sets the value of a balance factor $r$ to balance the detection rate and the false alarm rate of the resulting strong intrusion detection classifier; the weight of the weak classifier $h_f(x)$ is derived from its classification error rate $\varepsilon_f$, and $\varepsilon_f$ is approximated by:

$$\varepsilon_f = \frac{\lambda_f^{sw}}{\lambda_f^{sc} + \lambda_f^{sw}},$$

where $\lambda_f^{sc}$ is the sum of the weights of the training samples correctly classified by the decision stump on feature $f$, and $\lambda_f^{sw}$ is the sum of the weights of the training samples misclassified by the decision stump on feature $f$;
For new network connection data, an online update module first judges whether the new network connection data is a training sample; if the new network connection data is a training sample, then before intrusion detection is performed on it, the current strong intrusion detection classifier is first dynamically updated online with this training sample; the update process first sets an initial sample weight $\lambda$ for each training sample $(x, y)$, where the total number of network attacks in the training sample set is $N_{Attack}$ and the total number of normal network connections in the training sample set is $N_{Normal}$, and the initial sample weight $\lambda$ is expressed as follows:
Figure FSB00000378039700014
Then, for each feature dimension, the training sample is used to update the decision stump $h_f(x)$ on that feature and its weight according to the current value of the initial sample weight $\lambda$, and the weight $\lambda$ of the training sample is updated; the updated sample weight $\lambda$ is used for the online update of the decision stump and weight of the next dimension; for feature $f$, a number $k$ of copies of the training sample $(x, y)$ is generated at random from a Poisson distribution with parameter $\lambda$, and the decision stump $h_f(x)$ on feature $f$ is updated online with these $k$ training samples $(x, y)$; the sample weight $\lambda$ and the weight of the decision stump on feature $f$ are updated as follows:
If $h_f(x) = y$, then

$$\lambda_f^{sc} = \lambda_f^{sc} + \lambda, \qquad \varepsilon_f = \frac{\lambda_f^{sw}}{\lambda_f^{sc} + \lambda_f^{sw}}, \qquad \lambda = \lambda \cdot \frac{1}{2(1 - \varepsilon_f)}$$

Otherwise

$$\lambda_f^{sw} = \lambda_f^{sw} + \lambda, \qquad \varepsilon_f = \frac{\lambda_f^{sw}}{\lambda_f^{sc} + \lambda_f^{sw}}, \qquad \lambda = \lambda \cdot \frac{1}{2\varepsilon_f}$$

A detection module fuses the current decision stumps by weighting to obtain the strong intrusion detection classifier and performs intrusion detection on the network connection data; the strong intrusion detection classifier obtained by weighted fusion of the current decision stumps is expressed as follows:

$$H(x) = \operatorname{sign}\left( \sum_f h_f(x) \cdot \lg \frac{1 - \varepsilon_f}{\varepsilon_f} \right).$$

2. The network intrusion detection method according to claim 1, characterized in that the decision stumps are built using the criterion of minimizing the classification error rate.
3. The network intrusion detection method according to claim 1, characterized in that the strong intrusion detection classifier is updated dynamically within the framework of the online boosting algorithm, and when each weak classifier is updated, its classification error rate and its weight are updated.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2007103042237A CN101471782B (en) 2007-12-26 2007-12-26 Network inbreak detection method based on on-line hoisting algorithm

Publications (2)

Publication Number Publication Date
CN101471782A CN101471782A (en) 2009-07-01
CN101471782B true CN101471782B (en) 2011-04-13

Family

ID=40828924

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007103042237A Expired - Fee Related CN101471782B (en) 2007-12-26 2007-12-26 Network inbreak detection method based on on-line hoisting algorithm

Country Status (1)

Country Link
CN (1) CN101471782B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20180517

Address after: 250101 B, 19 floor, 1 building, Xinsheng mansion 1299, Ji'nan new hi tech Zone, Shandong.

Patentee after: SHANDONG JIALIAN ELECTRONIC COMMERCE Co.,Ltd.

Address before: 100080 No. 95 East Zhongguancun Road, Beijing, Haidian District

Patentee before: Institute of Automation, Chinese Academy of Sciences

PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Network inbreak detection method based on on-line hoisting algorithm

Effective date of registration: 20181108

Granted publication date: 20110413

Pledgee: Qilu bank Limited by Share Ltd. Ji'nan high tech branch

Pledgor: SHANDONG JIALIAN ELECTRONIC COMMERCE Co.,Ltd.

Registration number: 2018370000195

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110413
