CN108446562B - Intrusion detection method based on tabu and artificial bee colony bidirectional optimization support vector machine - Google Patents
- Publication number
- CN108446562B
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
- G06N3/00—Computing arrangements based on biological models
- G06N3/004—Artificial life, i.e. computing arrangements simulating life
- G06N3/006—Artificial life, i.e. computing arrangements simulating life based on simulated virtual individual or collective life forms, e.g. social simulations or particle swarm optimisation [PSO]
Abstract
The invention discloses an intrusion detection method based on a support vector machine that is bidirectionally optimized by tabu search and an artificial bee colony. Specifically, a first tabu table is introduced in the employed bee search stage to store the local optimal solutions already found, so that they are avoided during a preset number of subsequent iterations; a second tabu table is introduced in the observation bee stage, and a reward and punishment mechanism is added to the fitness function of the honey source to improve the diversity of the solutions; finally, a third tabu table is introduced in the scout bee stage to store the solutions that have reached the maximum development times without any improvement in their adaptation value. The invention has strong feasibility and good practicability.
Description
Technical Field
The invention relates to the field of network security technology, in particular to an intrusion detection method based on a tabu and artificial bee colony bidirectional optimization support vector machine.
Background
In recent years, as networks have grown in scale, computer networks have brought convenience to people's life and work; at the same time, network intrusion and attack techniques have become more complicated, and the losses caused by various destructive network attacks are increasingly serious. Although traditional security defense methods and strategies protect network security to a certain extent, they cannot stop complicated, changeable and rampant intrusion behaviors, so the intrusion detection system (IDS) has emerged as a second line of defense for network security. This active protection technology is valued by experts and scholars at home and abroad, and research on effective intrusion detection algorithms that address the intrusion risks present on the Internet is of great significance to the sustainable development of Internet security and the economy.
Network connection data is large in volume and has many features, and how to quickly and effectively obtain security threat information from intrusion detection log data is a current hotspot in intrusion detection research. At present, various data mining and artificial intelligence methods have been applied to the intrusion detection problem: first, feature selection and data dimension reduction are carried out on the original data set by an optimization algorithm (such as a neural network algorithm, a particle swarm algorithm, or the artificial bee colony (ABC) algorithm), and then a classifier (such as C4.5, ID3, or a support vector machine (SVM)) is trained on the existing data to obtain an intrusion detection model. However, existing intrusion detection models are limited because the feature selection effect is poor and because feature selection and classifier training are carried out separately and fit together badly; they often show low detection precision and a high false alarm rate, and the existing modeling approach cannot be applied well to large-scale intrusion detection log data.
Disclosure of Invention
The invention aims to solve the problems that, in existing intrusion detection models, the search efficiency of feature selection is low, the minimum feature subset search cannot be solved, and parameter optimization is difficult to carry out synchronously with search and modeling, and provides an intrusion detection method based on a tabu and artificial bee colony bidirectional optimization support vector machine.
In order to solve the problems, the invention is realized by the following technical scheme:
the intrusion detection method based on the tabu and the artificial bee colony bidirectional optimization support vector machine comprises a training stage and a detection stage;
the training phase comprises the following steps:
step 1, collecting network connection data in a network as a training set of an intrusion detection system;
step 2, carrying out data preprocessing on the training set;
step 3, setting the parameters of the tabu algorithm and the bee colony algorithm in the tabu and artificial bee colony bidirectional optimization support vector machine model;
step 4, performing iterative optimization of the tabu and artificial bee colony bidirectional optimization support vector machine model on the training set, that is, bidirectionally optimizing the network connection characteristics and the support vector machine model parameters, and finally generating an optimal honey source, namely the optimal network connection characteristic vector and support vector machine model parameter vector;
step 5, setting parameters of the support vector machine according to the optimal network connection characteristic vector and the support vector machine model parameter vector generated in the step 4, and finally obtaining a network intrusion detection model;
the detection stage comprises the following steps:
step 6, collecting the network connection data packet to be detected in real time, and preprocessing the network connection data packet to be detected by adopting the same preprocessing mode as the step 2;
step 7, according to the optimal network connection characteristic vector generated in the step 4, performing characteristic extraction and dimension reduction on the preprocessed network connection data to be detected to obtain the network connection data after characteristic extraction;
step 8, inputting the network connection data obtained after the characteristic extraction in step 7 into the network intrusion detection model obtained in step 5 for intrusion detection, and, once an attack is detected, generating corresponding alarm information to notify an administrator to handle it.
In step 3, the parameters set for the bee colony algorithm include the bee colony population number NP, the number m of honey sources, the maximum evolution iteration number MCN, and the maximum development times limit of the honey sources; the parameters set for the tabu algorithm comprise the lengths $|T_1|$ to $|T_3|$ of the 3 tabu tables $T_1$ to $T_3$.
The number m of honey sources is half of the bee colony population number NP, namely m = NP/2.
The length $|T_2|$ of tabu table $T_2$ < the length $|T_1|$ of tabu table $T_1$ < the length $|T_3|$ of tabu table $T_3$.
The step 4 specifically includes the following substeps:
step 4.1, randomly generating m honey sources according to the network connection data in the training set, wherein each honey source is an initial network connection characteristic vector and support vector machine model parameter vector; calculating the adaptation values of the m honey sources, selecting the honey source with the highest adaptation value among them, and assigning its adaptation value to the current craving level C(x);
step 4.2, employed bee stage:
step 4.2.1, selecting from the m honey sources 1 honey source that has not yet undergone neighborhood search in the employed bee stage as the old honey source, and performing neighborhood search on the old honey source to obtain 1 new honey source;
step 4.2.2, comparing the adaptation value of the new honey source with the current craving level C(x):
if the adaptation value of the new honey source is greater than the current craving level C(x), replacing the old honey source with the new honey source, setting the development times of the honey source to 0, assigning the adaptation value of the new honey source to the craving level C(x), and going to step 4.2.3;
if the adaptation value of the new honey source is less than or equal to the current craving level C(x), further judging whether the new honey source is in tabu table $T_3$ or tabu table $T_1$:
if the new honey source is neither in tabu table $T_3$ nor in tabu table $T_1$, further comparing the adaptation values of the new honey source and the old honey source:
if the adaptation value of the new honey source is greater than that of the old honey source, replacing the old honey source with the new honey source, setting the development times of the honey source to 0, putting the new honey source into tabu table $T_1$, and going to step 4.2.3;
if the adaptation value of the new honey source is less than or equal to that of the old honey source, keeping the old honey source, adding 1 to the development times of the current honey source, and going to step 4.2.3;
if the new honey source is in tabu table $T_3$ or tabu table $T_1$, keeping the old honey source, adding 1 to the development times of the current honey source, and going to step 4.2.3;
step 4.2.3, if all m honey sources have undergone neighborhood search in the employed bee stage, going to step 4.3 and entering the observation bee stage; otherwise, going to step 4.2.1;
step 4.3, observation bee stage:
step 4.3.1, calculating the selection probability of the m honey sources, and selecting m' honey sources with higher fitness from the m honey sources according to a roulette mechanism;
step 4.3.2, selecting from the m' honey sources 1 honey source that has not yet undergone neighborhood search in the observation bee stage as the old honey source, and performing neighborhood search on the old honey source to obtain 1 new honey source;
step 4.3.3, comparing the adaptation value of the new honey source with the current craving level C(x):
if the adaptation value of the new honey source is greater than the current craving level C(x), replacing the old honey source with the new honey source, setting the development times of the honey source to 0, assigning the adaptation value of the new honey source to the craving level C(x), and going to step 4.3.4;
if the adaptation value of the new honey source is less than or equal to the current craving level C(x), further judging whether the new honey source is in tabu table $T_3$ or tabu table $T_2$:
if the new honey source is neither in tabu table $T_3$ nor in tabu table $T_2$, further comparing the adaptation values of the new honey source and the old honey source:
if the adaptation value of the new honey source is greater than that of the old honey source, replacing the old honey source with the new honey source, setting the development times of the honey source to 0, putting the new honey source into tabu table $T_2$, and going to step 4.3.4;
if the adaptation value of the new honey source is less than or equal to that of the old honey source, keeping the old honey source, adding 1 to the development times of the current honey source, and going to step 4.3.4;
if the new honey source is in tabu table $T_3$ or tabu table $T_2$, keeping the old honey source, adding 1 to the development times of the current honey source, and going to step 4.3.4;
step 4.3.4, if all m' honey sources have undergone neighborhood search in the observation bee stage, going to step 4.4 and entering the scout bee stage; otherwise, going to step 4.3.2;
step 4.4, scout bee stage:
step 4.4.1, putting those of the m honey sources whose development times have reached the maximum development times limit into tabu table $T_3$;
step 4.4.2, judging whether the evolution iteration number of the bee colony has reached the maximum evolution iteration number MCN, or whether the optimal honey source has not improved after a preset limit number of updates:
if yes, selecting the honey source with the highest adaptation value from the m honey sources as the optimal honey source, wherein the optimal honey source is the optimal network connection characteristic vector and support vector machine model parameter vector;
otherwise, adding 1 to the current evolution iteration number, and going to step 4.2 to perform the next round of iterative optimization.
Compared with the prior art, the invention has the following characteristics:
firstly, the neighborhood search capability of the artificial bee colony algorithm is improved by introducing a tabu table T, and a TS-ABC algorithm is provided;
secondly, tabu tables of different lengths are used flexibly according to the needs of the different search stages of the artificial bee colony, with the restriction suitably tightened or relaxed, so that the algorithm is kept from falling into local optima in time and its convergence is accelerated;
thirdly, the evaluation of the fitness function is improved by introducing a reward and punishment mechanism: the selection rate of inferior solutions is raised and the over-fast convergence of superior solutions is punished, which effectively expands the diversity of the solutions;
fourthly, feature selection and the optimization of the parameters of the support vector machine (SVM) are carried out synchronously, which reduces the complexity of the algorithm.
Drawings
Fig. 1 is a flow chart of the optimization process of the intrusion detection model based on the tabu and artificial bee colony bidirectional optimization support vector machine.
Fig. 2 is a flow chart of how neighborhood search updates the current honey source, the craving level, and the tabu tables during the employed bee stage and the observation bee stage.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to the accompanying drawings in conjunction with specific examples.
The intrusion detection method based on the tabu and artificial bee colony bidirectional optimization support vector machine first reconstructs the original artificial bee colony algorithm: the honey sources and the support vector machine parameters to be optimized are coded synchronously, the initial honey source solutions are generated randomly, and the optimal feature subset is searched for with a tabu-artificial bee colony search strategy. Specifically, a first tabu table is introduced in the employed bee search stage to store the local optimal solutions already found, so that they are avoided during a preset number of subsequent iterations; a second tabu table is introduced in the observation bee stage, and a reward and punishment mechanism is added to the fitness function of the honey source to improve the diversity of the solutions; finally, a third tabu table is introduced in the scout bee stage to store the solutions that have reached the maximum development times without any improvement in their adaptation value. In addition, the evaluation of honey source quality and the parameter optimization of the support vector machine are carried out synchronously throughout the search, exploiting the dependency between the two optimization processes, so that the time complexity and space complexity of the algorithm are reduced and the method can be applied well to intrusion detection classification on high-dimensional data. The invention has strong feasibility and good practicability.
An intrusion detection method based on tabu and artificial bee colony bidirectional optimization support vector machine comprises the following specific steps:
Stage I: training phase
Step 1, firstly, a network connection data packet is obtained, and a connection record is generated and used as a training set of an intrusion detection system.
In the present embodiment, the training set used is a network intrusion detection standard data set KDD CUP99, and the data format is exemplified as follows:
0,tcp,http,SF,275,2580,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,1,0.00,0.00,0.00,0.00,1.00,0.00,0.00,16,255,1.00,0.00,0.06,0.06,0.00,0.00,0.00,0.00,normal.
Step 2, preprocessing the data of the training set.
In this embodiment, the character-type features are numerically coded and thereby converted into numeric type, the data is then numerically normalized so that each piece of connection data is normalized to [0, 1], and the result is converted into the input format of the support vector machine, using the following formula:
where $x_i$ and $y_i$ respectively denote the value of feature i before and after normalization, and $\max(x_i)$ and $\min(x_i)$ respectively denote the maximum and minimum of feature i before normalization.
For example:
1 1:0.0 2:0.0 3:0.30434782608695654 4:0.9 5:1.7464225121809854E-7 6:1.977193717824078E-7 7:0.0 8:0.0 9:0.0 10:0.0 11:0.0 12:1.0 13:0.0 14:0.0 15:0.0 16:0.0 17:0.0 18:0.0 19:0.0 20:0.0 21:0.0 22:0.0 23:0.0019569471624266144 24:0.0019569471624266144 25:0.0 26:0.0 27:0.0 28:0.0 29:1.0 30:0.0 31:0.0 32:0.054901960784313725 33:0.5843137254901961 34:1.0 35:0.0 36:0.07 37:0.04 38:0.0 39:0.0 40:0.0 41:0.0
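The preprocessing of step 2, reused unchanged for live traffic in step 6 and followed by the feature-mask reduction of step 7, can be sketched as below; this is an added example, not code from the patent. It assumes the usual min-max form y_i = (x_i - min(x_i)) / (max(x_i) - min(x_i)) implied by the definitions above (the formula itself is not reproduced on this page); the category coding, the reserved code 0 for unseen values, the clipping, the 1/-1 label coding, and the two extra training records are constructed for illustration.

```python
N = 41                     # features per KDD CUP99 connection record
SYMBOLIC = (1, 2, 3)       # 0-based columns: protocol_type, service, flag

# Record quoted on this page; the variants built from it below are constructed test data.
PAGE_RECORD = ("0,tcp,http,SF,275,2580,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,1,"
               "0.00,0.00,0.00,0.00,1.00,0.00,0.00,16,255,1.00,0.00,0.06,0.06,"
               "0.00,0.00,0.00,0.00,normal.")


def variant(changes, label=None):
    """Copy PAGE_RECORD, overwrite some fields, and optionally append a label."""
    fields = PAGE_RECORD.split(",")[:N]
    for idx, value in changes.items():
        fields[idx] = value
    return ",".join(fields + ([label + "."] if label else []))


TRAIN = [PAGE_RECORD,
         variant({1: "udp", 2: "domain_u", 4: "1100", 5: "44"}, "normal"),
         variant({2: "private", 3: "S0", 4: "0", 5: "0", 11: "0", 22: "123"}, "neptune")]


def parse_record(line):
    """Split a record into 41 raw features and a label (None for unlabeled live traffic)."""
    fields = line.strip().split(",")
    if len(fields) not in (N, N + 1):
        raise ValueError(f"expected {N} or {N + 1} fields, got {len(fields)}")
    return fields[:N], (fields[N].rstrip(".") if len(fields) > N else None)


class Preprocessor:
    def fit(self, lines):
        """Learn category codes and per-feature min/max from the training set only."""
        rows = [parse_record(line)[0] for line in lines]
        # Codes start at 1; code 0 is reserved for values never seen in training.
        self.codes = {c: {v: k for k, v in enumerate(sorted({r[c] for r in rows}), 1)}
                      for c in SYMBOLIC}
        cols = list(zip(*(self._encode(r) for r in rows)))
        self.lo = [0.0 if c in SYMBOLIC else min(col) for c, col in enumerate(cols)]
        self.hi = [max(col) for col in cols]
        return self

    def _encode(self, row):
        return [float(self.codes[c].get(v, 0)) if c in SYMBOLIC else float(v)
                for c, v in enumerate(row)]

    def transform(self, line):
        """Normalize one record to [0, 1] with the training statistics (steps 2 and 6)."""
        row, label = parse_record(line)
        vec = []
        for x, lo, hi in zip(self._encode(row), self.lo, self.hi):
            y = 0.0 if hi == lo else (x - lo) / (hi - lo)   # constant feature: avoid 0/0
            vec.append(min(1.0, max(0.0, y)))               # clip values outside training range
        return vec, label


def to_libsvm(vec, label, mask=None):
    """Emit 'label index:value ...'; with a 0/1 mask keep only selected features (step 7)."""
    kept = [v for i, v in enumerate(vec) if mask is None or mask[i]]
    y = 0 if label is None else (1 if label == "normal" else -1)   # assumed label coding
    return " ".join([str(y)] + [f"{i}:{v:g}" for i, v in enumerate(kept, 1)])
```

Fitting the statistics once on the training set and reusing them at detection time is what keeps step 6 consistent with step 2; refitting on live traffic would shift every feature scale under the trained model.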
Step 3, setting the initial parameters of the tabu algorithm and the bee colony algorithm in the tabu and artificial bee colony bidirectional optimization support vector machine model.
The parameters set for the bee colony algorithm comprise the bee colony population number NP, the number m of honey sources, the maximum evolution iteration number MCN, and the maximum development times limit of the honey sources. In the bee colony algorithm, the employed bees and the observation bees each account for half of the bee colony population number NP, and the number of employed bees is equal to the number of honey sources (each honey source has only one employed bee, and when a honey source is abandoned, the corresponding employed bee becomes a scout bee), namely the number of honey sources is m = NP/2. Each honey source $x_i$ ($i = 1, 2, \ldots, m$) is represented by a d-dimensional vector $x_i = (x_{i1}, x_{i2}, \ldots, x_{id})^T$, where d is the number of features of the problem to be optimized; in the present intrusion detection model, d is 41.
The parameters set for the tabu algorithm comprise the lengths $|T_1|$ to $|T_3|$ of the 3 tabu tables $T_1$ to $T_3$.
In the tabu algorithm, the tabu tables $T_1$ to $T_3$ are initially empty and are maintained in a first-in-first-out manner; the tabu length $|T_i|$ means that table $T_i$ can store at most $|T_i|$ honey sources. In this embodiment, the lengths of the 3 tabu tables satisfy $|T_2| < |T_1| < |T_3|$. The craving level C(x) represents the historical best adaptation value among all honey sources, with an initial value of zero.
Step 4, performing iterative optimization of the tabu and artificial bee colony bidirectional optimization support vector machine model on the training set, that is, bidirectionally optimizing the network connection characteristics and the support vector machine model parameters, and finally generating the optimal network connection characteristic vector and the optimal support vector machine model parameter vector. See Fig. 1 and Fig. 2.
(1) Designing the synchronous coding scheme for the honey source and the support vector machine model parameters.
In the invention, data dimension reduction is carried out by wrapper-style feature selection around the support vector machine, so the parameters of the support vector machine, such as the penalty factor C and the RBF kernel function parameter γ, directly affect the quality of the resulting detection model. Usually, grid search or cross-validation is used to obtain the optimal C and γ, which are then fixed in the training model in order to determine the optimal connection features. However, support vector machine parameters set empirically cannot guarantee the quality of the selected features, and fixed connection features cannot guarantee the quality of the detection model when the model parameters are optimized. Because the two optimization processes depend on each other, they are optimized synchronously by coding them together, as shown in the following formula:
$$\mathrm{Solution}_{source} = \{(T, P) \mid T = (t_1, t_2, \ldots, t_n),\ t_i \in \{0, 1\},\ i = 1, 2, \ldots, n;\ P = (C, \gamma),\ l_c \le C \le u_c,\ l_\gamma \le \gamma \le u_\gamma\}$$
where $T = (t_1, t_2, \ldots, t_n)$ represents a vector consisting of the n-dimensional network connection data features, each component taking one of two values, 1 indicating that the component (i.e., the feature) is selected and 0 indicating that it is not selected; for example, T = [1,1,0,1,1,1,1,1,0,0,0, 1,1,1,0,1,0,1,1, 1,1,1,0,1,1,1, 0] indicates that the selected features are [1,2, 4,5,6, 8,9,10,11,12,18,19,24,25,26,28, 30,31,35,36,37,39,41]; and $P = (C, \gamma)$ represents a vector consisting of the support vector machine model penalty factor C and the RBF kernel function parameter γ.
(2) Neighborhood search mode of the honey source.
The neighborhood search of the classical artificial bee colony is a greedy search; its neighborhood search capability is weak, and the bee colony easily becomes trapped in a local optimum. To avoid roundabout (cyclic) search by the bee colony and to strengthen the hill-climbing capability of the neighborhood search, tabu tables of different lengths are introduced in the different stages of the iterative optimization to make already-searched honey sources tabu, so that the search can jump out of local optimal solutions.
(3) Calculation of the following probability in the observation bee stage.
In the classical artificial bee colony algorithm, the following probability of the observation bees is calculated by roulette. In general, this calculation gives a honey source with a larger adaptation value a larger probability of being selected, so most observation bees are recruited to that honey source; the population then tends to evolve rapidly toward individuals with higher adaptation values, the diversity of individuals in the population deteriorates, the population converges prematurely, and it loses the ability to evolve toward the global optimum. Therefore, the invention improves the probability calculation of the classical algorithm to calculate the following probability $\mathrm{Prob}(x_i)$ of the observation bees in the roulette mechanism.
The classical calculation formula is:
the improved calculation formula is as follows:
where $\mathrm{Prob}(x_i)$ is the probability that the i-th honey source (solution) is selected; $fit(i)$ is the fitness value of the i-th honey source, corresponding to the richness of the honey source; $fit'(x_i)$ is the fitness function value of the honey source as improved by the reward and punishment mechanism; c is the penalty parameter; and $l(x_i)$ is the number of 1s contained in the honey source individual.
Calculation of the fitness function: the fitness of every honey source $x_i$ is evaluated using the average K-fold cross-validation accuracy of the support vector machine, and the support vector machine selects the kernel function parameter γ and the penalty parameter C at the same time as it evaluates the quality of the honey source. The fitness function value of the honey source, which is the average K-fold cross-validation accuracy of the support vector machine, is:
Step 4.1, randomly generating m honey sources according to the network connection data in the training set, wherein each honey source is an initial network connection characteristic vector and support vector machine model parameter vector. Calculating the adaptation values of the m honey sources, selecting the honey source with the highest adaptation value among them, and assigning its adaptation value to the current craving level C(x).
Step 4.2, employed bee stage:
Step 4.2.1, selecting from the m honey sources 1 honey source that has not yet undergone neighborhood search in the employed bee stage as the old honey source, and performing neighborhood search on the old honey source to obtain 1 new honey source.
Step 4.2.2, comparing the adaptation value of the new honey source with the current craving level C(x):
If the adaptation value of the new honey source is greater than the current craving level C(x), the new honey source replaces the old honey source, the development times of the honey source are set to 0, the adaptation value of the new honey source is assigned to the craving level C(x), and the process goes to step 4.2.3.
If the adaptation value of the new honey source is less than or equal to the current craving level C(x), further judging whether the new honey source is in tabu table $T_3$ or tabu table $T_1$:
If the new honey source is neither in tabu table $T_3$ nor in tabu table $T_1$, further comparing the adaptation values of the new honey source and the old honey source:
If the adaptation value of the new honey source is greater than that of the old honey source, the new honey source replaces the old honey source, the development times of the honey source are set to 0, the new honey source is put into tabu table $T_1$, and the process goes to step 4.2.3.
If the adaptation value of the new honey source is less than or equal to that of the old honey source, the old honey source is kept, the development times of the current honey source are increased by 1, and the process goes to step 4.2.3.
If the new honey source is in tabu table $T_3$ or tabu table $T_1$, the old honey source is kept, the development times of the current honey source are increased by 1, and the process goes to step 4.2.3.
Step 4.2.3, if all m honey sources have undergone neighborhood search in the employed bee stage, going to step 4.3 and entering the observation bee stage; otherwise, going to step 4.2.1.
Step 4.3, observation bee stage:
Step 4.3.1, calculating the selection probability of the m honey sources, and selecting m' honey sources with higher fitness from the m honey sources according to a roulette mechanism. In the present invention, m' is an indeterminate random number whose value is randomly determined by the roulette mechanism.
Step 4.3.2, selecting from the m' honey sources 1 honey source that has not yet undergone neighborhood search in the observation bee stage as the old honey source, and performing neighborhood search on the old honey source to obtain 1 new honey source.
Step 4.3.3, comparing the adaptation value of the new honey source with the current craving level C(x):
If the adaptation value of the new honey source is greater than the current craving level C(x), the new honey source replaces the old honey source, the development times of the honey source are set to 0, the adaptation value of the new honey source is assigned to the craving level C(x), and the process goes to step 4.3.4.
If the adaptation value of the new honey source is less than or equal to the current craving level C(x), further judging whether the new honey source is in tabu table $T_3$ or tabu table $T_2$:
If the new honey source is neither in tabu table $T_3$ nor in tabu table $T_2$, further comparing the adaptation values of the new honey source and the old honey source:
If the adaptation value of the new honey source is greater than that of the old honey source, the new honey source replaces the old honey source, the development times of the honey source are set to 0, the new honey source is put into tabu table $T_2$, and the process goes to step 4.3.4.
If the adaptation value of the new honey source is less than or equal to that of the old honey source, the old honey source is kept, the development times of the current honey source are increased by 1, and the process goes to step 4.3.4.
If the new honey source is in tabu table $T_3$ or tabu table $T_2$, the old honey source is kept, the development times of the current honey source are increased by 1, and the process goes to step 4.3.4.
Step 4.3.4, if all m' honey sources have undergone neighborhood search in the observation bee stage, going to step 4.4 and entering the scout bee stage; otherwise, going to step 4.3.2.
Step 4.4, scout bee stage:
Step 4.4.1, putting those of the m honey sources whose development times have reached the maximum development times limit into tabu table $T_3$.
Step 4.4.2, judging whether the evolution iteration number of the bee colony has reached the maximum evolution iteration number MCN, or whether the optimal honey source has not improved after a preset limit number of updates:
If yes, selecting the honey source with the highest adaptation value from the m honey sources as the optimal honey source, wherein the optimal honey source is the optimal network connection characteristic vector and support vector machine model parameter vector.
Otherwise, adding 1 to the current evolution iteration number, and going to step 4.2 to perform the next round of iterative optimization.
To optimize the intrusion detection model based on the tabu and artificial bee colony bidirectional optimization support vector machine, the honey source and the support vector machine parameters are first coded synchronously and the initial honey sources are generated randomly. Second, the neighborhood search stages of the honey source are redesigned and the fitness function is reconstructed: in the employed bee stage, a first tabu table $T_1$ is used to make the current optimal honey source found tabu, and the tabu table is updated as the iterations proceed according to the search criteria of the honey source; then, in the observation bee stage, a fitness function with a penalty factor is constructed for the roulette selection probability of the honey sources, and a second tabu table $T_2$ is introduced; finally, a third tabu table $T_3$ is introduced to memorize the solutions abandoned when their development times reach limit during the iterations, and it is updated according to the optimal solution obtained in each cycle, which avoids falling into local optima and reduces the computational complexity of the algorithm. The whole algorithm ends when the maximum evolution iteration number is reached or the optimal feature subset is found. Finally, on the basis of this tabu and artificial bee colony bidirectional optimization support vector machine model, an intrusion detection method based on the tabu and artificial bee colony bidirectional optimization support vector machine is provided. The invention solves the problems that the search efficiency of feature selection in existing intrusion detection models is low, that the NP-hard minimum feature subset search cannot be solved, and that parameter optimization is difficult to carry out synchronously with search and modeling, and it has strong feasibility and good practicability.
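The acceptance rule of steps 4.2.2 and 4.3.3 and the scout bee bookkeeping of step 4.4.1 can be exercised with the following added Python sketch, which is not code from the patent. Assumptions: `toy_fitness` is a constructed stand-in for the K-fold SVM cross-validation accuracy, the neighborhood move, parameter bounds, key rounding and scout re-seeding are illustrative choices, the roulette uses classical fitness-proportional selection because the improved probability formula is not reproduced on this page, and only the MCN stopping criterion is implemented.

```python
import random
from collections import deque

N_FEATURES = 41                                    # d in the description
C_RANGE, GAMMA_RANGE = (0.1, 100.0), (0.001, 1.0)  # assumed bounds [l_c, u_c], [l_gamma, u_gamma]
INFORMATIVE = frozenset({0, 2, 4, 5, 22, 28, 32})  # constructed: features the toy fitness rewards


class HoneySource:
    """One solution (T, P): binary feature mask T and SVM parameters P = (C, gamma)."""

    def __init__(self, mask, c, gamma):
        self.mask, self.c, self.gamma = tuple(mask), c, gamma
        self.trials = 0                            # development times of this source

    def key(self):
        # Hashable identity stored in the tabu tables (rounding is an assumption).
        return (self.mask, round(self.c, 2), round(self.gamma, 3))


def random_source(rng):
    mask = [rng.randint(0, 1) for _ in range(N_FEATURES)]
    return HoneySource(mask, rng.uniform(*C_RANGE), rng.uniform(*GAMMA_RANGE))


def neighbor(src, rng):
    """Assumed neighborhood move: flip one feature bit, jitter C and gamma within bounds."""
    mask = list(src.mask)
    mask[rng.randrange(N_FEATURES)] ^= 1
    clamp = lambda v, bounds: min(max(v, bounds[0]), bounds[1])
    return HoneySource(mask, clamp(src.c * rng.uniform(0.8, 1.25), C_RANGE),
                       clamp(src.gamma * rng.uniform(0.8, 1.25), GAMMA_RANGE))


def toy_fitness(src):
    """Constructed stand-in for SVM cross-validation accuracy; value in (0, 1]."""
    chosen = {i for i, bit in enumerate(src.mask) if bit}
    hit = len(chosen & INFORMATIVE) / len(INFORMATIVE)
    noise = len(chosen - INFORMATIVE) / N_FEATURES
    return max(1e-6, 0.9 * hit - 0.3 * noise + 0.1 / (1.0 + abs(src.c - 10.0)))


def try_move(old, fit, state, t_stage, t3, rng):
    """Steps 4.2.2 / 4.3.3: craving-level test, then tabu test, then greedy comparison."""
    new = neighbor(old, rng)                       # new.trials starts at 0
    f_new = fit(new)
    if f_new > state["aspiration"]:                # beats craving level C(x): accept even if tabu
        state["aspiration"], state["best"] = f_new, new
        return new
    if new.key() in t3 or new.key() in t_stage:    # tabu solution: keep the old source
        old.trials += 1
        return old
    if f_new > fit(old):                           # local improvement: accept and make it tabu
        t_stage.append(new.key())                  # deque(maxlen=n) evicts the oldest entry (FIFO)
        return new
    old.trials += 1
    return old


def ts_abc(m=10, mcn=60, limit=8, lens=(10, 5, 20), fit=toy_fitness, seed=1):
    """Run the three stages; lens = (|T1|, |T2|, |T3|) with |T2| < |T1| < |T3|."""
    rng = random.Random(seed)
    t1, t2, t3 = (deque(maxlen=n) for n in lens)
    sources = [random_source(rng) for _ in range(m)]             # step 4.1
    best = max(sources, key=fit)
    state = {"aspiration": fit(best), "best": best, "history": []}
    for _ in range(mcn):
        for i in range(m):                                       # step 4.2: employed bees, T1
            sources[i] = try_move(sources[i], fit, state, t1, t3, rng)
        weights = [fit(s) for s in sources]                      # step 4.3.1: classical roulette
        picked = set(rng.choices(range(m), weights=weights, k=m))    # the m' distinct sources
        for i in sorted(picked):                                 # observation bees, T2
            sources[i] = try_move(sources[i], fit, state, t2, t3, rng)
        for i, s in enumerate(sources):                          # step 4.4: scout bees
            if s.trials >= limit:
                t3.append(s.key())                               # step 4.4.1
                sources[i] = random_source(rng)                  # classical ABC re-seeding (assumed)
                if fit(sources[i]) > state["aspiration"]:
                    state["aspiration"], state["best"] = fit(sources[i]), sources[i]
        state["history"].append(state["aspiration"])
    return state, (t1, t2, t3)
```

`ts_abc()` returns the search state (best source, craving level, per-iteration history) and the three tabu tables; passing a real cross-validation scorer as `fit` is the only change needed to evaluate actual feature masks.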
Step 5, set the parameters of the support vector machine according to the optimal network connection characteristic vector and the support vector machine model parameter vector generated in step 4, finally obtaining the network intrusion detection model.
Stage II: detection phase
Step 6, collect network connection data packets in real time and preprocess them in the same way as in step 2 to obtain the data to be detected;
Step 7, according to the optimal network connection characteristic vector generated in step 4, perform characteristic extraction and dimensionality reduction on the preprocessed data to be detected to obtain network connection data;
Step 8, input the network connection data obtained after the characteristic extraction in step 7 into the network intrusion detection model obtained in step 5 for intrusion detection; once an attack is detected, generate the corresponding alarm information to notify an administrator to handle it.
The invention uses the tabu table, which in tabu search prevents the search from circling back over solutions already visited, and introduces it into the three search stages of the artificial bee colony to overcome the colony's tendency to fall into a local optimum and its slow convergence. In the observation bee search stage of the artificial bee colony, a penalty mechanism is introduced and the fitness function of the honey source is reconstructed: individuals containing more features receive a penalty that lowers their probability of being selected, while individuals containing fewer features receive a reward that raises it. Because the optimization of the honey source and that of the support vector machine depend on each other, their parameters are encoded synchronously and optimized bidirectionally, which reduces both the time complexity and the space complexity of the algorithm.
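The following Python example is added here and is not code from the patent; it runs the step 4 loop with the craving (aspiration) level C(x) and the three tabu tables T1, T2 and T3. Assumptions: the fitness function is a constructed stand-in for support vector machine accuracy, the model parameter vector is a pair of grid indices for C and gamma, the roulette stage draws m/2 sources, the reconnaissance bee redraws an abandoned source at random, and the best source seen is remembered separately.

```python
import random
from collections import deque

# Constructed stand-in for the patent's fitness (SVM accuracy on the training
# set): rewards informative features and good (C, gamma) grid positions, and
# charges a small cost per selected feature. All constants are assumptions.
INFORMATIVE = {0, 3, 5}        # assumed useful feature indices
N_FEATURES, GRID = 8, 5        # 8 connection features, 5 grid steps per SVM parameter

def fitness(src):
    bits, c_idx, g_idx = src
    hits = sum(1 for i in INFORMATIVE if bits[i])
    return hits / len(INFORMATIVE) - 0.02 * sum(bits) - 0.03 * (abs(c_idx - 3) + abs(g_idx - 1))

def neighbor(src, rng):
    """Neighborhood search: flip one feature bit or step one SVM parameter index."""
    bits, c_idx, g_idx = list(src[0]), src[1], src[2]
    move = rng.randrange(N_FEATURES + 2)
    if move < N_FEATURES:
        bits[move] ^= 1
    elif move == N_FEATURES:
        c_idx = min(GRID - 1, max(0, c_idx + rng.choice((-1, 1))))
    else:
        g_idx = min(GRID - 1, max(0, g_idx + rng.choice((-1, 1))))
    return (tuple(bits), c_idx, g_idx)

def accept(old, new, trials, aspiration, stage_tabu, t3):
    """Steps 4.2.2 / 4.3.3: returns (current source, development count, C(x))."""
    f_new = fitness(new)
    if f_new > aspiration:                      # beats C(x): accepted without a tabu check
        return new, 0, f_new
    if new not in t3 and new not in stage_tabu and f_new > fitness(old):
        stage_tabu.append(new)                  # accepted source goes into T1 (or T2)
        return new, 0, aspiration
    return old, trials + 1, aspiration          # tabu or not better: keep the old source

def optimize(m=6, mcn=60, limit=8, seed=7):
    rng = random.Random(seed)
    t1, t2, t3 = deque(maxlen=6), deque(maxlen=4), deque(maxlen=10)  # |T2| < |T1| < |T3|
    def rand_src():
        return (tuple(rng.randint(0, 1) for _ in range(N_FEATURES)),
                rng.randrange(GRID), rng.randrange(GRID))
    sources, trials = [rand_src() for _ in range(m)], [0] * m        # step 4.1
    best = max(sources, key=fitness)
    aspiration = fitness(best)
    for _ in range(mcn):
        for i in range(m):                      # step 4.2: hiring bees, tabu table T1
            sources[i], trials[i], aspiration = accept(
                sources[i], neighbor(sources[i], rng), trials[i], aspiration, t1, t3)
        low = min(fitness(s) for s in sources)  # step 4.3: roulette over shifted fitness
        weights = [fitness(s) - low + 1e-6 for s in sources]
        for i in sorted(set(rng.choices(range(m), weights=weights, k=m // 2))):
            sources[i], trials[i], aspiration = accept(
                sources[i], neighbor(sources[i], rng), trials[i], aspiration, t2, t3)
        best = max(sources + [best], key=fitness)
        for i in range(m):                      # step 4.4: exhausted sources go into T3
            if trials[i] >= limit:
                t3.append(sources[i])
                sources[i], trials[i] = rand_src(), 0   # assumption: random redraw
                aspiration = max(aspiration, fitness(sources[i]))
                best = max(best, sources[i], key=fitness)
    return best, fitness(best), aspiration
```

In a real deployment `fitness` would train and score the support vector machine on the selected features, which is why the tabu tables matter: every rejected tabu candidate is one model training run saved.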
It should be noted that the above embodiments are illustrative and the present invention is not limited to them. All other embodiments that may be devised by those skilled in the art without departing from the principles of the invention are deemed to be within the scope and spirit of the invention.
Claims (4)
1. The intrusion detection method based on the tabu and the artificial bee colony bidirectional optimization support vector machine is characterized by comprising a training stage and a detection stage;
the training phase comprises the following steps:
step 1, collecting network connection data in a network as a training set of an intrusion detection system;
step 2, carrying out data preprocessing on the training set;
step 3, setting parameters of a taboo algorithm and a swarm algorithm in a taboo and artificial swarm bidirectional optimization support vector machine model; meanwhile, setting the initial value of the current craving level C (x) representing the historical optimal adaptation values in all the honey sources to be zero;
step 4, performing iterative optimization on the taboo and artificial bee colony bidirectional optimization support vector machine model on a training set, namely bidirectional optimization network connection characteristics and support vector machine model parameters, and finally generating an optimal honey source, namely an optimal network connection characteristic vector and a support vector machine model parameter vector; namely:
step 4.1, randomly generating m honey sources according to the network connection data in the training set, wherein the honey sources are the initial network connection characteristic vector and the support vector machine model parameter vector; calculating the adaptation values of m honey sources, comparing and selecting the honey source with the highest adaptation value of the m honey sources, and assigning the adaptation value of the honey source to the current craving level C (x);
step 4.2, hiring bee stage:
step 4.2.1, selecting 1 honey source which is not subjected to neighborhood search in the hiring bee stage from the m honey sources as an old honey source, and performing neighborhood search on the old honey source to obtain 1 new honey source;
step 4.2.2, comparing the fitness value of the new honey source with the current craving level C (x):
if the adaptation value of the new honey source is larger than the current craving level C (x), replacing the old honey source with the new honey source as the current honey source, setting the development times of the current honey source to 0, assigning the adaptation value of the new honey source to the current craving level C (x), and turning to the step 4.2.3;
if the adaptation value of the new honey source is less than or equal to the current craving level C (x), further judging whether the new honey source is in the tabu table T3 or the tabu table T1:
if the new honey source is neither in the tabu table T3 nor in the tabu table T1, further comparing the adaptation values of the new honey source and the old honey source:
if the adaptation value of the new honey source is larger than the adaptation value of the old honey source, the new honey source replaces the old honey source to serve as the current honey source, meanwhile, the development times of the current honey source are set to be 0, the new honey source is placed in the tabu table T1, and the process goes to step 4.2.3;
if the adaptation value of the new honey source is smaller than or equal to the adaptation value of the old honey source, keeping the old honey source as the current honey source, adding 1 to the development frequency of the current honey source, and turning to the step 4.2.3;
if the new honey source is in the tabu table T3 or the tabu table T1, keeping the old honey source as the current honey source, adding 1 to the development frequency of the current honey source, and turning to the step 4.2.3;
step 4.2.3, if all m honey sources are subjected to neighborhood search in the bee hiring stage, turning to the step 4.3, entering a bee observation stage, and otherwise, turning to the step 4.2.1;
step 4.3, bee observation stage:
step 4.3.1, calculating the selected probability of the m honey sources, and selecting m' honey sources with higher fitness from the m honey sources according to a roulette mechanism;
step 4.3.2, selecting 1 honey source which is not subjected to neighborhood search in the observation bee stage from m' honey sources as an old honey source, and performing neighborhood search on the old honey source to obtain 1 new honey source;
step 4.3.3, comparing the fitness value of the new honey source with the current craving level C (x):
if the adaptation value of the new honey source is greater than the current craving level C (x), replacing the old honey source with the new honey source as the current honey source, setting the development times of the current honey source to 0, assigning the adaptation value of the new honey source to the current craving level C (x), and turning to step 4.3.4;
if the adaptation value of the new honey source is less than or equal to the current craving level C (x), further judging whether the new honey source is in the tabu table T3 or the tabu table T2:
if the new honey source is neither in the tabu table T3 nor in the tabu table T2, further comparing the adaptation values of the new honey source and the old honey source:
if the adaptation value of the new honey source is larger than the adaptation value of the old honey source, the new honey source replaces the old honey source to serve as the current honey source, meanwhile, the development times of the current honey source are set to be 0, the new honey source is placed in the tabu table T2, and the process goes to step 4.3.4;
if the adaptation value of the new honey source is less than or equal to the adaptation value of the old honey source, keeping the old honey source as the current honey source, adding 1 to the development frequency of the current honey source, and turning to step 4.3.4;
if the new honey source is in the tabu table T3 or the tabu table T2, the old honey source is kept as the current honey source, meanwhile, the development frequency of the current honey source is added by 1, and the process goes to step 4.3.4;
step 4.3.4, if all m' honey sources are subjected to neighborhood search in the observation bee stage, turning to the step 4.4, entering a reconnaissance bee stage, and otherwise, turning to the step 4.3.2;
step 4.4, reconnaissance bee stage:
step 4.4.1, putting the honey sources whose development times have reached the maximum development times limit, among the m honey sources, into the tabu table T3;
step 4.4.2, judging whether the evolution iteration number of the bee colony reaches the maximum evolution iteration number MCN or whether the optimal honey source is not increased after updating for a preset limited number of times:
if yes, selecting the honey source with the highest adaptive value from the m honey sources as an optimal honey source, wherein the optimal honey source is the optimal network connection characteristic vector and the support vector machine model parameter vector;
otherwise, adding 1 to the current evolution iteration number, and turning to the step 4.2 to perform next iteration optimization;
step 5, setting parameters of the support vector machine according to the optimal network connection characteristic vector and the support vector machine model parameter vector generated in the step 4, and finally obtaining a network intrusion detection model;
the detection stage comprises the following steps:
step 6, collecting the network connection data packet to be detected in real time, and preprocessing the network connection data packet to be detected by adopting the same preprocessing mode as the step 2;
step 7, according to the optimal network connection characteristic vector generated in the step 4, performing characteristic extraction and dimension reduction on the preprocessed network connection data to be detected to obtain the network connection data after characteristic extraction;
step 8, inputting the network connection data obtained after the characteristic extraction in the step 7 into the network intrusion detection model obtained in the step 5 for intrusion detection, and generating corresponding alarm information to inform an administrator to process once an attack is detected.
2. The intrusion detection method based on the tabu and artificial bee colony bidirectional optimization support vector machine as claimed in claim 1, wherein the parameters of the bee colony algorithm set in step 3 include the number NP of bee colony populations, the number m of honey sources, the maximum evolutionary iteration number MCN and the maximum development times limit of honey sources; the parameters of the set tabu algorithm comprise the lengths |T1|~|T3| of the 3 tabu tables T1~T3.
3. The intrusion detection method based on tabu and artificial bee colony bidirectional optimization support vector machine according to claim 2, wherein the number m of honey sources is half of the number NP of bee colony populations, i.e. m = NP/2.
4. The intrusion detection method based on tabu and artificial bee colony bidirectional optimization support vector machine according to claim 2, wherein the length |T2| of the tabu table T2 < the length |T1| of the tabu table T1 < the length |T3| of the tabu table T3.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810258288.0A CN108446562B (en) | 2018-03-27 | 2018-03-27 | Intrusion detection method based on tabu and artificial bee colony bidirectional optimization support vector machine |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108446562A (en) | 2018-08-24 |
CN108446562B (en) | 2021-08-03 |
Family
ID=63196902
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810258288.0A Expired - Fee Related CN108446562B (en) | 2018-03-27 | 2018-03-27 | Intrusion detection method based on tabu and artificial bee colony bidirectional optimization support vector machine |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108446562B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110298399B (en) * | 2019-06-27 | 2022-11-25 | 东北大学 | Freeman chain code and moment feature fusion-based pumping well fault diagnosis method |
CN110489790B (en) * | 2019-07-10 | 2022-09-13 | 合肥工业大学 | IGBT junction temperature prediction method based on improved ABC-SVR |
CN110727943B (en) * | 2019-10-11 | 2022-08-16 | 中山职业技术学院 | Intrusion detection method and device |
CN112819031B (en) * | 2021-01-04 | 2022-06-17 | 中国汽车技术研究中心有限公司 | Vehicle-mounted weight prediction method and system, electronic device and medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103871002A (en) * | 2014-03-25 | 2014-06-18 | 上海电机学院 | Wind power forecast method and device based on self-adaptation bee colony algorithm |
CN105930864A (en) * | 2016-04-15 | 2016-09-07 | 杭州电子科技大学 | EEG (electroencephalogram) signal feature classification method based on ABC-SVM |
CN106097127A (en) * | 2016-06-20 | 2016-11-09 | 西安科技大学 | Forecast of Gas Emission method based on ABC ACC algorithm and forecast model construction method |
CN107067075A (en) * | 2016-10-11 | 2017-08-18 | 河南大学 | A kind of urban land ecological safety space exploration model based on artificial bee colony algorithm |
CN107465664A (en) * | 2017-07-07 | 2017-12-12 | 桂林电子科技大学 | Intrusion detection method based on parallel more artificial bee colony algorithms and SVMs |
CN107644127A (en) * | 2017-09-08 | 2018-01-30 | 西安工程大学 | Diagnosis Method of Transformer Faults based on IMABC Support Vector Machines Optimizeds |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10289751B2 (en) * | 2013-03-15 | 2019-05-14 | Konstantinos (Constantin) F. Aliferis | Data analysis computer system and method employing local to global causal discovery |
Non-Patent Citations (1)
Title |
---|
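Research and Implementation of DDoS Attack Detection Technology; Duan Xuanfei; "China Excellent Master's Theses Full-text Database, Information Science and Technology"; 20180315; pages 15, 44-45 * |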
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108446562B (en) | Intrusion detection method based on tabu and artificial bee colony bidirectional optimization support vector machine | |
CN110166454B (en) | Mixed feature selection intrusion detection method based on adaptive genetic algorithm | |
CN111614491B (en) | Power monitoring system oriented safety situation assessment index selection method and system | |
CN111343171B (en) | Intrusion detection method based on mixed feature selection of support vector machine | |
CN106778259A (en) | A kind of abnormal behaviour based on big data machine learning finds method and system | |
CN111598179B (en) | Power monitoring system user abnormal behavior analysis method, storage medium and equipment | |
CN113221112B (en) | Malicious behavior identification method, system and medium based on weak correlation integration strategy | |
Anil et al. | A hybrid method based on genetic algorithm, self-organised feature map, and support vector machine for better network anomaly detection | |
CN110826617A (en) | Situation element classification method and training method and device of model thereof, and server | |
Wu et al. | Genetic algorithm with multiple fitness functions for generating adversarial examples | |
CN108062363A (en) | A kind of data filtering method and system towards active power distribution network | |
Suman et al. | Building an effective intrusion detection system using unsupervised feature selection in multi-objective optimization framework | |
CN114943077B (en) | Malicious PDF file countermeasure sample generation method based on deep reinforcement learning | |
CN108737429B (en) | Network intrusion detection method | |
Čavojský et al. | Comparative Analysis of Feed-Forward and RNN Models for Intrusion Detection in Data Network Security with UNSW-NB15 Dataset | |
CN116192537B (en) | APT attack report event extraction method, system and storage medium | |
Wang et al. | An efficient intrusion detection model combined bidirectional gated recurrent units with attention mechanism | |
Babu et al. | Improved Monarchy Butterfly Optimization Algorithm (IMBO): Intrusion Detection Using Mapreduce Framework Based Optimized ANU-Net. | |
CN114282130A (en) | Fraud website identification method based on selection of mutant moth flame optimization algorithm | |
CN112257073A (en) | Webpage duplicate removal method based on improved DBSCAN algorithm | |
CN112653711A (en) | Network intrusion behavior feature selection method and device and storage medium | |
CN114936285B (en) | Crisis information detection method and system based on antagonistic multi-mode automatic encoder | |
Li et al. | Intrusion Detection Method Based on Genetic Algorithm of Optimizing LightGBM | |
Gao et al. | High utility itemsets mining based on hybrid harris hawk optimization and beluga whale optimization algorithms | |
Shokripoor Bahman Bigloo | A Parallel Genetic Algorithm Based Method for Feature Subset Selection in Intrusion Detection Systems |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20210803 |