CN112052450B - Intrusion detection method and device based on negative selection algorithm - Google Patents

Intrusion detection method and device based on negative selection algorithm

Publication number: CN112052450B
Application number: CN202010733504.XA
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN112052450A (en)
Inventors: 杨超, 闻海洋, 陈炳秋, 程镇, 骆傲然, 李琲珺, 贾琳
Current Assignee: Hubei University
Original Assignee: Hubei University
Application filed by: Hubei University
Priority to: CN202010733504.XA
Legal status: Active
Prior art keywords: detector, empty, grid, data, grid object

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566: Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00: Pattern recognition
    • G06F18/20: Analysing
    • G06F18/21: Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214: Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic


Abstract

The invention provides an intrusion detection method and device based on a negative selection algorithm. The method first performs grid division on the feature space represented by the data set, forming a number of equal-sized grid objects. The goal of the algorithm is for the detectors to cover as much of the non-self region as possible. Because an empty grid object contains no self data, it is equivalent to a non-self region and can be used directly as a candidate detector. For non-empty grid objects, candidate detectors are generated in each non-empty grid object in turn using a traditional algorithm, which reduces the time cost of distance calculation and improves detector generation efficiency; the algorithm uses the desired coverage of the non-empty grid object region as its termination condition. Experimental results show that the efficiency and performance of the algorithm are clearly superior to those of the classical negative selection algorithm.

Description

Intrusion detection method and device based on negative selection algorithm
Technical Field
The invention relates to the technical field of network security, in particular to an intrusion detection method and device based on a negative selection algorithm.
Background
Intrusion detection is the process of identifying activity that attempts to compromise the confidentiality, integrity, security, etc., of a computer or computer network. In essence, intrusion detection analyzes key information from a computer host or computer network, extracts its main features, compares those features with basic, general computer patterns, and then makes an intelligent judgment. Because of the importance of network security, researchers at home and abroad have tried to apply algorithms from many fields to intrusion detection. Common methods include the artificial immune system family of algorithms, artificial neural networks, swarm intelligence algorithms, support vector machines, etc.
The main current approaches to intrusion detection have the following defects:
(1) When traditional intrusion detection technology processes large-scale network data, processing is slow, real-time performance is poor, effective features cannot be extracted from the large volume of data, and detection efficiency is low.
(2) Faced with complex and changeable network environments, traditional intrusion detection technology often produces missed alarms, false alarms and similar errors.
An ideal intrusion detection method should detect intrusion activity accurately and react quickly once intrusion activity is detected; these characteristics are very similar to those of the biological immune system. The artificial immune system is a bionic intelligent computing method that solves problems in the computing field, inspired by the functions, principles and methods of the biological immune system. It designs immune models and immune algorithms by simulating the way the biological immune system handles external pathogens. Research focuses mainly on immune recognition, immune learning, immune memory, clonal selection, immune networks and the like, and the negative selection algorithm and the clonal selection algorithm from the immune recognition model are commonly used to solve the intrusion detection problem.
The negative selection algorithm is widely applied to network intrusion detection, but when used for intrusion detection it still suffers from a high false alarm rate, low accuracy, high redundancy in the detector set and similar problems. For example, ZHOU J et al. propose a variable-radius real-valued negative selection algorithm (V-Detector) which, for each randomly generated candidate detector, determines the detector radius by calculating the distance from the candidate detector to the nearest self sample; although this reduces detector redundancy to some extent, it still does not effectively solve the "black hole" problem. LIU Z et al. propose an improved negative selection algorithm based on subspace density search (SDS-RNSA), which obtains the dense subspace regions of the sample data through a subspace density search algorithm and generates detectors in each subspace region to improve the efficiency and performance of the algorithm, but its false alarm rate during detection is slightly higher. CHEN W et al. propose a negative selection algorithm based on antigen soft subspace clustering (ASSC-NSA), which uses antigen soft subspace clustering to calculate the key features of different antigen types and their weights, and then guides detector generation with these key features to effectively reduce detector redundancy, but the algorithm has low detector generation efficiency.
Definitions of terms:
Negative selection algorithm: a novel intelligent algorithm inspired by the mechanism by which T cells are generated in the thymus in the biological immune system;
Self: in the invention, normal behavior in intrusion detection;
Non-self (Nonself): in the invention, intrusion behavior in intrusion detection;
Grid partition (Grid part): a data preprocessing method that divides the model to be processed into many small units and performs the desired operations on each unit separately, thereby improving execution efficiency.
Disclosure of Invention
To address the technical problems in the prior art, the invention provides a real-valued negative selection algorithm based on grid division. The grid division method is applied to the detector generation stage of the negative selection algorithm, which effectively improves both detector generation efficiency and the detection rate.
The technical scheme for solving the technical problems is as follows:
An intrusion detection method based on a negative selection algorithm comprises the following steps:
performing grid division on the feature space where the training set data are located to obtain a non-empty grid object set and an empty grid object set; the training set data comprise only self data;
constructing a detector set that is initially empty, taking the region represented by each empty grid object as a non-self region, taking the range represented by that non-self region as a mature detector, and adding the mature detector to the detector set;
generating detectors in each non-empty grid object in turn by using a detector generation algorithm, until detector generation is complete in all non-empty grid objects;
and performing intrusion detection on the data to be detected by using the detectors in the detector set.
The beneficial effects of the invention are as follows. The invention provides a negative selection algorithm based on grid division and applies it to intrusion detection. The method divides the feature space where the data set is located into a number of equal-sized empty and non-empty grid objects. The empty grid object set is used directly as detectors; for the non-empty grid object set, candidate detectors are generated in each grid object in turn using a traditional algorithm, which improves detector generation efficiency. Compared with traditional intrusion detection methods based on the negative selection algorithm, the method has the following advantages:
(1) The invention applies the grid division method to the detector generation stage of the negative selection algorithm, which improves detector generation efficiency, effectively solves the problem that the time cost of detector training in the traditional negative selection algorithm grows exponentially with the number of self samples, and effectively improves intrusion detection efficiency.
(2) Traditional intrusion detection methods frequently produce missed alarms and false alarms; the invention effectively reduces the false alarm rate in the intrusion detection process and improves the detection rate.
Further, the step of performing grid division on the feature space where the training set data are located to obtain a non-empty grid object set and an empty grid object set includes:
dividing each dimension of the feature space where the training set data are located into the same number of segments to form a number of equal-sized grid objects, and counting them into an empty grid object set and a non-empty grid object set;
wherein the meshing length L is determined by:
wherein $[l_i, h_i)$ is the interval range of the training set data in the i-th dimension, and f is the number of segments into which each dimension of the feature space is divided.
Further, in the grid division, each dimension of the feature space is first divided according to the initially set number of segments f; the non-empty grid objects are denoted $N_G$ and the number of non-empty grid objects is denoted $\mathrm{num}(N_G)$. If $\mathrm{num}(N_G)$ meets the division termination condition S, the division ends; otherwise f = f + 1 and the feature space is re-divided, until the division termination condition is met.
Further, generating detectors in each non-empty grid object in turn by using the detector generation algorithm, until detector generation is complete in all non-empty grid objects, includes:
S401, defining a detector repetition counter m and a mature detector counter t;
S402, selecting one grid object from the non-empty grid set and randomly generating a candidate detector a within the range represented by that grid object; if the detector a lies within the range represented by a mature detector, let m = m + 1;
S403, calculating the distance between the candidate detector a and the nearest self data; if this distance is larger than the self radius r, incrementing t so that t = t + 1; otherwise discarding a and jumping to step S402;
S404, when the coverage rate of the detectors generated in the non-empty grid object is greater than or equal to the desired coverage p, detector generation in that grid object is complete; whether detector generation has reached the termination condition is judged by the following formula,
wherein p is the desired coverage, and Q and $Z_a$ are control parameters in the above formula: Q determines when to reset the counters, $Q = \max(5/p,\ 5/(1-p))$; $Z_a$ is a very small constant used to judge whether to continue generating detectors, and the invention takes $Z_a = 0.001$;
If coverage(p, t, m) = -1, the counters are cleared (t = m = 0) and the process goes to step S402; if coverage(p, t, m) = 0, the process goes directly to step S402; if coverage(p, t, m) = 1, the algorithm has reached the desired coverage and terminates.
In another aspect, the invention also provides an intrusion detection device based on a negative selection algorithm, comprising:
a grid division module, used for performing grid division on the feature space where the training set data are located to obtain a non-empty grid object set and an empty grid object set; the training set data comprise only self data;
a detector construction module, used for constructing a detector set that is initially empty, taking the region represented by each empty grid object as a non-self region, taking the range represented by that non-self region as a mature detector, and adding the mature detector to the detector set; and for generating detectors in each non-empty grid object in turn by using a detector generation algorithm, until detector generation is complete in all non-empty grid objects;
and a detection module, used for performing intrusion detection on the data to be detected by using the detectors in the detector set.
Drawings
FIG. 1 is a schematic diagram of an intrusion detection device based on a negative selection algorithm according to an embodiment of the present invention;
FIG. 2 and FIG. 3 show the data of a two-dimensional training set before and after grid division; the white grids in FIG. 3 are empty grid objects, the dark gray grids are non-empty grid objects, and the white circles in FIG. 2 and FIG. 3 represent the self data;
FIG. 4 is a flowchart of an intrusion detection method according to an embodiment of the present invention.
Detailed Description
The principles and features of the present invention are described below with reference to the drawings. The examples are given to illustrate the invention and are not to be construed as limiting its scope.
The invention aims to solve the intrusion detection problem by combining a negative selection algorithm with grid division. Conventional negative selection algorithms randomly generate candidate detectors, match them against all of the self data, and then remove the invalid detectors (those that recognize self, and duplicates). As a result, the generated detectors are highly redundant and have difficulty covering the whole non-self region, and detector generation is inefficient.
First, an embodiment of the present invention provides an intrusion detection device based on a negative selection algorithm, as shown in FIG. 1, including:
a grid division module, used for performing grid division on the feature space where the training set data are located to obtain a non-empty grid object set and an empty grid object set; the training set data comprise only self data;
a detector construction module, used for constructing a detector set that is initially empty, taking the region represented by each empty grid object as a non-self region, taking the range represented by that non-self region as a mature detector, and adding the mature detector to the detector set; and for generating detectors in each non-empty grid object in turn by using a detector generation algorithm, until detector generation is complete in all non-empty grid objects;
and a detection module, used for performing intrusion detection on the data to be detected by using the detectors in the detector set.
On this basis, to address the low efficiency of detector generation, the embodiment of the invention provides a negative selection algorithm based on grid division. The algorithm first performs grid division on the feature space represented by the data set, forming a number of equal-sized grid objects. The goal of the algorithm is for the detectors to cover as much of the non-self region as possible. Because an empty grid object contains no self data, it is equivalent to a non-self region and can be used directly as a candidate detector. For non-empty grid objects, candidate detectors are generated in each non-empty grid object in turn using a traditional algorithm, which reduces the time cost of distance calculation and improves detector generation efficiency; the algorithm uses the desired coverage of the non-empty grid object region as its termination condition. Experimental results show that the efficiency and performance of the algorithm are clearly superior to those of the classical negative selection algorithm.
Specifically, the negative selection algorithm based on grid division has three main parts. The first part is the grid division stage, in which a grid division algorithm divides the feature space where the self data are located to obtain the non-empty grid object set. The second part is the empty-grid detector generation stage, in which the region represented by each empty grid object is added to the detector set as a non-self region. The third part is the non-empty-grid detector generation stage, in which a detector generation algorithm generates detectors in each non-empty grid object in turn, until detector generation is complete in all non-empty grid objects.
Further, the embodiment explains the technical scheme in detail using the following method:
Step 1, experimental data set and preprocessing
The KDD Cup 99 data set consists of intrusion detection data extracted from network traffic; it is a benchmark in the field of network intrusion detection and laid a foundation for research in the field. The data set has 41 fixed feature attributes and 1 class identifier; the identifier indicates whether the connection record is normal or a specific attack type, and the class identifiers fall into five classes: Normal, DOS, R2L, U2R and Probing. Because the data set is large and contains many duplicate records, four sub-datasets were selected for the experiments (KDDTrain+, KDDTest, KDDTest+ and KDDTest-21). Before the experiments, the four sub-datasets undergo dimensionality reduction by linear discriminant analysis (Linear Discriminant Analysis, LDA) and normalization. The basic information of the NSL-KDD data set is as follows:

| Data set | Total amount of data | Normal data | Attack data | Feature dimension |
|---|---|---|---|---|
| KDDTrain+ | 125973 | 67343 | 58630 | 41 |
| KDDTest | 49403 | 15236 | 34167 | 41 |
| KDDTest+ | 22544 | 9711 | 12833 | 41 |
| KDDTest-21 | 11850 | 2152 | 9698 | 41 |

Step 2, sample initialization and parameter initialization
In the invention, an antigen represents network traffic data of any type, including attack data and normal data, and an antibody represents a detector. The experiment takes the normal data of the KDDTrain+ data set as the training set and KDDTest, KDDTest+ and KDDTest-21 as the test sets. The self radius r is the range represented by each training sample in the feature space, n is the number of training set data, and the termination condition S is:
where c is a control parameter for controlling the grid density in each grid object; in the present invention, c = 25 for the KDD Cup data set. The experimental parameters were set as follows:

| Data set | Desired coverage | Self radius r | Division termination condition S |
|---|---|---|---|
| KDDTrain+ | 99% | 0.015 | n/25 |

Step 3, grid division
For the intrusion detection problem, a grid division algorithm divides each dimension of the feature space where the sample data are located into the same number of segments to form a number of equal-sized grid objects, which are counted into empty grid objects and non-empty grid objects. The mesh length L is therefore:
wherein $[l_i, h_i)$ is the interval range of the sample data of the intrusion detection data set in the i-th dimension, and f is the number of segments into which each dimension of the feature space is divided.
For the two-dimensional data set A, the data distribution before and after the division is shown in FIG. 2 and FIG. 3.
Step 4, empty grid detector generation
From the grid objects obtained in the previous step, take out the empty grid objects; the range represented by each empty grid object is used directly as a mature detector and added to the final detector set.
Step 5, candidate detector generation in non-empty grids
Take one grid object from the non-empty grid object set and randomly generate a candidate detector a within the range represented by that grid object; if a lies within the range represented by a mature detector, increment the detector repetition counter m, so that m = m + 1.
Step 6, candidate detector validity determination
Calculate the distance between the candidate detector a and the nearest normal-data antigen; if a is not within the self radius r of the normal data, increment the mature detector counter t, so that t = t + 1; otherwise discard a and return to step 5.
Step 7, judging the termination condition
When the coverage rate of the detectors generated in a non-empty grid object is greater than or equal to the desired coverage p, detector generation in that grid object is complete, and the process jumps to step 5. The termination condition is judged by:
wherein p is the desired coverage, and Q and $Z_a$ are control parameters in the above formula: Q determines when to reset the counters, $Q = \max(5/p,\ 5/(1-p))$; $Z_a$ is a very small constant used to judge whether to continue generating detectors, and the invention takes $Z_a = 0.001$;
If coverage(p, t, m) = -1, the counters are cleared (t = m = 0) and the process goes to step S402; if coverage(p, t, m) = 0, the process goes directly to step S402; if coverage(p, t, m) = 1, the algorithm has reached the desired coverage and terminates.
During detector generation, a candidate is compared only with the self data in its own grid object, which reduces the cost of distance calculation and effectively shortens detector generation time.
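The three stages above (grid division, empty-grid detectors, per-cell detector generation) together with the detection step, as an added Python sketch that is not code from the patent. It assumes a fixed number of segments f instead of the division termination condition S, and a fixed attempt budget per cell (`attempts_per_cell`) in place of the coverage test, whose formula is not reproduced on this page. Further assumptions: the cell width is each dimension's range divided by f, detectors in non-empty cells are spheres whose radius is the nearest in-cell self distance minus r (as in V-Detector), and all function names and the sample data are constructed.

```python
import math
import random
from collections import defaultdict

# Constructed sample: two tight clusters of "self" (normal) points in 2-D.
SELF_SAMPLES = [(b + 0.01 * i, b + 0.01 * j)
                for b in (0.10, 0.80) for i in range(5) for j in range(5)]


def cell_of(x, lows, widths):
    """Grid object index of point x: one integer per dimension."""
    return tuple(math.floor((xi - lo) / w) for xi, lo, w in zip(x, lows, widths))


def train(self_data, f, r_self, attempts_per_cell=200, seed=0):
    """Grid-partition the self data and generate detectors per non-empty cell."""
    dims = len(self_data[0])
    lows = [min(p[i] for p in self_data) for i in range(dims)]
    highs = [max(p[i] for p in self_data) for i in range(dims)]
    # Assumed cell width: (h_i - l_i) / f. The tiny pad keeps the maximum
    # inside the last cell, matching the half-open interval [l_i, h_i).
    widths = [((hi - lo) or 1.0) * (1 + 1e-9) / f for lo, hi in zip(lows, highs)]

    # Stage 1: grid division. Only non-empty cells are stored; every other
    # cell is empty and is treated as a mature detector at detection time.
    cells = defaultdict(list)
    for p in self_data:
        cells[cell_of(p, lows, widths)].append(p)

    # Stage 3: candidate generation inside each non-empty cell.
    rng = random.Random(seed)
    detectors = {}
    m = t = 0  # repetition counter and mature detector counter (S401)
    for cell, members in cells.items():
        found = []
        for _ in range(attempts_per_cell):  # assumption: fixed budget
            a = tuple(lo + (c + rng.random()) * w
                      for c, lo, w in zip(cell, lows, widths))
            if any(math.dist(a, ctr) <= rad for ctr, rad in found):
                m += 1          # already covered by a mature detector (S402)
                continue
            # Only self samples in the same cell are compared, as the page
            # describes; self samples just across a cell border are ignored.
            d = min(math.dist(a, s) for s in members)
            if d > r_self:      # outside every self radius (S403)
                found.append((a, d - r_self))
                t += 1
        detectors[cell] = found
    return {"lows": lows, "widths": widths, "cells": dict(cells),
            "detectors": detectors, "repeats": m, "mature": t}


def is_nonself(model, x):
    """Detection: True when x is matched by any detector."""
    cell = cell_of(x, model["lows"], model["widths"])
    if cell not in model["cells"]:
        # Stage 2: empty grid object. Points outside the training range also
        # land here, since their cell index is not a non-empty cell.
        return True
    return any(math.dist(x, ctr) <= rad for ctr, rad in model["detectors"][cell])


if __name__ == "__main__":
    model = train(SELF_SAMPLES, f=4, r_self=0.015)
    print(len(model["cells"]), "non-empty cells,", model["mature"], "detectors")
    print("(0.2, 0.8) flagged:", is_nonself(model, (0.2, 0.8)))
```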
The flow of the negative selection algorithm based on grid division is shown in FIG. 4:
Step 8, experiment and analysis
The main purpose of the experiment is to verify whether the negative selection algorithm has the defects described in the first section when applied to intrusion detection, and whether the negative selection algorithm based on grid division specifically addresses those defects. To make the experimental results more accurate, the average of 20 experimental results was taken; the running time and the detection rate on the three test sets are shown in the following table:
As can be seen from the experimental results, the GP-RNSA according to the present invention has a significantly better running time than V-Detector and SDS-RNSA on the three test sets. Meanwhile, the improved negative selection algorithm provided by the invention has a detection rate similar to that of SDS-RNSA but clearly higher than that of V-Detector. This is because, after grid division, the training set data are mostly concentrated in a few grid objects. When generating detectors, the algorithm takes the empty grid objects directly as detectors and then generates detectors in the non-empty grid objects using the traditional algorithm; because a detector generated in a grid object only needs to be compared with the data in the same grid object, the algorithm can generate a large number of detectors in a short time with better effect. Experimental results show that the improved clone selection algorithm provided by the invention, as a new method for solving intrusion detection, has high efficiency and a high detection rate.
The foregoing describes preferred embodiments of the invention and is not intended to limit the invention to the precise form disclosed; any modifications, equivalents and alternatives falling within the spirit and scope of the invention are intended to be included within the scope of the invention.

Claims (3)

1. An intrusion detection method based on a negative selection algorithm is characterized by comprising the following steps:
performing grid division on the feature space where the training set data are located to obtain a non-empty grid object set and an empty grid object set; the training set data only comprises autologous data;
constructing a detector set with an initial value of a null value, taking a region represented by a null grid object as a non-self region, taking a range represented by the non-self region as a mature detector, and adding the mature detector into the detector set;
generating a detector in each non-empty grid object in turn by using a detector generation algorithm until the generation of the detectors in all the non-empty grid objects is completed;
intrusion detection is carried out on data to be detected by using detectors in the detector set;
the step of performing grid division on the feature space where the training set data is located to obtain a non-empty grid object set and an empty grid object set comprises the following steps:
dividing each dimension of a feature space where training set data are located into the same number of segments to form a plurality of equal-sized grid objects, and statistically dividing an empty grid object set and a non-empty grid object set;
wherein the meshing length L is determined by:
wherein, [ l ] i ,h i ) F is the number of segments divided in each dimension of the feature space for the interval range of the training set data in the ith dimension;
the method for generating the detector in each non-empty grid object by using the detector generation algorithm sequentially until the detectors in all the non-empty grid objects are generated comprises the following steps:
s401, defining a detector repetition number counter m and a mature detector number counter t;
s402, selecting one grid object in a non-empty grid set, randomly generating a candidate detector a in the range represented by the grid object, and increasing m if the detector a is in the range represented by a mature detector;
s403, calculating the distance r between the candidate detector a and the nearest self data, if the distance between the candidate detector a and the nearest self data is larger than r, increasing t to make t=t+1, otherwise eliminating a, and jumping to the step S402;
s404, when the expected coverage rate of the generation detector in the non-empty grid object is larger than or equal to the expected coverage rate p, the generation detector in the grid object is completed, whether the generation detector reaches the suspension condition is judged by the following formula,
wherein p is the desired coverage, Q and Z a Is a control parameter; q is used to determine when to empty the calculator, q=max (5/p, 5/(1-p)); z is Z a Constant, used to determine whether to continue to generate the detector;
if the converage (p, t, m) = -1, the counter is cleared, let t=m=0, and the process goes to step S402, if the converage (p, t, m) = -0, the process goes directly to step S402, if the converage (p, t, m) = 1, the algorithm reaches the desired coverage rate, and the algorithm is terminated.
2. The method according to claim 1, wherein in the mesh division, each dimension of the feature space is first mesh-divided according to an initially set division number f, and a non-empty mesh object is denoted as N G The number of non-empty mesh objects is noted as num (N G ) If num (N) G ) If the division termination condition S is met, finishing the division, otherwise, enabling f=f+1, and re-meshing the feature space until the division termination condition is met; wherein the method comprises the steps of
Where n is the number of training set data and c control parameters for controlling the grid density in each grid object.
3. An intrusion detection device based on a negative selection algorithm, comprising:
a grid division module, used for performing grid division on the feature space where the training set data are located to obtain a non-empty grid object set and an empty grid object set; the training set data comprise only autologous data;
a detector construction module, used for constructing an initially empty detector set, taking the region represented by each empty grid object as a non-self region, taking the range represented by the non-self region as a mature detector, and adding the mature detector to the detector set; and for generating detectors in each non-empty grid object in sequence by using a detector generation algorithm until detectors have been generated in all the non-empty grid objects;
a detection module, used for performing intrusion detection on the data to be detected by using the detectors in the detector set;
wherein performing grid division on the feature space where the training set data are located to obtain a non-empty grid object set and an empty grid object set comprises:
dividing each dimension of the feature space where the training set data are located into the same number of segments to form a plurality of equal-sized grid objects, and tallying the empty grid object set and the non-empty grid object set;
wherein the meshing length L is determined by:
wherein [l_i, h_i) is the interval range of the training set data in the i-th dimension, and f is the number of segments into which each dimension of the feature space is divided;
wherein generating detectors in each non-empty grid object in sequence by using the detector generation algorithm, until detectors have been generated in all the non-empty grid objects, comprises the following steps:
S401, defining a detector repetition counter m and a mature detector counter t;
S402, selecting one grid object in the non-empty grid set, randomly generating a candidate detector a within the range represented by the grid object, and increasing m if the detector a lies within the range represented by a mature detector;
S403, calculating the distance r between the candidate detector a and the nearest self data; if the distance between the candidate detector a and the nearest self data is larger than r, increasing t so that t=t+1; otherwise eliminating a and jumping to step S402;
S404, when the coverage rate of the detectors generated in the non-empty grid object is greater than or equal to the expected coverage rate p, detector generation in the grid object is completed; whether detector generation has reached the termination condition is judged by the following formula,
wherein p is the desired coverage, and Q and Z_a are control parameters; Q is used to determine when to clear the counters, Q = max(5/p, 5/(1-p)); Z_a is a constant used to determine whether to continue generating detectors;
if converage(p, t, m) = -1, the counters are cleared, letting t=m=0, and the process goes to step S402; if converage(p, t, m) = 0, the process goes directly to step S402; if converage(p, t, m) = 1, the algorithm has reached the desired coverage rate and terminates.
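The following Python sketch is an added illustration, not code from the patent: it shows the claimed grid division, the use of empty grid objects as ready-made detectors, candidate generation inside non-empty grid objects, and detection. Assumptions: the cell length is taken as (h_i - l_i)/f, a self radius `self_radius` sets each sphere detector's radius, a fixed candidate budget `tries_per_cell` stands in for the coverage-based stop test whose formula is not reproduced here, and all names and sample values are hypothetical.

```python
import itertools
import math
import random

def grid_index(x, lows, highs, f):
    """Grid cell holding x, or None when x is outside [l_i, h_i) in some dimension."""
    idx = []
    for xi, lo, hi in zip(x, lows, highs):
        if not lo <= xi < hi:
            return None
        # Assumed cell length (h_i - l_i) / f; min() guards float rounding at the top edge.
        idx.append(min(int((xi - lo) * f / (hi - lo)), f - 1))
    return tuple(idx)

def train(self_data, lows, highs, f, self_radius, tries_per_cell, seed=0):
    """Return (empty cells used directly as detectors, sphere detectors from non-empty cells)."""
    rng = random.Random(seed)
    non_empty = {grid_index(s, lows, highs, f) for s in self_data}  # self data assumed in range
    empty = set(itertools.product(range(f), repeat=len(lows))) - non_empty
    spheres = []  # (centre, radius) pairs
    for cell in sorted(non_empty):
        # Fixed candidate budget: assumed stand-in for the coverage-based stop test.
        for _ in range(tries_per_cell):
            a = tuple(lo + (c + rng.random()) * (hi - lo) / f
                      for c, lo, hi in zip(cell, lows, highs))
            if any(math.dist(a, ctr) <= r for ctr, r in spheres):
                continue  # candidate already covered by a mature detector
            d = min(math.dist(a, s) for s in self_data)
            if d > self_radius:  # keep only candidates that do not match self
                spheres.append((a, d - self_radius))
    return empty, spheres

def is_intrusion(x, empty, spheres, lows, highs, f):
    """True when x falls in an empty-cell detector or inside a sphere detector."""
    cell = grid_index(x, lows, highs, f)
    if cell is None or cell in empty:  # outside the grid counts as non-self (assumption)
        return True
    return any(math.dist(x, ctr) <= r for ctr, r in spheres)

# Constructed sample: four normal ("self") records in a 2-D unit feature space.
SELF = [(0.10, 0.10), (0.20, 0.20), (0.15, 0.22), (0.22, 0.12)]
LOWS, HIGHS, F = (0.0, 0.0), (1.0, 1.0), 4
EMPTY, SPHERES = train(SELF, LOWS, HIGHS, F, self_radius=0.02, tries_per_cell=200)
```

With this sample all self records share one cell, so 15 of the 16 cells become detectors without any random sampling, which is the saving the grid step is meant to provide.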
CN202010733504.XA 2020-07-27 2020-07-27 Intrusion detection method and device based on negative selection algorithm Active CN112052450B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010733504.XA CN112052450B (en) 2020-07-27 2020-07-27 Intrusion detection method and device based on negative selection algorithm

Publications (2)

Publication Number Publication Date
CN112052450A (en) 2020-12-08
CN112052450B (en) 2024-02-02

Family

ID=73601949

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant