CN116668151A - Network intrusion detection method and device based on improved CSA optimization SVM - Google Patents


Publication number
CN116668151A
Authority
CN
China
Prior art keywords
crow
svm
intrusion detection
model
improved
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310724832.7A
Other languages
Chinese (zh)
Inventor
陈晓
宋文辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing University of Information Science and Technology
Original Assignee
Nanjing University of Information Science and Technology

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/004 Artificial life, i.e. computing arrangements simulating life
    • G06N3/006 Artificial life, i.e. computing arrangements simulating life based on simulated virtual individual or collective life forms, e.g. social simulations or particle swarm optimisation [PSO]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols


Abstract

The invention relates to the technical field of network security and discloses a network intrusion detection method and device based on an improved CSA (crow search algorithm) optimized SVM (support vector machine). An improved adaptive synthetic sampling algorithm oversamples the small-sample classes to balance the data; the Latin hypercube, a dynamic perception probability, Lévy flight and a weight value from the entropy weight method are introduced into CSA; and the SVM parameters are optimized with ICSA to obtain an ICSA_SVM model, that is, reasonable kernel parameters and penalty factors with which to complete classification and recognition. The invention has better convergence and optimization performance, improves the classification accuracy on the intrusion detection data set and reduces the false alarm rate.

Description

Network intrusion detection method and device based on improved CSA optimization SVM
Technical Field
The invention belongs to the technical field of network security, and particularly relates to a network intrusion detection method and device based on a support vector machine optimized by an improved crow search algorithm.
Background
The internet age has brought convenience to people's lives, but malicious attacks in the network also pose a serious threat to people's information security. Network intrusion detection serves as a security defense mechanism that protects cyberspace from various vulnerabilities and threats by detecting and responding to attacks in the network. In increasingly complex network environments, traditional intrusion detection technology cannot effectively cope with massive volumes of network attacks, and yields detection results with low accuracy and a high false alarm rate. Research on intrusion detection technology that keeps the network environment secure, improves classification accuracy and reduces the false alarm rate therefore remains a current research hotspot.
At present there is relatively little research on the crow search algorithm (Crow Search Algorithm, CSA). Although the algorithm has few parameters to set, is robust, and is simple and easy to use, it also has the common defects of swarm intelligence optimization algorithms, such as low optimization precision, weak ability to escape local extrema and slow convergence, and researchers at home and abroad have made many attempts to improve CSA. The literature [Feng Aiwu, Wang Yong. Multi-mode flight crow search algorithm [J]. Computer Application Research, 2022, 39(06): 1710-1717] proposes dividing the crow population into two groups, one with strong foraging capacity and one with weak foraging capacity, with each group adopting a different flight strategy to enhance the search capability of individual crows. This improves the global search capability of CSA, but the problem of a randomly initialized population remains. The literature [Li Yanhua, Liu Sheng, Zhao Jihui. Crow search algorithm based on Lévy flight [J]. Intelligent Computer and Applications, 2018, 8(03): 21-25+32] proposes improving CSA with Lévy flight (Levy Crow Search Algorithm, LCSA): random search is replaced by Lévy flight in the position update stage, which reduces the blindness of the CSA search. LCSA was applied to the design optimization of 3 complex engineering problems, and the test results show that the algorithm has advantages in solving complex constrained optimization problems, but it does not solve the problem that CSA easily falls into local optima. The literature [Khalilpourazari S, Pasandideh S H R. Sine-cosine crow search algorithm: theory and applications [J]. Neural Computing and Applications, 2019, 32(12): 1-18] proposes an improved optimization algorithm that hybridizes CSA with the sine cosine algorithm (Sine-Cosine Crow Search Algorithm, SCCSA). The exploration and exploitation capabilities of SCCSA are significantly improved, but the convergence rate is not.
Since the concept of intrusion detection was proposed, a large number of researchers have devoted themselves to research on intrusion detection methods, continuously extending the field and promoting the further development of network security technology. The literature [Rao Xian, Dong Chunxi, Yang Shaoquan. Computer intrusion detection using a support vector machine [J]. Journal of Xidian University, 2003, (03): 353-356+373] proposes using a support vector machine (Support Vector Machine, SVM) to detect abnormal intrusions, and obtains good results.
Intrusion detection data sets are typically imbalanced, and classification performance on the minority classes is quite poor. The literature [Tang Xibo, Zhang Limin, Zhong Zhaogen. Intrusion traffic detection and recognition based on ADASYN and an improved residual network [J]. Systems Engineering and Electronics, 2022,44 (12): 3850-2022,44 ] proposes oversampling the minority class samples of NSL_KDD with the adaptive synthetic sampling (Adaptive Synthetic, ADASYN) algorithm, expanding the number of minority class samples to address the class imbalance of the intrusion detection data set, and improves the residual network model to obtain good classification results. However, the ADASYN algorithm does not take the feature information shared among minority class samples into account when generating minority samples, so the generated training set is flawed. The literature [Li Y, Xu W S, Li W, et al. Research on hybrid intrusion detection method based on the ADASYN and ID3 algorithms [J]. Mathematical Biosciences and Engineering, 2022, 19(2): 2030-2042] proposes oversampling the training set of an intrusion detection data set with the ADASYN algorithm and then classifying with an ID3-based decision tree model, obtaining higher classification accuracy and a lower false alarm rate, but again the ADASYN algorithm does not take the feature information shared among minority class samples into account when generating minority samples.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a network intrusion detection method and device based on an improved CSA optimization SVM, which have better convergence and optimizing performance, improve the classification accuracy of intrusion detection data sets and reduce false alarm rate.
In order to achieve the above purpose, the present invention provides the following technical solutions:
In a first aspect, the present invention provides a network intrusion detection method based on an improved CSA optimized SVM, in which an ICSA_SVM model is established for classifying an intrusion detection data set, including the following steps:
preprocessing an intrusion detection data set to obtain a preprocessed training set and a preprocessed test set;
performing data dimension reduction on the preprocessed training set and the preprocessed test set;
introducing the Latin hypercube, a dynamic perception probability, Lévy flight and a weight value from the entropy weight method into the crow search algorithm to obtain an improved crow search algorithm, and optimizing the parameters of the crow position update formula based on the improved crow search algorithm;
training an SVM model using the dimension-reduced training set and the crow position parameters optimized by the improved crow search algorithm, optimizing the parameters in the SVM model, and constructing an ICSA_SVM model;
applying the ICSA_SVM model to the dimension-reduced training set, and using the resulting optimal parameter combination of the SVM model to generate a trained ICSA_SVM intrusion detection model;
and classifying the dimension-reduced test set with the trained ICSA_SVM intrusion detection model to obtain a classification result.
With reference to the first aspect, further comprising performing data balancing processing on the preprocessed training set and performing dimension reduction processing on the training set data.
With reference to the first aspect, further, performing data balancing processing on the preprocessed training set includes the following steps:
Step A1: performing random undersampling on the preprocessed training set to obtain the number of majority class samples after random undersampling of the training set;
Step A2: performing KADASYN oversampling on the training set after random undersampling to obtain the total number of minority class samples.
With reference to the first aspect, further, the improved crow search algorithm includes the steps of:
step B1: generating a crow initial population by using Latin hypercube;
step B2: changing the perception probability into a dynamic value;
step B3: calculating the weight value of the crow individuals by using an entropy weight method;
Step B4: using Lévy flight in place of random search and giving different weight values to the components of each crow individual;
Step B5: obtaining the new crow position update formula from the adaptive dynamic perception probability, the weight value from the entropy weight method and the Lévy flight, namely the ICSA model.
With reference to the first aspect, further, in the D-dimensional search space, the specific steps of generating the crow initial population by using Latin hypercube are as follows:
step B11: taking the crow population number N as a sampling scale;
step B12: dividing the search space of the position variable of each crow into N equal intervals;
step B13: generating an N x D matrix, each column of the matrix being a random arrangement of [1,2, …, N ];
step B14: each row of the matrix corresponds to only one small hypercube, and then a sample is generated within the small hypercube, i.e., corresponding to the crow individuals in the crow population.
With reference to the first aspect, further, the ICSA model in step B5 is:
wherein ,is the position of the U-th crow when the t iteration is carried out, t represents the current iteration number, and t=1, 2 and … t max ;t max Is the maximum number of iterations; levy (κ) represents the lewy flight; r is (r) U ,r δ ∈[0,1]Is a uniformly distributed random value; />Is the flight length of the U-th crow when iterating for the t time; h U Is the index weight of the U-th crow; />Is the memory position of the delta-th crow when iterating for the t time; />Is the perception probability of delta-th crow when iterating for the t time; a is a scaling factor, a=0.01; kappa is a constant, kappa = 1.5; v and u both obey normal distribution, v obeys standard normal distribution, u obeys mean value 0, and variance sigma 2 Is a normal distribution of (c).
With reference to the first aspect, further, the specific steps of training the SVM model are:
may be described as { x } for E input samples q ,y q Q represents q input samples, q=1, 2, …, E, y q ∈{-1,1},x q Representing input features, y q Representing the output class, the purpose of the SVM is to find an optimal classification hyperplane, separate the different classes on the two sides furthest from the optimal hyperplane, the formula of the optimal hyperplane is expressed as w·x+b=0, where w is the weight vector and b is the bias; the hyperplane constraint formula for the SVM is as follows:
wherein ,φ(xq ) Representing the mapping;is a classification interval, which takes the minimum value to be the optimal hyperplane;
when the data in the SVM is nonlinear, a relaxation factor xi and a penalty factor C are added in the SVM to punish samples with wrong classification, and then the optimization problem is converted into the following formula:
the above formula is converted into Lagrange multiplier method expression, and the formula is as follows:
wherein , and βq 0 is equal to or greater than x q Each variable in the above formula is derived to zero, and the derived formula is converted into a solution convex quadratic programming problem by a dual theory, wherein the formula is as follows:
when the nonlinearity of the SVM maps the low-dimensional solution to the high-dimensional space, a kernel function is introduced, and the formula is as follows:
the classification expression of the SVM can be obtained as follows:
wherein sign is a classification symbol,representation->Input samples, +_> Representing the input features and d representing the kernel parameters in the SVM model.
With reference to the first aspect, further, the specific steps of constructing the icsa_svm model are:
Step C1: setting the ICSA initialization parameters, including parameter setting and population initialization, wherein the parameter setting comprises the crow population number $N$, the maximum iteration number $t_{max}$ and the flight length $fl$.
Initializing a population: initializing a crow initial population by using Latin hypercube, wherein the parameters to be optimized are a kernel parameter d and a penalty factor C in an SVM model, so that the model is a 2-dimensional search space, and (d, C) is the crow initial position, and the formula is as follows:
wherein ,the representation indicates +.>Position of crow only, ++>Indicate->Only the crow is used for making the crow,
step C2: calculating the fitness value of the initial crow population to obtain the memory position of the crow, and training an SVM model by using the memory position of the crow, wherein the formulas of the memory position and the accuracy rate of the crow are as follows;
wherein ,represents the memory position of the phi-th crow after t iterations, phi represents the phi-th crow, phi = 1,2, … …, N, and +.>accuracy represents the accuracy of intrusion detection of the present invention.
Step C3: generating a new position of the crow according to the ICSA model; determining whether the new position is feasible, if the new position is positioned in the search space, the crow flies to the new position, otherwise, the crow stays at the original position;
and calculating the fitness value of the new position of the crow again, if the fitness value of the new position of the crow is better than the optimal memory position of the new position of the crow, updating the memory position of the crow, otherwise, not updating, wherein the memory position has the following formula:
updating crow according to fitness valueThe updated formula is as follows:
wherein f (·) is the fitness function;
Step C4: if the set $t_{max}$ is reached, output the current optimal memory position of the crows as the global optimal memory position; the global optimal memory position obtained is the optimal parameter combination (d, C) of the SVM model. Otherwise, go back to step C3.
In a second aspect, the present invention provides an intrusion detection device, including:
the preprocessing module is used for carrying out numerical processing on the intrusion detection data set to obtain corresponding characteristics of the current dimension after the sample data are mapped, and further obtaining a preprocessed training set and a preprocessed testing set;
the balance processing module is used for carrying out random undersampling on the preprocessed training set and oversampling processing of an improved self-adaptive synthesis algorithm to obtain a relatively balanced training data set;
the dimension reduction processing module is used for carrying out data dimension reduction processing on the preprocessed test set and carrying out data dimension reduction processing on the training set after the balance processing;
the training module is used for inputting the dimension-reduced training set into a pre-built support vector machine model optimized by the improved crow search algorithm for training, so as to obtain an optimized and trained support vector machine model;
and the test module is used for inputting the test set subjected to the dimension reduction treatment into the optimized and trained support vector machine model for testing, and obtaining a classification detection result.
In a third aspect, the present invention provides an electronic device comprising a processor and a storage medium; the storage medium is used for storing instructions; the processor is operative to perform steps according to the intrusion detection method described above, in accordance with the stored instructions.
In a fourth aspect, the present invention proposes a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the intrusion detection method described above.
Compared with the prior art, the invention provides a network intrusion detection method and device based on an improved crow search method and an optimized support vector machine, which have the following beneficial effects:
(1) The intrusion detection method and device of the invention use a network model in which an improved crow search algorithm (Improved Crow Search Algorithm, ICSA) optimizes the SVM parameters to complete classification, and use an improved adaptive synthetic sampling algorithm (K-means Adaptive Synthetic, KADASYN) to oversample the small-sample classes and balance the data. The Latin hypercube, a dynamic perception probability, Lévy flight and a weight value from the entropy weight method are introduced into CSA, and the SVM parameters are optimized with ICSA to obtain an ICSA_SVM model, that is, reasonable kernel parameters and penalty factors with which to complete classification and recognition. ICSA has better convergence and optimization performance, and the ICSA_SVM model improves the classification accuracy on the intrusion detection data set and reduces the false alarm rate.
(2) By optimizing a support vector machine (SVM), the intrusion detection method and device improve the classification accuracy on the intrusion detection data set and reduce the false alarm rate. Although the accuracy is slightly lower (by about one or two percent) than that obtained by optimizing a relevance vector machine (RVM), the method is faster (about 30% faster) and greatly reduces computational complexity and training time.
Drawings
FIG. 1 is a flow chart of an improved crow search algorithm ICSA of the present invention;
FIG. 2 is a flowchart of an ICSA_SVM intrusion detection model according to embodiment 2 of the present invention;
FIG. 3 is a flowchart of the KADASYN_ICSA_SVM intrusion detection model according to embodiment 1 of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Example 1
As shown in fig. 1 and 3, the intrusion detection method of the present invention includes the steps of:
step 1: performing data preprocessing on the intrusion detection data set;
The invention takes the public data set NSL_KDD as experimental data. The NSL_KDD data set has 42 dimensions in total: dimensions 1-9 are the basic TCP features, dimensions 10-22 are the flow features (13 dimensions), dimensions 23-31 are the time-based flow features (9 dimensions), dimensions 31-41 are the host-based flow features (10 dimensions), and dimension 42 is the classification label. The data set is divided into five classes: Normal (normal traffic), Dos (denial of service), Probe (probe attack), R2L (remote intrusion) and U2R (privilege acquisition); the data distribution of each class is shown in Table 1.
Numerical processing of the NSL_KDD data set: the 4 character-type features in the NSL_KDD data set, namely protocol_type, service, flag and the classification label, are converted into integers. The values of protocol_type are converted into the integers 0-2, the values of service into the integers 0-69, the values of flag into the integers 0-10, and the classification labels into 0-4. The resulting 41-dimensional data features are then mapped to the range [0,1] by the following formula:
where $x_{s,max}$ is the maximum value; $x_{s,min}$ is the minimum value; $x_s'$ is the feature of the current dimension after the sample data are mapped; and $x_s$ is the feature of the current dimension of the sample data.
TABLE 1
Step 2: carrying out data balance processing on the preprocessed training set;
After mapping, the training set is subjected to random undersampling (RUS) and to oversampling with the improved adaptive synthetic algorithm (K-means Adaptive Synthetic, KADASYN), so that the number of samples in the majority classes (such as Normal and Dos) is reduced while the number of samples in the small-sample classes (such as R2L and U2R) is increased, thereby balancing the data.
Step 2.1: the mapped training set is subjected to random undersampling treatment, and the specific steps of Random Undersampling (RUS) are as follows:
step 2.1.1: the degree of imbalance of the category is calculated as follows:
where $B$ is the class imbalance; $S_{min}$ is the number of minority class samples in the training set; and $S_{max}$ is the number of majority class samples in the training set.
Step 2.1.2: random undersampling yields the number of majority class samples after the training set of the intrusion detection data set NSL_KDD is undersampled; the random undersampling rate is calculated as follows:
wherein B1 represents the class imbalance after random undersampling.
Step 2.2: the steps of KADASYN oversampling treatment (namely, generating new samples by KADASYN algorithm) are as follows:
step 2.2.1: the clustering processing is carried out on a plurality of types of samples after the random undersampling processing by using a K-means clustering algorithm (K-means clustering algorithm), and the main steps are as follows:
Step 2.2.1.1: dividing the training set into K clusters $F = \{F_1, F_2, \ldots, F_K\}$; K samples are randomly selected as the initial cluster centers $\mu = \{\mu_1, \mu_2, \ldots, \mu_K\}$;
Step 2.2.1.2: the Euclidean distance from the minority samples to the initial cluster centers is calculated, and each sample is assigned to the cluster of its closest cluster center according to the Euclidean distance, which is calculated by the following formula:
where $h(x, \mu_i)$ is the Euclidean distance from sample data $x$ to cluster center $\mu_i$; $x$ is the sample data; $\mu_i$ is the i-th cluster center, $i = 1, 2, \ldots, K$, where $K$ is the total number of clusters into which the training set is divided; $x_j$ is the j-th feature dimension of sample $x$, $j = 1, 2, \ldots, Q$, where $Q$ is the number of feature dimensions, with a value range of 1-41; and $\mu_{i,j}$ is the j-th feature dimension of $\mu_i$.
Step 2.2.1.3: according to the clusters divided by each sample, updating the clustering center, wherein the formula is as follows:
where $F_i$ represents the i-th cluster.
Step 2.2.1.4: repeat steps 2.2.1.2 and 2.2.1.3 until the positions of the cluster centers no longer change, obtaining the final cluster division $F = \{F_1, F_2, \ldots, F_K\}$ and the cluster centers $\mu = \{\mu_1, \mu_2, \ldots, \mu_K\}$.
Step 2.2.2: calculating a class imbalance B1 after random undersampling through a formula (3);
step 2.2.3: if the class unbalance B1 obtained in the step 2.2.2 is smaller than the preset maximum class unbalance, the following processing is performed:
step 2.2.3.1: calculating the number of samples to be synthesized of the samples F according to the class unbalance, wherein the formula is as follows:
$G = (S_{max} - S_{min}) \times \theta$ (6)
where $G$ is the total number of samples to synthesize; $S_{max}$ is the number of majority class samples in the training set; $S_{min}$ is the number of minority class samples in the training set; and $\theta \in (0, 1]$ specifies the balance level required after the synthetic data are generated.
Step 2.2.3.2: calculating the ratio ρ o And normalizeThe formula is as follows:
wherein Δ is the number of samples belonging to the majority class among k neighbors of the minority class samples calculated from euclidean distance; ρ o Ratio of; k represents the number of samples belonging to the majority class in k neighbors; delta o Representing the number of samples belonging to most classes in the neighborhood of the current sample calculated by Euclidean distance;representing the normalized ratio.
Step 2.2.3.3: the number of samples to be generated for each minority class of samples is calculated as follows:
where $g_o$ is the number of samples to be generated for each minority class sample.
Step 2.2.3.4: randomly select a minority sample $\mu_{zo}$ from the K neighbouring samples of the minority samples after K-means clustering, and perform random interpolation on the line connecting it and the cluster center to generate a new minority class sample, by the following formula:
$s_o = \mu_o + (\mu_{zo} - \mu_o) \times \lambda$ (10)
where $s_o$ is the newly generated minority class sample; $\mu_{zo}$ is a minority class sample randomly selected from the K neighbouring samples of the minority samples after K-means clustering; and $\lambda \in [0, 1]$ is a random number.
Step 2.2.3.5: step 2.2.3.4 is repeated to generate minority samples until the required total number of minority samples is reached; 33253 samples need to be synthesized for R2L and 33670 samples for U2R.
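The allocation in steps 2.2.3.1 to 2.2.3.5, as an added example that is not code from the patent: it implements plain ADASYN with the page's symbols (G, Δ, the normalized ratio, g_o, λ), and the K-means clustering stage and the use of a cluster center as $\mu_o$ are not reproduced. The ratio Δ_o/k, its normalization and g_o = normalized ratio × G follow the standard ADASYN definition, which is an assumption here; the function names and the sample points are constructed for illustration.

```python
import math
import random


def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest(index, points, k):
    """Indices of the k points closest to points[index], itself excluded."""
    base = points[index]
    order = sorted((i for i in range(len(points)) if i != index),
                   key=lambda i: euclidean(base, points[i]))
    return order[:k]


def synthesis_plan(minority, majority, k, theta):
    """Return (G, delta, rho_hat, g), one entry per minority sample o."""
    G = (len(majority) - len(minority)) * theta          # formula (6)
    everything = minority + majority                     # minority samples first
    delta = []
    for o in range(len(minority)):
        neighbours = nearest(o, everything, k)
        # delta_o: how many of the k neighbours belong to the majority class
        delta.append(sum(1 for i in neighbours if i >= len(minority)))
    rho = [d / k for d in delta]                         # standard ADASYN ratio
    total = sum(rho)
    if total == 0:
        # No minority sample borders the majority class: spread G evenly.
        rho_hat = [1 / len(minority)] * len(minority)
    else:
        rho_hat = [r / total for r in rho]
    # Rounding means sum(g) can differ from G by a few samples in general.
    g = [round(r * G) for r in rho_hat]
    return G, delta, rho_hat, g


def synthesize(minority, g, k, rng):
    """Generate g[o] points per minority sample by interpolation, as in (10)."""
    synthetic = []
    for o, count in enumerate(g):
        neighbours = nearest(o, minority, k)   # minority-class neighbours only
        if not neighbours:                     # a lone minority sample: skip
            continue
        for _ in range(count):
            z = minority[rng.choice(neighbours)]
            lam = rng.random()                 # lambda in [0, 1)
            synthetic.append(tuple(x + (xz - x) * lam
                                   for x, xz in zip(minority[o], z)))
    return synthetic


def constructed_sample():
    """Constructed 2-D data: four minority points in a tight group, one minority
    point surrounded by majority traffic, and 19 majority points."""
    minority = [(0.0, 0.0), (0.1, 0.0), (0.0, 0.1), (0.1, 0.1), (1.0, 1.0)]
    majority = [(0.05, 0.05), (1.1, 1.0), (1.0, 1.1), (0.9, 1.0), (1.0, 0.9)]
    majority += [(5.0 + 0.1 * i, 5.0) for i in range(14)]
    return minority, majority


if __name__ == "__main__":
    minority, majority = constructed_sample()
    G, delta, rho_hat, g = synthesis_plan(minority, majority, k=3, theta=1.0)
    print("G =", G, "delta =", delta, "g =", g)
    print(len(synthesize(minority, g, 3, random.Random(7))), "synthetic samples")
```

The minority sample that sits inside majority traffic receives the largest share of the synthetic samples, which is the behaviour that makes the method useful for rare classes such as R2L and U2R.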
The distribution of the new nsl_kdd training set and the original test set processed by the random undersampling and KADASYN hybrid algorithm is shown in table 2.
TABLE 2
Step 3: performing data dimension reduction processing;
The invention uses principal component analysis (Principal Component Analysis, PCA) to reduce the dimension of the 41-dimensional data features of the training set after KADASYN data balancing and of the test set after data preprocessing. The variance contribution rate of the features after the 22nd dimension is almost 0, so the first 22 feature components are retained, bringing the total variance contribution rate of the selected features to 99.7% and achieving the goals of reducing the feature dimension while preserving classification performance.
Step 4: an improved crow search algorithm;
Step 4.1: the crow population is initialized using a Latin hypercube. The basic idea of the Latin hypercube is stratified random sampling with equal probability. In a D-dimensional search space, a crow population of size N is generated using the Latin hypercube; the specific steps of generating the initial population are as follows:
step 4.1.1: the crow population number N is used as a sampling scale;
step 4.1.2: dividing the search space of the position variable of each crow into N equal intervals;
step 4.1.3: generating an N x D matrix, each column of the matrix being a random arrangement of [1,2, …, N ];
step 4.1.4: each row of the matrix corresponds to only one small hypercube, and then a sample is generated within the small hypercube, i.e., corresponding to the crow individuals in the crow population.
Step 4.2: the perception probability is changed into a dynamic value, and the formula is as follows:
where AP is the perception probability; AP_max and AP_min are the maximum and minimum values of AP, respectively; t is the current iteration number; t_max is the maximum number of iterations. The AP value range set by the invention is [0.01, 0.4].
Step 4.3: calculate the weight values of the entropy weight method. Assume there are n samples and J indexes (n and J are intermediate quantities: when the invention includes the data balancing step, n is the number of samples after data balancing; when it does not, n is the number of samples before data balancing; J is the feature dimension). The index weight of the J-th index z_{I,J} of the I-th sample is calculated as follows:
Step 4.3.1: calculate the information entropy e_J of the J-th index, as follows:
where p_{I,J} is the proportion of the J-th index of the I-th sample, I = 1, 2, 3.
Step 4.3.2: the information utility value is calculated according to the following calculation formula:
$Z_J = 1 - e_J$ (14)
where Z_J represents the information utility value.
Step 4.3.3: the index weight is calculated, and the calculation formula is as follows:
where H_J denotes the index weight of index z_{I,J}.
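The entropy weight calculation of step 4.3, as an added example rather than the patent's own code. Only formula (14) survives in this text, so the proportion, entropy and normalisation steps follow the standard entropy weight method as an assumption, and the sample matrix is constructed.

```python
import math


def entropy_weights(samples):
    """Return (e, Z, H) per index for an n x J matrix of non-negative values."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    n_idx = len(samples[0])
    entropy = []
    for j in range(n_idx):
        column = [row[j] for row in samples]
        if min(column) < 0:
            raise ValueError("index values must be non-negative")
        total = sum(column)
        if total == 0:
            entropy.append(1.0)     # an all-zero index carries no information
            continue
        # ASSUMPTION: p[I][J] is the sample's share of the column total.
        share = [z / total for z in column]
        # 0 * ln(0) is taken as 0, so zero shares are skipped.
        e_j = -sum(p * math.log(p) for p in share if p > 0) / math.log(n)
        entropy.append(e_j)
    # Formula (14), clamped so rounding cannot produce a negative utility.
    utility = [max(0.0, 1.0 - e) for e in entropy]
    spread = sum(utility)
    if spread == 0:
        weights = [1.0 / n_idx] * n_idx             # no index stands out
    else:
        weights = [z / spread for z in utility]     # ASSUMPTION: H = Z / sum(Z)
    return entropy, utility, weights


# Constructed matrix: 4 samples (rows), 3 indexes (columns).
SAMPLES = [
    [1.0, 1.0, 1.0],
    [1.0, 0.0, 1.0],
    [1.0, 0.0, 0.0],
    [1.0, 0.0, 0.0],
]

if __name__ == "__main__":
    e, z, h = entropy_weights(SAMPLES)
    print("entropy", e, "utility", z, "weights", h)
```

An index that is identical across all samples gets entropy 1 and therefore weight 0, while the index concentrated in one sample gets the largest weight.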
Step 4.4: crow position update strategy. The random search is replaced by the Lévy flight, and different weight values are given to the individual components of the crow; the position update formula is as follows:
where is the position of the U-th crow at the t-th iteration, U = 1, 2, …, N; t represents the current iteration number, t = 1, 2, …, t_max; t_max is the maximum number of iterations; Levy(κ) represents the Lévy flight; r_U, r_δ ∈ [0,1] are uniformly distributed random values; is the flight length of the U-th crow at the t-th iteration; H_U is the index weight of the U-th crow; is the memory position of the δ-th crow at the t-th iteration; is the perception probability of the δ-th crow at the t-th iteration, δ = 1, 2, …, N, and U ≠ δ (U is the crow acting as the chaser, δ is the crow being chased); a is a scaling factor, a = 0.01; κ is a constant, κ = 1.5; v and u both obey normal distributions: v obeys the standard normal distribution, and u obeys a normal distribution with mean 0 and variance σ². The formula of σ is as follows:
where Γ(Ω) = (Ω − 1)!; Ω is an intermediate calculation variable, and Γ(1+κ) is a constant.
Step 5: training an SVM model;
The E input samples may be described as {x_q, y_q}, where q denotes the q-th input sample, q = 1, 2, …, E, y_q ∈ {−1, 1}; x_q represents the input features and y_q represents the output class. The purpose of the SVM is to find an optimal classification hyperplane that separates the different classes onto its two sides at the greatest distance from the hyperplane. The optimal hyperplane is expressed as w·x + b = 0, where w is the weight vector and b is the bias. The hyperplane constraint formula for the SVM is as follows:
where φ(x_q) represents the mapping; is the classification interval, and the optimal hyperplane is obtained when it takes its minimum value.
When the data in the SVM are nonlinear, a slack factor ξ and a penalty factor C are added to the SVM to penalize misclassified samples, and the optimization problem is converted into the following formula:
converting the formula (21) into a Lagrangian multiplier representation, wherein the formula is as follows:
where and β_q ≥ 0 are the Lagrangian multipliers of x_q. The derivative of formula (22) with respect to each variable is set to zero, and the resulting formula is converted by duality theory into a convex quadratic programming problem, as follows:
When the SVM maps the nonlinear low-dimensional problem to a high-dimensional space, a kernel function is introduced, as follows:
the classification expression of the SVM can be obtained as follows:
where sign is the classification symbol; represents the input samples; represents the input samples of the respective spatial dimensions; represents the input features; and d represents the kernel parameter in the SVM model.
The invention selects the SVM as the classification model. Although its classification accuracy is lower than that of the relevance vector machine (RVM), the SVM is an efficient algorithm that can process high-dimensional data and is faster on large data sets: it uses only part of the samples to train the model rather than all the data, which reduces computational complexity and greatly shortens training time. The RVM usually needs more training time because of the matrix inversion it requires, and it trains very slowly on large data sets.
The selection of the kernel parameter d and the penalty factor C in the SVM is a key factor limiting the classification performance of the SVM, and reasonable selection of the parameters of (d, C) is required.
Step 6: constructing an ICSA_SVM model;
Step 6.1: set the ICSA initialization parameters, covering parameter setting and population initialization. The parameter setting comprises the crow population number N, the maximum iteration number t_max and the flight length fl.
Population initialization: the initial crow population is initialized using a Latin hypercube. The parameters to be optimized are the kernel parameter d and the penalty factor C in the SVM model, so the search space is 2-dimensional and (d, C) is the crow's initial position, as follows:
where represents the position of a crow and indicates that crow,
step 6.2: calculating the fitness value of the initial crow population to obtain the memory position of the crow, and training an SVM model by using the memory position of the crow;
where represents the memory position of the phi-th crow after t iterations, phi denotes the phi-th crow, phi = 1, 2, …, N, and accuracy represents the accuracy of intrusion detection of the present invention.
Step 6.3: generate a new position for the crow according to formula (16) and determine whether it is feasible: if the new position lies within the search space, the crow flies to the new position; otherwise, the crow stays at its original position.
The fitness value of the crow's new position is then calculated again. If it is better than that of the crow's optimal memory position, the crow's memory position is updated; otherwise it is not updated. The memory position formula is as follows:
The crow is updated according to the fitness value; the update formula is as follows:
where f (·) is the fitness function.
Step 6.4: if the set t_max is reached, output the crows' current optimal memory position as the global optimal memory position; the obtained global optimal memory position is the optimal parameter combination (d, C) of the SVM model. Otherwise, return to step 6.3.
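The search loop of steps 6.1 to 6.4, written out as an added example that is not the patent's own code. The dynamic perception probability formula and formula (16) are not reproduced in this text, so the linear decay of AP, the standard crow search move and the scaling of the Lévy step are assumptions; the entropy weight H_U is left out, and `surrogate_accuracy` with its bounds is a constructed stand-in for the SVM accuracy fitness.

```python
import math
import random

AP_MIN, AP_MAX = 0.01, 0.4    # perception probability range given on the page
KAPPA, A_SCALE = 1.5, 0.01    # Levy constant kappa and scaling factor a


def latin_hypercube(n, bounds, rng):
    """Steps 4.1.1-4.1.4: every variable gets one sample per interval."""
    columns = []
    for low, high in bounds:
        cells = list(range(n))            # N equal intervals of this variable
        rng.shuffle(cells)                # one column of the N x D matrix
        width = (high - low) / n
        columns.append([low + (c + rng.random()) * width for c in cells])
    return [list(row) for row in zip(*columns)]   # one row = one crow


def perception_probability(t, t_max):
    """ASSUMPTION: AP decays linearly from AP_MAX to AP_MIN."""
    return AP_MAX - (AP_MAX - AP_MIN) * t / t_max


def levy_sigma(kappa=KAPPA):
    """Standard deviation of u in Mantegna's Levy step."""
    top = math.gamma(1 + kappa) * math.sin(math.pi * kappa / 2)
    bottom = math.gamma((1 + kappa) / 2) * kappa * 2 ** ((kappa - 1) / 2)
    return (top / bottom) ** (1 / kappa)


def levy_step(rng, kappa=KAPPA):
    """u ~ N(0, sigma^2), v ~ N(0, 1), step = u / |v|^(1/kappa)."""
    u = rng.gauss(0.0, levy_sigma(kappa))
    v = rng.gauss(0.0, 1.0) or 1e-12      # avoid dividing by exactly zero
    return u / abs(v) ** (1 / kappa)


def in_bounds(point, bounds):
    return all(low <= x <= high for x, (low, high) in zip(point, bounds))


def surrogate_accuracy(point):
    """Constructed stand-in for SVM accuracy, peaking at d=0.5, C=10."""
    d, c = point
    return 1.0 / (1.0 + (d - 0.5) ** 2 + ((c - 10.0) / 10.0) ** 2)


def icsa_search(fitness, bounds, n=20, t_max=60, fl=2.0, seed=7):
    """Steps 6.1-6.4: return the best memorised (d, C) and its fitness."""
    rng = random.Random(seed)
    pos = latin_hypercube(n, bounds, rng)
    mem = [p[:] for p in pos]             # each crow's memory position
    mem_fit = [fitness(p) for p in mem]
    for t in range(1, t_max + 1):
        ap = perception_probability(t, t_max)
        for u in range(n):
            delta = rng.choice([k for k in range(n) if k != u])  # U != delta
            if rng.random() >= ap:
                # Chased crow unaware: move towards its memory position.
                step = rng.random() * fl
                cand = [x + step * (m - x) for x, m in zip(pos[u], mem[delta])]
            else:
                # Chased crow aware: Levy flight replaces the random move
                # (ASSUMPTION: step scaled by a and the variable's range).
                cand = [x + A_SCALE * levy_step(rng) * (high - low)
                        for x, (low, high) in zip(pos[u], bounds)]
            if not in_bounds(cand, bounds):
                continue                  # infeasible: stay where it is
            pos[u] = cand
            fit = fitness(cand)
            if fit > mem_fit[u]:          # better than what it remembers
                mem[u], mem_fit[u] = cand, fit
    best = max(range(n), key=mem_fit.__getitem__)
    return mem[best], mem_fit[best]


SEARCH_SPACE = [(0.01, 2.0), (0.1, 50.0)]     # constructed (d, C) bounds

if __name__ == "__main__":
    (d, c), acc = icsa_search(surrogate_accuracy, SEARCH_SPACE)
    print(f"best d={d:.3f} C={c:.2f} surrogate accuracy={acc:.4f}")
```

In a real run the fitness callable would train an SVM with the candidate (d, C) and return its validation accuracy, which makes every crow move one full model fit.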
Step 7: training an ICSA_SVM model;
The ICSA_SVM model is applied to the training set after preprocessing, KADASYN data balancing and dimension reduction, and the optimal parameter combination (d, C) of the SVM model is searched for to generate a trained ICSA_SVM intrusion detection model.
Step 8: intrusion detection data set classification.
The ICSA_SVM model obtained in step 7 is used to classify the intrusion detection test set after preprocessing and dimension reduction, obtaining the classification detection result.
To evaluate the performance of the ICSA, the SVM, CSA_SVM, SCCSA_SVM and ICSA_SVM intrusion detection models, all without data balancing, were compared. The performance of the different models on the intrusion detection test set is shown in Table 3. As can be seen from the table, the ICSA_RVM of the invention has the highest accuracy of 92.43%, the highest precision of 83.36%, a detection rate of 84.07%, an F1-score of 83.71% and the lowest false alarm rate of 2.24%, so the overall performance of the ICSA_RVM model is superior to that of the other models.
TABLE 3
For evaluation of the balancing method, ICSA_SVM, ADASYN_ICSA_SVM and KADASYN_ICSA_SVM were compared. The performance of the different models on the intrusion detection test set is shown in Table 4. As can be seen from Table 4, the KADASYN_ICSA_SVM yields the highest accuracy of 94.82%, a precision of 90.76%, a detection rate of 93.36%, an F1-score of 92.04% and the lowest false alarm rate of 1.48%, so the ICSA_RVM model has overall performance superior to the other models.
TABLE 4
Example 2
Example 2 differs from Example 1 in that the intrusion detection of Example 2 does not include step 2, that is, there is no data balancing of the preprocessed training set. Fig. 2 shows the flow chart of the intrusion detection method without the balancing step. Because the data are not balanced, the recognition rate of minority class samples is low when the classification model (ICSA_SVM) classifies the data, so the final classification effect of the model is not as good as with the data balancing of Example 1, but the classification accuracy is still clearly improved compared with existing intrusion detection methods.
Example 3
The invention provides an intrusion detection device, comprising:
the preprocessing module is used for carrying out numerical processing on the intrusion detection data set to obtain corresponding characteristics of the current dimension after the sample data are mapped, and further obtaining a preprocessed training set and a preprocessed testing set;
the balance processing module is used for performing random undersampling on the preprocessed training set, followed by oversampling with the improved adaptive synthetic algorithm, to obtain a relatively balanced training data set;
the dimension reduction processing module is used for carrying out data dimension reduction processing on the preprocessed test set and carrying out data dimension reduction processing on the training set after the balance processing;
the training module is used for inputting the training set after the dimension reduction processing into a pre-constructed support vector machine model optimized by the improved crow search algorithm for training, so as to obtain an optimized and trained support vector machine model;
and the test module is used for inputting the test set subjected to the dimension reduction treatment into the optimized and trained support vector machine model for testing, and obtaining a classification detection result.
Example 4
The invention provides an electronic device, which comprises a processor and a storage medium; the storage medium is used for storing instructions; the processor is operative to perform steps according to the intrusion detection method described above, in accordance with the stored instructions.
Example 5
The present invention proposes a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the intrusion detection method described above.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (10)

1. The network intrusion detection method based on the improved CSA optimization SVM is characterized by establishing an ICSA_SVM model for intrusion detection data set classification, and comprising the following steps of:
preprocessing an intrusion detection data set to obtain a preprocessed training set and a preprocessed testing set;
performing data dimension reduction processing on the preprocessed training set and the preprocessed testing set;
introducing the Latin hypercube, the dynamic perception probability, the Lévy flight and the weight value of the entropy weight method into the crow search algorithm to obtain an improved crow search algorithm, and optimizing parameters of a crow position updating formula based on the improved crow search algorithm;
training an SVM model by adopting a training set after dimension reduction treatment and parameters after the crow position optimization based on an improved crow search algorithm, optimizing parameters in the SVM model, and constructing an ICSA_SVM model;
the ICSA_SVM model is used for a training set after data dimension reduction processing, and the optimal parameter combination of the obtained SVM model is used for generating a trained ICSA_SVM intrusion detection model;
and classifying the test set subjected to the data dimension reduction processing by using the trained ICSA_SVM intrusion detection model to obtain a classification result.
2. The improved CSA-optimized SVM-based network intrusion detection method of claim 1, wherein: the method also comprises the steps of carrying out data balance processing on the preprocessed training set and then carrying out dimension reduction processing on the training set data.
3. The improved CSA-optimized SVM-based network intrusion detection method of claim 2, wherein the data balancing process for the preprocessed training set comprises the steps of:
step A1: carrying out random undersampling on the preprocessed training set to obtain the number of majority class samples after random undersampling of the training set;
step A2: performing KADASYN oversampling on the training set after the random undersampling to obtain the total number of minority class samples.
4. The improved CSA-optimized SVM-based network intrusion detection method of claim 1, wherein the improved crow search algorithm comprises the steps of:
step B1: generating a crow initial population by using Latin hypercube;
step B2: changing the perception probability into a dynamic value;
step B3: calculating the weight value of the crow individuals by using an entropy weight method;
step B4: using the Lévy flight to replace random search and giving different weight values to the crow individual components;
step B5: obtaining a new crow position updating formula from the adaptive dynamic perception probability, the weight value of the entropy weight method and the Lévy flight, namely the ICSA model.
5. The network intrusion detection method based on the improved CSA optimization SVM according to claim 4, wherein the specific steps of generating the crow initial population by using latin hypercube in the D-dimensional search space with the population number N are as follows:
step B11: taking the crow population number N as a sampling scale;
step B12: dividing the search space of the position variable of each crow into N equal intervals;
step B13: generating an N x D matrix, each column of the matrix being a random arrangement of [1,2, …, N ];
step B14: each row of the matrix corresponds to only one small hypercube, and then a sample is generated within the small hypercube, i.e., corresponding to the crow individuals in the crow population.
6. The improved CSA-optimized SVM-based network intrusion detection method of claim 4, wherein: the ICSA model in the step B5 is as follows:
where is the position of the U-th crow at the t-th iteration; t represents the current iteration number, t = 1, 2, …, t_max; t_max is the maximum number of iterations; Levy(κ) represents the Lévy flight; r_U, r_δ ∈ [0,1] are uniformly distributed random values; is the flight length of the U-th crow at the t-th iteration; H_U is the index weight of the U-th crow; is the memory position of the δ-th crow at the t-th iteration; is the perception probability of the δ-th crow at the t-th iteration; a is a scaling factor, a = 0.01; κ is a constant, κ = 1.5; v and u both obey normal distributions: v obeys the standard normal distribution, and u obeys a normal distribution with mean 0 and variance σ².
7. The improved CSA-optimized SVM-based network intrusion detection method of claim 1, wherein said training SVM model comprises the specific steps of:
the E input samples may be described as {x_q, y_q}, where q denotes the q-th input sample, q = 1, 2, …, E, y_q ∈ {−1, 1}; x_q represents the input features and y_q represents the output class; the purpose of the SVM is to find an optimal classification hyperplane that separates the different classes onto its two sides at the greatest distance from the hyperplane; the optimal hyperplane is expressed as w·x + b = 0, where w is the weight vector and b is the bias; the hyperplane constraint formula for the SVM is as follows:
where φ(x_q) represents the mapping; is the classification interval, and the optimal hyperplane is obtained when it takes its minimum value;
when the data in the SVM are nonlinear, a slack factor ξ and a penalty factor C are added to the SVM to penalize misclassified samples, and the optimization problem is converted into the following formula:
the above formula is converted into Lagrange multiplier method expression, and the formula is as follows:
where and β_q ≥ 0 are the Lagrangian multipliers of x_q; the derivative of the above formula with respect to each variable is set to zero, and the resulting formula is converted by duality theory into a convex quadratic programming problem, as follows:
when the SVM maps the nonlinear low-dimensional problem to a high-dimensional space, a kernel function is introduced, as follows:
$\mathrm{kernel}(x_q, x_\theta) = \varphi(x_q)^{T} \varphi(x_\theta)$
the classification expression of the SVM can be obtained as follows:
where sign is the classification symbol; θ denotes the θ-th input sample, θ = 1, 2, …, E, q ≠ θ; x_θ represents the input features; and d represents the kernel parameter in the SVM model.
8. The improved CSA-optimized SVM-based network intrusion detection method of claim 1, wherein the specific steps of constructing the icsa_svm model are:
step C1: setting the ICSA initialization parameters, covering parameter setting and population initialization, wherein the parameter setting comprises the crow population number N, the maximum iteration number t_max and the flight length fl.
Population initialization: the initial crow population is initialized using a Latin hypercube; the parameters to be optimized are the kernel parameter d and the penalty factor C in the SVM model, so the search space is 2-dimensional and (d, C) is the crow's initial position, as follows:
where represents the position of a crow and indicates that crow,
Step C2: calculating the fitness value of the initial crow population to obtain the memory position of the crow, and training an SVM model by using the memory position of the crow, wherein the formulas of the memory position and the accuracy rate of the crow are as follows;
where represents the memory position of the phi-th crow after t iterations, phi denotes the phi-th crow, phi = 1, 2, …, N, and accuracy represents the accuracy of intrusion detection of the present invention.
Step C3: generating a new position of the crow according to the ICSA model; determining whether the new position is feasible, if the new position is positioned in the search space, the crow flies to the new position, otherwise, the crow stays at the original position;
the fitness value of the crow's new position is then calculated again; if it is better than that of the crow's optimal memory position, the crow's memory position is updated, otherwise it is not updated; the memory position formula is as follows:
the crow is updated according to the fitness value; the update formula is as follows:
wherein f (·) is the fitness function;
step C4: if the set t_max is reached, outputting the crows' current optimal memory position as the global optimal memory position, wherein the obtained global optimal memory position is the optimal parameter combination (d, C) of the SVM model; otherwise, returning to step C3.
9. An intrusion detection device, comprising:
the preprocessing module is used for carrying out numerical processing on the intrusion detection data set to obtain corresponding characteristics of the current dimension after the sample data are mapped, and further obtaining a preprocessed training set and a preprocessed testing set;
the balance processing module is used for performing random undersampling on the preprocessed training set, followed by oversampling with the improved adaptive synthetic algorithm, to obtain a relatively balanced training data set;
the dimension reduction processing module is used for carrying out data dimension reduction processing on the preprocessed test set and carrying out data dimension reduction processing on the training set after the balance processing;
the training module is used for inputting the training set after the dimension reduction processing into a pre-constructed support vector machine model optimized by the improved crow search algorithm for training, so as to obtain an optimized and trained support vector machine model;
and the test module is used for inputting the test set subjected to the dimension reduction treatment into the optimized and trained support vector machine model for testing, and obtaining a classification detection result.
10. An electronic device, characterized in that: including a processor and a storage medium; the storage medium is used for storing instructions; the processor is operative to perform the steps of the intrusion detection method according to any one of claims 1 to 8 according to the stored instructions.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310724832.7A CN116668151A (en) 2023-06-19 2023-06-19 Network intrusion detection method and device based on improved CSA optimization SVM

Publications (1)

Publication Number Publication Date
CN116668151A true CN116668151A (en) 2023-08-29

Family

ID=87720622

Country Status (1)

Country Link
CN (1) CN116668151A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination