KR100686399B1 - Lightweight intrusion detection method through correlation based hybrid feature selection - Google Patents

Abstract

A lightweight intrusion detection method through correlation based hybrid feature selection in a computer is provided to remarkably reduce a training and testing time while keeping a stable feature detection result, a low false detection rate, and a high detection rate. Preprocessed checking data from checking data is classified into a training dataset and a testing dataset. The training dataset is classified again into a feature selection dataset processing through a hybrid feature selection process based on correlation resulted as a set of selected features, a model building dataset used for constructing an intrusion detection model using the selected feature, and a verification dataset. The intrusion detection model is verified by the verification dataset and is tested by the testing dataset. The correlation based hybrid feature selection process is sent to the modeling dataset having the reduced feature and the verification dataset having the reduced feature through an adder. The modeling dataset and the verification dataset are sent to a classification model through machine learning and verification.

Description

Lightweight Intrusion Detection Method Through Correlation Based Hybrid Feature Selection}

1 is an overall configuration diagram for explaining a lightweight intrusion detection system through the correlation-based hybrid feature selection of the present invention,

2 illustrates a gene representing a feature vector or set of selected features;

3 is a flowchart illustrating a hybrid feature selection algorithm based on the correlation of the present invention;

4 is a model construction time versus dataset index,

5 is the model testing time versus dataset index,

6 shows the detection rate versus the dataset index,

7 is the false positive rate vs. dataset index.

* Explanation of symbols for the main parts of the drawings

10: inspection data 11: preprocessed inspection data

20: training dataset 30: testing dataset

40: modeling dataset 50: validation dataset

The present invention relates to a lightweight intrusion detection method through correlation based hybrid feature selection on a computer, and more particularly, a lightweight intrusion based on a new feature selection method called hybrid feature selection based on correlation. A new method for modeling detection systems (IDS).

Existing research methods for modeling intrusion detection systems (IDS) have focused on providing new techniques for improving existing intrusion detection systems based on classification algorithms and feature selection. First, in terms of modeling an intrusion detection system, many studies have classified classification algorithms, such as clustering algorithms and artificial neural networks (ANN), hidden Markov models (HMM), support vector machines (SVM), k-means clustering, and fuzzy. Intrusion detection model has been proposed based on various kinds of soft computing research methods such as technology.

Multi-step intrusion is modeled using the Hidden Markov Model (HMM), which shows that the Hidden Markov Model outperforms classical machine learning such as decision trees and artificial neural networks. The most important disadvantage of modeling an intrusion detection system as a hidden Markov model is that it requires a large amount of computational resources.

The support vector machine (SVM) technique has been applied to the intrusion detection system, which is used for abnormal pattern detection. It shows that various kinds of support vector machines can identify normal network traffic and abnormal network traffic. At this time, the abnormal characteristics can be predicted by training a support vector machine of non-supervisor learning with normal or attacked free data. The other type uses a robust support vector machine for intrusion detection and compares it with the existing support vector machine and k-short clustering technique.

On the other hand, efforts have been made to calculate important features or feature sets to minimize the load on the detection model as well as to maximize the detection rate. Here, the term of feature selection is to select a feature that is effective to identify among the plurality of features extracted from the superficial pattern in pattern recognition. We have proposed a method for identifying important features.

The wrapper method applies a machine learning algorithm to evaluate the superiority of the feature or feature set. The wrapper method uses the classification rate of the learning algorithm as an evaluation tool and provides better performance in selecting the appropriate features. On the other hand, the filter method does not use any machine learning algorithms for feature selection, but rather training data to assess the relevance of a feature or feature set by some independent tools, such as distance tools, correlation tools, and compatibility tools. Use the basic features of

Although some feature selection techniques are used in the fields of web and data mining, and voice recognition, however, very little relevant research exists in the field of intrusion detection.

Efforts to identify and classify features based on their importance to detect specific types of attacks such as probes, Denial of Service (DoS), Remote-to-Local (R2L), and User-to-Root (U2R) It was. As the feature selection algorithm, a back selection method and a support vector machine and a neural network (NN) have been used. This proposed a rule for classifying features in stages according to feature weights in classification accuracy, training and testing rates. In addition, we proposed a feature selection method based on the genetic algorithm (GA), in addition to several PCA (Principle Component Analysis) and ICA (Independent Component Analysis) methods. It has been proposed to reduce the load on the detection system and increase the detection rate.

However, these methods still have a heavy load because of the large amount of computation required for the classification and cross-validation methods required to minimize generation errors. They sought to improve the performance of the system by merely improving the performance of the classification algorithm based on changes in parameters and initial conditions. However, this approach incurs more computation since it deals with a given feature of the related or unrelated whole. Moreover, because the feature set selected as a result of feature selection varies with the detection model, they are not more appropriate in terms of the implementation of a lightweight intrusion detection system.

As described above, in order to improve the performance of the conventional intrusion detection system, there are methods of adjusting the coefficients of the intrusion detection model and selecting the characteristics of the inspection data of the intrusion detection system. First, the former is a technology that is almost mature by optimizing its coefficients according to new detection algorithms. On the other hand, the latter is an important factor in increasing the intrusion detection rate while lowering the processing load on the inspection data of the intrusion detection system among the characteristics of the inspection data of the intrusion detection system, and much more research is needed than the former.

As a method for processing the features of the inspection data, there are a wrapper scheme and a filter scheme. The wrapper scheme erases the characteristics of a single inspection data, and at this time, how important the features are by repeating learning and testing with an intrusion detection algorithm. Although this method can be used to select a good feature when using a good intrusion detection algorithm, the time required for learning and testing these important features is long, the distinction between features is poor, and the performance of the detection algorithm is low. According to this, there is a disadvantage that it may be affected by the characteristics of the data.

Unlike the wrapper method, the filter method is a method of finding important features based on the correlation between the characteristics of the inspection data and the correlation between the characteristics of the inspection data and the type of the inspection data, regardless of the intrusion detection algorithm. This scheme is faster than the regular wrapper scheme, but has the disadvantage of reducing the intrusion detection rate because it is not related to the detection algorithm.

The hybrid feature selection method based on the correlation of the present invention, like the stable feature detection result, can significantly reduce the training time and the testing time while maintaining a high detection rate with a low false detection rate, for example, KDD (Knowledge Discovery). in Databases) 1999 Experimental results on intrusion detection datasets aim to provide a lightweight intrusion detection system through correlation-based hybrid feature selection that can demonstrate the feasibility of a methodology that enables the modeling of lightweight intrusion detection systems. The purpose is to.

The present invention for achieving the above object comprises the steps of having the pre-processed inspection data from the inspection data to be classified into a training data set and a testing data set; The training dataset is a feature selection dataset processed through a hybrid feature selection process based on a correlation resulting in a set of selected features, a model building dataset used to build an intrusion detection model using the selected feature, and validation. Further categorizing into a dataset; And wherein the intrusion detection model is verified by the verification dataset and then the intrusion detection model is tested by the testing dataset.

Another specific means of the present invention uses genetic algorithms to generate an initial population of subsets of features; Evaluate each subset based on correlation-based feature selection algorithms, choose the best subset possible, and use this feature subset to find intrusion detection rates with support vector machines and determine their detection rates. Setting best, this operation is repeated until a better subset for the next generation is not selected or the maximum generation of the genetic algorithm is reached; Like all probabilistic algorithms, the initial population of genes is randomly generated, the Merit of each gene is calculated by correlation-based feature selection, and the gene with the highest Merit θbest is the most optimal subset of features in the population. Expressing Sbest, and this subset is evaluated by the classification algorithm of the support vector machine and the resulting value is stored in θbest representing the metric of the evaluation; Genetic operators such as selection, crossover and change are performed to create a new population of genes, the most optimal gene or feature subset in each generation compared to the previous optimal subset Sbest, with the new subset being the old one If more optimal, allocate it to the most optimal subset, which subset is evaluated by the support vector machine; If the new detection rate is higher than the previous one, this value is θbest and the algorithm continues to run, and if the new detection rate is not higher than the previous one, Sbest is the optimal subset of features, and the best subset is found within the next generation. If not, or if the maximum number of generations is reached, the algorithm is terminated.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.

The present invention provides a new method for modeling a lightweight intrusion detection system (IDS) based on a new feature selection method called hybrid feature selection based on correlation. Accordingly, the hybrid feature selection method based on the correlation of the present invention can significantly reduce the training time and the testing time while maintaining a high detection rate with a low false positive rate, as in the stabilization feature selection result. For example, experimental results in the KDD 1999 intrusion detection dataset show the feasibility of a methodology that makes it possible to model lightweight intrusion detection systems.

FIG. 1 is an overall configuration diagram of a research method developed by the present invention, wherein preprocessed inspection data 11 from audit data 10 is classified into two data sets. That is, it is classified into training data set 20 and testing data set 30. Here, the inspection is a review or overhaul of the records and activities of a flexible data processing system to test the validity and validity of the level of data protection and the integrity of the data.

The training dataset 20 is further classified into three sets: feature selection dataset, model building dataset and verification dataset. The feature selection is to select features that are effective for identification among the plurality of features extracted from the target pattern in pattern recognition so as to be among them.

First, the feature selection dataset is processed through a hybrid feature selection process 25 based on the invented correlation that results in a set of selected features. This is sent through summer 27 to modeling dataset 40 with reduced features and verification dataset 50 with reduced features, respectively. Thus, the modeling dataset 40 and the verification dataset 50 are classified into a classification model 70 through machine learning and verification 52.

The model building dataset is used to build an intrusion detection model using the selected feature, and the intrusion detection model is verified by the verification dataset. The intrusion detection model is then tested by the testing dataset 30. This is sent to the testing dataset 60 with the reduced feature through the cutoff unselected feature 31. Thus, the testing dataset 60 is sent to the classification model 70 described above and divided into respective class levels 80.

The feature selection dataset in the training dataset 20 describes the correlation based feature selection and the correlation based hybrid feature selection, respectively.

First, the feature selection based on the correlation involves a conventional filter method, and finds a feature subset that is most optimally relevant in the class and does not include extra features. This method evaluates the superiority of the feature subset based on the fact that "a good subset of features contains highly correlated features in the class and they are not yet correlated".

This is a feature-class correlation and a feature-feature correlation. First, the feature-class correlation indicates how many features are correlated with the specified class. The feature-feature correlation is a correlation between two features. Equation (1), known as the Pearson correlation, provides the superiority of the feature subset, including k times of feature.

--- (1)

--- (One)

는 평균 특징 - 클래스 상관관계,

는 평균 특징 - 특징 상관 관계이다.

와

의 평가를 위하여, 특징 간의 상관관계와 특징과 클래스 간의 상관관계를 계산할 필요가 있다. 이산 클래스문제에서 상관관계를 기반으로 한 특징선택은 먼저 Fayyad와 Irani 기법을 사용하여 수치 특징을 이산화한 후, 이어 이산 특징 간의 관련성의 정도를 평가하기 위하여 대칭적인 불균형(수정된 정보이득 측정법)을 사용한다.In the above formula (1),

Mean-class correlation,

Is the mean feature-feature correlation.

Wow

In order to evaluate, it is necessary to calculate the correlation between features and the correlation between features and classes. Correlation-based feature selection in discrete class problems first discretizes numerical features using the Fayyad and Irani techniques, and then uses symmetrical imbalance (corrected information gain measurement) to evaluate the degree of relevance between discrete features. use.

--- (2)

--- (2)

In the formula (2), H (X) and H (Y) represents the entropy of the features X and Y. Because symmetrical imbalance is a symmetry measure, it is used to measure feature-feature correlations where there is no concept of class attributes. For continuous class data, the correlation between attributes is a standard linear correlation. This is a straight line when both properties involved are contiguous.

--- (3)

--- (3)

In Equation (3), X and Y are two consecutive feature variables expressed based on the deviation. Another important thing to calculate Merit in equation (1) is to generate a subset. Generating feature subsets from a given feature set is an NP-Hard problem, which is optimal to be solved by comprehensive research.

However, this is only possible for a small number of features. If the total number of features is n, there are a total of 2 ms subsets. That is, the KDD 1999 intrusion detection dataset contains 41 features in total, and there are 2.199e + 12 subsets, which is a very large number. Accordingly, there is a need for heuristic search techniques such as simulated annealing algorithms, hill climbing algorithms, optimal priority algorithms, genetic algorithms, and the like.

The genetic algorithm is a probabilistic search algorithm based on advanced ideas of natural selection and genetics. Although genetic algorithms use random search techniques, they are not random. The genetic algorithm converges towards the optimal solution by applying the appropriate function of the search. The genetic algorithm also expresses setting various global optimals by using genetic operators such as change and crossover.

Thus, the present invention uses genetic algorithms to generate feature subsets. The genetic algorithm is performed on a population of solutions and finds the optimal solution in the population solution. In order to search using the genetic algorithm, it is necessary to initialize or build a population of candidate solutions.

Each candidate solution is represented by a chromosome. This chromosome consists of one or more genetic factors. Each genetic factor expresses a characteristic. In the KDD 1999 Intrusion Detection Dataset, each instance consists of 41 features. Thus, each gene consists of 41 genes, each of which is a binary bit indicating the presence or absence of a feature in that gene. If the value of a particular gene is 1, it represents the presence of the corresponding feature in that gene or feature vector.

2 illustrates a gene representing a feature vector or set of selected features. Each gene needs to be evaluated against an evaluation function. The choice of evaluation function depends on the domain in question.

In the case of the present invention, the feature selection based on correlation serves as an evaluation function. This function evaluates each gene using the aforementioned Merit of a gene (feature set). Since genetic algorithms are based on "best survival", the putative gene (specific set) is selected through roulette wheel selection . After the selection process, genetic operators such as crossovers and changes are performed to build up the population of the best genes as the next generation.

In general, the genetic algorithm is expressed as follows.

Initialize the population.

Evaluate the initial population.

DO

Make a selection.

new Solution  For change (crossover and change operator)

Within a population Solution  Evaluate.

While   If the termination condition is not met

On the other hand, in the hybrid feature selection based on correlation, the hybrid feature selection algorithm of the present invention is a sophisticated combination of the above-described correlation based feature selection and the support vector machine. As in intrusion detection problem, we apply support vector machine which shows good performance pattern expression. The hybrid selection algorithm of the present invention is shown in FIG.

3 is a flowchart of a hybrid feature selection algorithm based on the correlation of the present invention, wherein the support vector machine is an algorithm used in the intrusion detection model as a classification algorithm. Genetic algorithms are used to generate an initial population of subsets of features (see FIG. 2). Here, 41 features are encoded using a genetic algorithm.

Each subset is then evaluated on the basis of a feature selection algorithm based on a previously defined correlation (see equations (1), (2) and (3) above). Choose the best subset, that is, 2, 3, 6, or 9 of the 41 features can be the best subset. With this subset of features, we get the intrusion detection rate with the support vector machine and set the detection rate to the best. This task is repeated until no better subset is selected for the next generation or until the maximum generation of the genetic algorithm is reached.

As mentioned above, genetic algorithms are used to generate a subset of features from a given feature set. The invented algorithm takes all features as input and outputs an optimal subset of features after being evaluated by correlation based feature selection and support vector machines. Each gene represents a feature vector. The gene is 41 genes in length, and each gene (bit) has a value of 1 or 0. Each of these values indicates whether or not the feature is included in the feature vector.

As with all probabilistic algorithms, the initial population of genes is randomly generated. Merit of each gene (see equation (1)) is calculated by correlation based feature selection. The gene with the highest Merit θbest represents the most optimal subset of features Sbest in the population. This subset is evaluated by the classification algorithm of the support vector machine, and the resulting value is stored in [theta] best representing the metric of the evaluation. Here, the intrusion detection rate is selected as a metric even though a complex measure such as a combination of a detection rate and a false detection rate or a rule-based measure can be used.

Thus, genetic operators such as selection, crossover and change are performed and a new population of genes is created. In each generation, the most optimal gene or feature subset is compared to the previous optimal subset Sbest. If the new subset is more optimal than the previous one, it is assigned the most optimal subset. This subset is then evaluated by the support vector machine.

If the new detection rate is higher than the previous one, this value becomes θbest, and the algorithm continues to run. If the new detection rate is not higher than the previous one, Sbest is the optimal subset of features. The algorithm terminates when the best subset is not found within the next generation, or when the maximum number of generations is reached.

The experiments and their results of the present invention are shown in FIG. 1 as the overall structure is described above. To demonstrate the feasibility of the present invention, several experiments are performed on the KDD 1999 intrusion detection dataset. The present invention is divided into three parts: 1) feature selection, 2) training and 3) testing. The following describes the experimental dataset, experimental environment, and experimental results.

Two class datasets-preprocessed datasets labeled with the KDD 1999 CUP-to make normal and attacked. The dataset contains a total of 494,021 instances, of which 97,278 (19.69%) are healthy and 396,743 (80.31%) are attacked. The dataset contains 24 different types of intrusions, which are broadly divided into four groups. That is, it is classified into a group of probes, denial of service attacks (DoS), U2R, and R2L. In order to keep the distribution of the dataset unchanged, we sampled 15 different datasets with 20995 instances from the original data by a uniform random distribution. Each instance of data consists of 41 properties, labeled x1, x2, x3, x4, and so on.

In the present invention, only DoS type of attack will be used, which has a very small number of instances of other types of attacks, and thus such an attack is not suitable for the experiment of the present invention.

In the experimental environment of the present invention, all experiments are performed on a Linux (Fedora core 3) machine, and the Linux machine used is composed of Intel Pentium 4, 2.0GHz, 512MB RAM, kernel version 2.6.9-1.667. We use the open source WEKA library for feature selection algorithms based on support vector machines and correlations. To implement the developed algorithm, we have a modified WEKA library of several classes, such as "weak.attributeSelection.GeneticSearch".

For feature selection, a random dataset is selected from 15 datasets, and the algorithm of the present invention is applied as described above. Ten fault class proofs are applied to obtain low generalization errors and to determine intrusion detection rates.

The optimal subset selected shows a detection rate of 99.56%. Indicators of the selected feature are x1, x6, x12, x14, x23, x24, x31, x32, x37, x40 and x41. The size of the feature vector is reduced from 43 to 12, which shows an excellent performance with a classification ratio of more than 99%.

In training and testing, we performed 15 experiments on different datasets with full and selected features. Each dataset is divided into a training set and a testing set, each containing 15740 instances and 5255 instances. 4 to 7 compare different performance indicators.

4 demonstrates that the model building time with reduced characteristics is dramatically reduced as expected because the feature selection process divided 70% of the total number of features. In addition, the testing time shown in FIG. 5 exceeds the model training time.

FIG. 4 is model construction time versus dataset index, FIG. 5 is model testing time versus dataset index, FIG. 6 is detection rate versus dataset index, and FIG. 7 is false positive rate versus dataset index.

For the selected feature, even if the detection rate is lower than having the full feature, the reduction is very small, which is in the range of 0.83% on average (see FIG. 6).

However, significant performance is obtained due to a reduction in false positive rate, with an average of 37.5% (see FIG. 7). For all the above experiments, WEKA uses a polynomial kernel with an index of 1 and c = 1, which is the default value for the support vector machine classifier. No measurements were used to optimize the kernel, and determining the support vector machine parameters as the primary objective in the present invention is how computational selection is made while feature selection maintains detection and false detection rates within an area that can be overcome. Is to investigate whether

The enhancement of the optimization between detection rate and false detection rate and detection rate can be further improved by parameters that execute and apply better kernel functions and improve the classification algorithm. However, feature selection increases this optimization.

Although the technical concept of the light intrusion detection system through the correlation-based hybrid feature selection of the present invention has been described based on the exemplary drawings, this is illustrative of the best embodiments of the present invention and the claims of the present invention. It is not limited. It will be apparent to those skilled in the art that various modifications and imitations can be made without departing from the scope of the technical idea of the present invention.

As described above, the present invention provides a new method for modeling a lightweight intrusion detection system through a hybrid feature selection based on correlation. The present invention shows that the training time and testing time are reduced in orders of magnitude instead of excluding the reduction in detection rate. It also shows uniformity of detection rate and false positive rate between different datasets. Rapid training and testing helps to build a lightweight intrusion detection system, as well as providing ease of maintenance or modification of the model provided.

In the future, as well as characterizing the types of attacks such as DoS, probes, U2R, and R2L, we will explore the possibilities of implementing the technique under real-time intrusion detection environments, increasing the capabilities and capabilities of intrusion detection systems.

Claims (9)

The preprocessed inspection data from the inspection data is arranged to be classified into a training data set and a testing data set; The training dataset is a feature selection dataset processed through a hybrid feature selection process based on a correlation resulting in a set of selected features, a model building dataset used to build an intrusion detection model using the selected feature, and validation. Further categorizing into a dataset; Wherein said intrusion detection model is verified by a validation dataset and thereafter said intrusion detection model is tested by a testing dataset. The method of claim 1, The correlation-based hybrid feature selection process is sent through a summer to a modeling dataset with reduced features and a validation dataset with reduced features, respectively, wherein the modeling dataset and the validation dataset are machine learning and validation. Lightweight intrusion detection method through correlation based hybrid feature selection on a computer characterized in that it was sent to the classification model through. The method of claim 1, The testing dataset is sent to a testing dataset with reduced features through a cutoff non-selected feature, which is then sent to a classification model and divided into respective class levels. Lightweight intrusion detection method through hybrid feature selection. The method according to claim 1 or 2, The hybrid feature selection algorithm is a lightweight intrusion detection method through the correlation-based hybrid feature selection on the computer, characterized in that the combination of the correlation-based feature selection and the support vector machine. Generate an initial population of subsets of features using genetic algorithms; Evaluate each subset based on correlation-based feature selection algorithms, choose the best subset possible, and use this feature subset to find intrusion detection rates with support vector machines and determine their detection rates. Setting best, this operation is repeated until a better subset for the next generation is not selected or the maximum generation of the genetic algorithm is reached; Like all probabilistic algorithms, the initial population of genes is randomly generated, the Merit of each gene is calculated by correlation-based feature selection, and the gene with the highest Merit θbest is the most optimal subset of features in the population. Expressing Sbest, and this subset is evaluated by the classification algorithm of the support vector machine and the resulting value is stored in θbest representing the metric of the evaluation; Genetic operators such as selection, crossover and change are performed to create a new population of genes, the most optimal gene or feature subset in each generation compared to the previous optimal subset Sbest, with the new subset being the old one If more optimal, allocate it to the most optimal subset, which subset is evaluated by the support vector machine; If the new detection rate is higher than the previous one, this value is θbest and the algorithm continues to run, and if the new detection rate is not higher than the previous one, Sbest is the optimal subset of features, and the best subset is found within the next generation. Lightweight intrusion detection method through correlation-based hybrid feature selection on a computer, characterized in that the algorithm is terminated when it is not supported or when the maximum number of generations is reached. The method of claim 5, Lightweight intrusion detection method through correlation based hybrid feature selection on a computer, characterized in that for encoding 41 features using the genetic algorithm. The method according to claim 5 or 6, The genetic algorithm is used to generate a subset of features from a given feature set, which takes all the features as input and is evaluated by the correlation-based feature selection and support vector machine and then the optimal subset of features. Lightweight intrusion detection method through correlation based hybrid feature selection on a computer, characterized in that the output set. The method of claim 7, wherein Each gene expresses a feature vector, the gene has a length of 41 genes, and each gene has a value of 1 or 0, and each value includes or does not include the feature in the feature vector. Lightweight intrusion detection method through correlation-based hybrid feature selection on a computer, characterized in that whether or not. The method of claim 5, Lightweight intrusion detection method through correlation based hybrid feature selection on a computer, characterized in that the intrusion detection rate is selected as a metric even though a complex measure such as a combination of the detection rate and the false detection rate or a rule-based measure can be used.

Images