Documente Academic
Documente Profesional
Documente Cultură
Intrusion Detection
Qinglei Zhang , Gongzhu Hu , Wenying Feng
1. Introduction
As network technology, particularly wireless technology, advances rapidly in recent years, making network secure has become extremely critical more than
ever before. While a number of effective techniques
exist for the prevention of attacks, it has been approved
over and over again that attacks and intrusions will
persist and always be there. Although intrusion prevention is still important, another aspect of network
security, intrusion detection [11], [17], is just as important. With trenchant intrusion detection techniques,
network systems can make themselves less vulnerable
by detecting the attacks and intrusions effectively so
w 1
w 1
2
H
1
1
Figure 1. Decision boundaries of two linearlyseparable classes.
for = 1,
for = 1.
w2 /2
(wx ) 1 for all 1 .
( , )
( ) =
1
()
Storage: Disk
all point index: integer list
classfier index: integer
SVM classifier: array of real
ACO classifier: array of real
init() : void
classify() : void
....
classify:
SVM classifying
ACO classifying
Cache1
Lagrange point
ponit no: integer
target value: -1 or 1
Lagrange multiplier: real
SVM training
optimize:
Examine the KTT conditions;
find out the second point
for joint optimization;
optimize the two multipliers.
AC clustering
Neighborhood
neightbor #: integer
neighbors index: integer array
swarm similarity: real
Normal
97277
DoS
391458
U2R
52
R2L
1126
Probe
4107
Total
494021
Confidence Interval
1 3
2 3
(2.07, 2.44)
(3.31, 19.65)
(-6.38, 10.07)
(2.27, 2.85)
(-0.16, 0,42)
(19.43, 23.77)
(-2.11, 2,23)
Measure
SVM
ACO
4.231
5.645
3.388
66.702
80.100
78.180
5.536
2.846
2.776
21.900
0.360
0.300
CSVAC
false positive
false negative
80
60
40
20
SVM
ACO
CSVAC
Algorithm
CSVAC
KDD99 Winner
94.86
95.30
6.01
4.25
1.00
3.00
The comparison results indicate that the new algorithm is comparable to the KDD winner in terms of
average detection rate as well as false positive rate
and even better than the KDD winner in term of false
negative.
5. Conclusion
Machine learning techniques, both supervised and
unsupervised, are ideal tools for network intrusion
detection. In this paper, we have discussed several
primary learning approaches, particularly the Support
Vector Machine (SVM) and Ant Colony Optimization
(ACO), for intrusion detection, and presented a new
method (CSVAC) that combines SVM and ACO to
achieve better performance for faster training time by
reducing the training data set while allowing dynamically added training data points.
The experimental results indicated that CSVAC performs better than pure SVM in terms of higher average
detection rate and lower rates of both false negative and
false positive; and it is better than pure ACO in terms
of less training time with comparable detection rate
and false alarm rates. The performance of the CSVAC
algorithm on the experimental data is also comparable
to the KDD99 winner.
Differing from other commonly used classification
approaches (such as decision tree, nearest-neighbor,
etc.), there is no need for classifier re-training in
the proposed CSVAC algorithm for new training data
arriving to the system.
We are currently conducting more tests on the
algorithm, and working on other machine learning
methods, such as neural networks, that can be added
to the system as new modules.
References
[1] Alan Bivens, Mark Embrechts, Chandrika Palagiri,
Rasheda Smith, and Boleslaw Szymanski. Networkbased intrusion detection using neural networks. In
Proceedings of the Artificial Neural Networks In
Engineering, pages 1013. ASME Press, 2002.
All in-text references underlined in blue are linked to publications on ResearchGate, letting you access and read them immediately.