Research Of Support Vector Machine And Its Application In Intrusion Detection

Posted on: 2008-11-06
Degree: Master
Type: Thesis
Country: China
Candidate: H F Lin
Full Text: PDF
GTID: 2178360215984005
Subject: Computer application technology
Abstract/Summary:
Support Vector Machines (SVM) are a novel machine learning algorithm introduced in the 1990s and based on statistical learning theory. SVM pays more attention to the information provided by the samples. To solve a complicated task, its key method is to map vectors from the input space to a feature space. As an implementation of structural risk minimization, SVM has the advantages of global optimization, simple structure and high practicability.

Intrusion detection is by nature a pattern recognition problem. Using SVM to build the intrusion detection model can not only solve the problem of poor generalization resulting from the lack of all kinds of data, but also increase the detection rate and decrease false positives and false negatives, thereby improving the practicability of intrusion detection systems. In this paper, the theories of SVM and IDS are studied in depth, and on that basis the following work is done:

1. When applied to online detection, SVM needs to train very quickly. One way to increase training speed is to use a sampling algorithm. In this part, we introduce current research on this topic and put forward a sampling algorithm for SVM based on an opposite boundary model. Experiments show that after adding this sampling algorithm to LIBSVM, it becomes much faster and needs less space than before, while keeping its previous high accuracy.
2. Because intrusion data is very large and grows every day, this paper proposes an incremental learning method based on the opposite boundary model and space division, and discusses this method in detail.
3. In this part, we study the important parts of the algorithm, SVMLight and SMO, because LIBSVM draws on them.
4. First, we study intrusions and how they are represented, and then analyze the KDDCUP99 intrusion data in detail. After that, we convert the KDDCUP99 data into the format that LIBSVM supports, and run several kinds of experiments on this intrusion data using the improved LIBSVM. Compared with LIBSVM and others, the improved LIBSVM shows not only good time and space efficiency, but also high detection rates.
Keywords/Search Tags: support vector machines, intrusion detection, increment learning
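The format conversion mentioned in item 4 of the abstract, as an added example that is not code from the thesis: it turns KDDCUP99 connection records into LIBSVM's sparse `label index:value` lines. The one-hot encoding of the three symbolic fields, the binary +1/-1 labelling, the class name `KddToLibsvm` and the sample records are assumptions made for illustration.

```python
# Constructed records in the KDD Cup 99 layout: 41 features, then the label.
SAMPLE = [
    "0,tcp,http,SF,181,5450,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,8,"
    "0.00,0.00,0.00,0.00,1.00,0.00,0.00,9,9,1.00,0.00,0.11,0.00,"
    "0.00,0.00,0.00,0.00,normal.",
    "0,icmp,ecr_i,SF,1032,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,511,511,"
    "0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,255,1.00,0.00,1.00,0.00,"
    "0.00,0.00,0.00,0.00,smurf.",
]

CATEGORICAL = (1, 2, 3)   # 0-based columns: protocol_type, service, flag
N_FEATURES = 41
N_NUMERIC = N_FEATURES - len(CATEGORICAL)   # 38 numeric columns


class KddToLibsvm:
    """Stateful converter; one instance must serve both training and test data
    so that every (column, value) pair keeps the same feature index."""

    def __init__(self):
        self.onehot = {}   # (column, value) -> LIBSVM feature index

    def convert(self, line):
        fields = line.strip().split(",")
        if len(fields) != N_FEATURES + 1:
            raise ValueError(f"expected {N_FEATURES + 1} fields, got {len(fields)}")
        # Assumed labelling: +1 = normal traffic, -1 = any attack class.
        label = "+1" if fields[-1].rstrip(".") == "normal" else "-1"
        pairs, idx = [], 0
        for col in range(N_FEATURES):
            if col in CATEGORICAL:
                continue
            idx += 1                      # numeric columns take indices 1..38
            value = float(fields[col])
            if value != 0.0:              # sparse format: zeros are omitted
                pairs.append((idx, value))
        for col in CATEGORICAL:
            # Symbolic values get one-hot indices from 39 upward, in order seen.
            new = N_NUMERIC + len(self.onehot) + 1
            pairs.append((self.onehot.setdefault((col, fields[col]), new), 1.0))
        pairs.sort()                      # LIBSVM expects ascending indices
        return label + " " + " ".join(f"{i}:{v:g}" for i, v in pairs)


if __name__ == "__main__":
    conv = KddToLibsvm()
    for record in SAMPLE:
        print(conv.convert(record))
```

Byte counts such as `src_bytes` are left unscaled here; LIBSVM ships `svm-scale` for that step.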