
Support Vector Machine And Its Applications To Network Intrusion Detection

Posted on: 2005-11-25
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y S Jia
GTID: 1118360155464852
Subject: Traffic Information Engineering & Control
Abstract/Summary:
Support vector machine (SVM) is a new machine learning method and the result of approximately 40 years of research on statistical learning theory. Its characteristics are small training sets, good generalization, global optimization and extensive applications. It has been successfully applied to fields such as pattern recognition, signal processing and control systems. In addition, by selecting different kernel functions, SVM can be used to produce various machine learning networks such as RBF networks and FF neural networks. SVM overcomes some problems met when using other learning methods, for example local optima, complex parameters and unstable results. Due to its potential value, SVM has received much attention from many internationally known researchers, and many improved or updated SVMs, for instance adaptive SVMs, fuzzy SVMs, weighted SVMs and hyper-sphere SVMs, have been proposed.

Along with the enlargement of computer networks and the emergence of new network attack behaviours, network security has become a focus and an important part of state security. As an important technical measure to safeguard networks, intrusion detection is receiving more attention from network users and researchers. In the transportation field, IDS is also of great application value. Many information systems, such as intelligent transportation systems, ship information management systems and ship monitoring systems, are based on networks. Although the information stored in them is less secret, network security affects the reliability of these systems, and therefore affects the security of transportation by these vehicles.

Intrusion detection is in nature a problem of pattern recognition. Using SVMs to build the intrusion detection model can not only solve the problem of poor generalization resulting from the lack of all kinds of data, but also increase the detection rate and decrease the false positives and false negatives, and so improve the practicability of intrusion detection systems.

In this paper, the theory of SVM is studied, the performance of some SVM algorithms is analyzed, and the limitations of SVMs are pointed out. Moreover, the theory of intrusion detection is researched. According to the properties of intrusion detection and SVMs, a compound parallel model is proposed.

The innovative contributions of this paper are:

(1) Two weighted SVMs are proposed to solve the bias problems of C-SVM and v-SVM. When trained on two classes of uneven size, C-SVM and v-SVM are biased toward the larger class; that is to say, the smaller class has more errors than the larger class. This problem prevents SVMs from being applied to more applications. In many applications, such as fault diagnosis and intrusion detection, the sizes of the classes are different. For these applications, the classification precision of the smaller classes is always more important than that of the larger classes. Therefore, conventional SVM algorithms are not the most suitable for this kind of application, and new SVM algorithms are required.

(2) A new v-SVM is proposed to solve the bias problem of v-SVM and the limitations of its updated algorithms. Although some related algorithms have been proposed, there are some problems in them. The primary problems are that the objective function is not intuitive, the parameter v loses its initial meaning, and the meaning of the new parameters is not clear. The new algorithm uses two parameters v+i and v.i to replace the parameter v in v-SVM. v+i and v.i can not only be used to adjust the error rates of the positive class and the negative class respectively, but also keep the initial meaning of v in v-SVM.

(3) An auto-weighted support vector machine is proposed to solve the problem that SVMs probably produce multi-duplicate support vectors if there are multi-duplicate samples in the training sets. This SVM uses a weight factor to stand for the duplication times of each training sample. Theoretical and experimental results show that the auto-weighted SVM requires less time for training than other SVMs if the training set contains multi-duplicate samples, and requires less time for decision if other SVMs produce multi-duplicate support vectors.

(4) A compound parallel intrusion detection model is proposed according to the characteristics of SVMs. In this model, various kinds of SVMs construct a parallel structure, and each SVM can be trained independently and simultaneously. All SVMs detect the new data simultaneously in terms of the models produced by the training phase. The final decision is made by synthesizing the results of all SVMs.
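The idea in contribution (3), as an added example that is not code from the dissertation: a linear soft-margin SVM trained by full-batch subgradient descent is assumed here as a stand-in, because the abstract does not give the auto-weighted formulation. The traffic records and all function names are constructed for the illustration; it shows that weighting each unique sample by its duplication count reproduces the model trained on the full duplicated set while each training pass touches far fewer samples.

```python
from collections import Counter

# Constructed sample: (feature vector, label); +1 = attack, -1 = normal.
# Feature values are made up; heavy duplication mimics repetitive traffic.
RAW = ([((0.1, 0.2), -1)] * 40 + [((0.2, 0.1), -1)] * 30 +
       [((0.9, 0.8), 1)] * 5 + [((0.8, 0.9), 1)] * 3)

def collapse_duplicates(samples):
    """Merge identical samples; the weight is the duplication count."""
    counts = Counter(samples)
    unique = list(counts)
    return unique, [float(counts[s]) for s in unique]

def score(model, x):
    w, b = model
    return sum(wi * xi for wi, xi in zip(w, x)) + b

def train(samples, weights, C=1.0, lr=0.001, epochs=2000):
    """Full-batch subgradient descent on the weighted primal objective
    0.5*|w|^2 + C * sum_i s_i * max(0, 1 - y_i * (w.x_i + b))."""
    dim = len(samples[0][0])
    w, b = [0.0] * dim, 0.0
    for _ in range(epochs):
        gw, gb = list(w), 0.0             # gradient of the 0.5*|w|^2 term
        for (x, y), s in zip(samples, weights):
            if y * score((w, b), x) < 1:  # margin violated: hinge is active
                gw = [g - C * s * y * xi for g, xi in zip(gw, x)]
                gb -= C * s * y
        w = [wi - lr * g for wi, g in zip(w, gw)]
        b -= lr * gb
    return w, b

def predict(model, x):
    return 1 if score(model, x) >= 0 else -1

def demo():
    plain = train(RAW, [1.0] * len(RAW))        # every duplicate visited
    unique, weights = collapse_duplicates(RAW)  # one weighted row per sample
    auto = train(unique, weights)
    gap = max(abs(p - a) for p, a in zip(plain[0] + [plain[1]],
                                         auto[0] + [auto[1]]))
    return len(RAW), len(unique), gap, plain, auto

if __name__ == "__main__":
    print(demo())
```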
Keywords/Search Tags:Support Vector Machines, Classification Algorithms, Weight, Network Security, Intrusion Detection