
Research On Intrusion Detection Based On Machine Learning

Posted on: 2006-07-30
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y R Zhang
Full Text: PDF
GTID: 1118360185463760
Subject: Information and Communication Engineering

Abstract/Summary:
Intrusion detection, one of the core technologies of dynamic security systems (P2DRR), plays a central role in a network's defense-in-depth hierarchy: it is the key to the shift from static defense to dynamic defense, and a powerful means of enforcing security policy. As network attack techniques grow more sophisticated, diverse and automated, traditional intrusion detection systems (IDS) can no longer meet security needs. To withstand today's increasingly frequent compound network attacks and distributed, multi-target, multi-stage hacker activity, to improve detection efficiency on high-bandwidth, large-scale networks, and to reduce the false negative rate and shorten detection time, incorporating advanced machine learning techniques into IDS has become a widely accepted approach.

The dissertation applies several active machine learning strategies to intrusion detection and systematically studies signal analysis techniques for intrusion detection based on statistical learning theory (SLT), symbolic inductive learning theory and genetic learning methods. It also compares and evaluates the performance of intrusion detection techniques built on these different machine learning strategies, using computational learning theory and statistical hypothesis testing.

In terms of statistical learning theory, intrusion detection is treated as a pattern recognition problem: normal behavior and anomalies are distinguished on the basis of observed data such as network flows and host audit records. When the training sample set is unlabelled and unbalanced, attack detection is treated as outlier detection, or density estimation of the samples, and a hypersphere one-class SVM can be used to solve it.

When the training sample set is labelled but unbalanced, so that the minority class suffers a much higher classification error rate, a weighted SVM algorithm, the dual ν-SVM, is introduced for anomaly detection. The dissertation further extends the binary SVM algorithm to a multiclass SVM and reports the corresponding performance comparison experiment.

Symbolic inductive learning theory also applies to intrusion detection; its fundamental idea is to treat intrusion detection as a problem of knowledge representation and rule extraction. Rough set theory, founded on indiscernibility relations, is the common theoretical basis of this kind of machine learning. The dissertation explores approaches to modeling normal process behavior on the basis of rough-set knowledge representation and rule acquisition. In addition, a hybrid anomaly detection algorithm combining rough-set reduction with SVM classification is proposed: the data dimension is first reduced by attribute reduction, and the reduced, normalized data are then processed by the binary ν-SVM algorithm. The algorithm substantially shortens detection time without loss of detection precision, making it better suited to real-time intrusion detection.

Another view of intrusion detection regards machine learning as a search process: intrusion detection is in essence the problem of searching for, or approximating, intrusion rules according to an established search strategy. After some concerned...
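The rough-set step of the hybrid algorithm, as an added example that is not part of the dissertation: indiscernibility classes, positive region and dependency degree computed on a decision table of audit records, a greedy attribute reduct, and rule extraction from the reduced table. The attribute names, values and nine records are constructed for illustration; the SVM stage that the dissertation applies to the reduced data is not included.

```python
# Rough-set attribute reduction and rule extraction on a constructed
# audit-record decision table (example code, not the dissertation's own).
from collections import defaultdict

CONDITION_ATTRS = ["proto", "service", "failed_logins", "duration"]
DECISION_ATTR = "label"

# Constructed sample: each object is one audit record. The label follows
# "failed_logins > 0, or ftp with a long duration" so that 'proto' is redundant.
RECORDS = [
    {"proto": "tcp", "service": "http", "failed_logins": 0, "duration": "short", "label": "normal"},
    {"proto": "tcp", "service": "http", "failed_logins": 0, "duration": "long",  "label": "normal"},
    {"proto": "udp", "service": "dns",  "failed_logins": 0, "duration": "short", "label": "normal"},
    {"proto": "tcp", "service": "ssh",  "failed_logins": 3, "duration": "short", "label": "anomaly"},
    {"proto": "tcp", "service": "ssh",  "failed_logins": 0, "duration": "long",  "label": "normal"},
    {"proto": "tcp", "service": "ftp",  "failed_logins": 4, "duration": "short", "label": "anomaly"},
    {"proto": "udp", "service": "dns",  "failed_logins": 0, "duration": "long",  "label": "normal"},
    {"proto": "tcp", "service": "ftp",  "failed_logins": 0, "duration": "long",  "label": "anomaly"},
    {"proto": "tcp", "service": "ftp",  "failed_logins": 0, "duration": "short", "label": "normal"},
]


def partition(records, attrs):
    """Indiscernibility relation: group object indices by their values on attrs."""
    classes = defaultdict(list)
    for i, rec in enumerate(records):
        classes[tuple(rec[a] for a in attrs)].append(i)
    return classes


def positive_region(records, attrs):
    """Objects whose equivalence class under attrs carries a single label,
    i.e. the union of the lower approximations of every decision class."""
    pos = set()
    for members in partition(records, attrs).values():
        labels = {records[i][DECISION_ATTR] for i in members}
        if len(labels) == 1:
            pos.update(members)
    return pos


def dependency_degree(records, attrs):
    """gamma(attrs -> decision) = |POS_attrs(decision)| / |U|."""
    return len(positive_region(records, attrs)) / len(records)


def greedy_reduct(records, attrs):
    """Backward elimination: drop an attribute whenever the dependency degree
    is unchanged without it. Returns one reduct, in the original attribute order."""
    target = dependency_degree(records, attrs)
    reduct = list(attrs)
    for a in attrs:
        trial = [x for x in reduct if x != a]
        if trial and abs(dependency_degree(records, trial) - target) < 1e-12:
            reduct = trial
    return reduct


def extract_rules(records, attrs):
    """Every label-homogeneous equivalence class of the reduced table becomes
    one decision rule: (values on attrs) -> label."""
    rules = {}
    for values, members in partition(records, attrs).items():
        labels = {records[i][DECISION_ATTR] for i in members}
        if len(labels) == 1:
            rules[values] = labels.pop()
    return rules


def classify(rules, attrs, record):
    """Apply the rules to a new record; None means no rule covers it."""
    return rules.get(tuple(record[a] for a in attrs))


if __name__ == "__main__":
    print("gamma(all attributes) =", dependency_degree(RECORDS, CONDITION_ATTRS))
    reduct = greedy_reduct(RECORDS, CONDITION_ATTRS)
    print("reduct =", reduct)
    rules = extract_rules(RECORDS, reduct)
    for values, label in rules.items():
        print("  ", dict(zip(reduct, values)), "->", label)
    new = {"proto": "udp", "service": "ftp", "failed_logins": 0, "duration": "long"}
    print("new record ->", classify(rules, reduct, new))
```

Backward elimination yields a single reduct that depends on the attribute order; the full set of reducts needs a discernibility-matrix search, which is not shown here. Records that fall outside the positive region of the reduct are exactly those the rule set cannot classify, so `None` from `classify` marks a record the reduced knowledge base has no evidence about rather than a "normal" verdict.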
Keywords/Search Tags: Intrusion detection, Machine learning, Attack graph modeling, Statistical Learning Theory (SLT), Vapnik-Chervonenkis (VC) dimension, Multiclass support vector machine (SVM), nu-SVM algorithm, One-class SVM of hypersphere, Dual nu-SVM algorithm, Rough set