
Research Of ANN Integrated Learning Methods In Intrusion Detection

Posted on: 2011-01-16
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Wu
Full Text: PDF
GTID: 1118360305953650
Subject: Computer system architecture
Abstract/Summary:
Faced with large-scale network intrusion detection and a growing variety of intrusion methods, a single-machine intrusion detection system can no longer meet the detection requirements in terms of computing speed and rule storage. Modular neural networks, which decompose the task for learning, offer an efficient solution to this problem. Different segmentation methods, however, limit its application, because they produce varying learning effects. The diversity of attack and normal data flows means that intrusion detection must use random segmentation, or segmentation under simple rules, to conduct distributed learning, yet the learning result must not be affected by it. This research analyzed the characteristics of network data and the related intelligent learning algorithms and, building on research into network traffic monitoring, network data learning, data integration and related topics, proposed a new learning method that greatly reduces the dependence of learning on sample segmentation and can complete task decomposition and integration learning. To support the integrated learning, we also studied the problem of neural network structure optimization, enhancing generalization ability by pruning useless neurons and further improving the learning effect. Based on network security related monitoring and detection content, we proposed a network performance scoring model that can supervise the effect of the learning algorithm from a quantitative point of view, reflecting the anti-intrusion and survival ability of the network. The detailed content is as follows:

(1) Establish a dynamic network traffic flow monitoring system based on an ARIMA model. Network traffic flow is bursty and periodic, yet many modeling methods model it as a stationary flow. We first smoothed the traffic flow and extracted the noise information. A model was then established based on ARIMA, and at the same time a dynamic monitoring system based on that model was built which can predict the traffic properties of the coming hours. Traffic flow was monitored according to its characteristics so that unusual traffic flow could be alerted. To some extent, this method avoids the high false alarm rate caused by setting a single threshold.

(2) Propose an incremental learning method for multi-classification SVM. Advances in the high-dimensional learning of SVM can solve the incremental learning problem for large-scale network intrusion detection data. SVM learning samples are convex quadratic after transformation by a kernel function. What is commonly used in model recognition are the samples closest to the heterogeneous samples, which ensures full partition between the samples and yields the optimal hyperplane that maximizes the distance between the two sample types. Our method uses the separable property of the samples after the kernel transformation and retains the edge data of each cluster as SVs, which is, to a certain extent, equivalent to keeping a shell of the cluster with a certain thickness. These shells retain enough SV data for the hyperplane calculation within each model and can significantly reduce the growth in data storage that occurs when the traditional KKT rule is used for incremental learning. Meanwhile, the shell data are chosen by the Euclidean distance method, which has a lower computational cost and is easier to implement. Results showed that this method retains enough effective SVs, improves the speed and accuracy of SVM incremental learning, reduces data storage space, and is better suited to multi-classification SVM incremental learning.

(3) Propose an integrated learning method based on FCM clustering. Large-scale network intrusion detection basically requires a comprehensive detection system that integrates the learning results of each module. Although SVM achieves a good learning effect, it also depends on the sample splitting method. SOM neural network learning benefits from competition: each winning neuron represents a sample model. Its self-organizing clustering property can further weaken the sample dependence of module learning. With the introduction of Hebb learning, the output differences between winning neurons widen. The properties of the winning neurons are therefore used for further fuzzy clustering by FCM during integration, through which each module is integrated, giving a modular neural network learning algorithm that uses SOM as the basic learning method and FCM as the integration method. From the primary learning of samples to the further integration learning, sample dependence is avoided. Meanwhile, while maintaining the high accuracy of SOM, the introduction of FCM can greatly reduce the number of learning iterations and improve learning efficiency. Results showed that in a distributed intrusion detection system this method has a better detection rate and a low false alarm rate.

(4) Propose a Kalman filter-based neural network pruning algorithm. To solve the over-fitting, and the resulting decline in neural network learning effect, that commonly occur, we proposed a Kalman filter-based pruning algorithm. The main idea comes from the classic neural network pruning algorithm OBD, which prunes and removes part of the neurons. The Kalman filter uses a state equation and a measurement equation to predict the output changes of the neurons and of the neural network, determine their order of importance, identify the unrelated or negatively related neurons, and prune this part of the network nodes. Unlike traditional pruning methods, which introduce a penalty during the learning procedure, this method works solely on the trained neural network, so it neither disturbs the learning procedure nor prolongs the learning time. Results showed that this prediction method can implement the pruning of neurons and can improve the learning accuracy of the neural network.

(5) Propose a comprehensive evaluation method for the network. Current evaluations of a network's anti-intrusion ability are mostly conducted with respect to network threats and vulnerabilities, with varying parameters and algorithms. To establish the experimental conditions, the network traffic monitor mentioned above and the related intrusion detection algorithms were integrated, and, based on the multiple factors that contribute to commonly occurring problems, we proposed a quantification parameter that takes the intrusion detection result as one of the network performance parameters. The possible influence of different intrusion methods on the network was set as an input parameter. We gave a performance evaluation equation that can quantify the network performance and thereby evaluate the network performance and test the intrusion detection result.
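The single fixed threshold that item (1) argues against, beside a forecast-band alarm from a least-squares ARIMA(1,1,0) fit, as an added illustration that is not the dissertation's code. The constructed daily traffic cycle with one burst, the model order, the band width k, and the omission of the smoothing step are all assumptions made here.

```python
import math

def fit_arima110(history):
    """Fit ARIMA(1,1,0) by least squares: difference once, then AR(1) on the
    differences. Returns (phi, sigma), sigma being the residual RMS."""
    d = [history[i] - history[i - 1] for i in range(1, len(history))]
    num = sum(d[i] * d[i - 1] for i in range(1, len(d)))
    den = sum(d[i - 1] ** 2 for i in range(1, len(d))) or 1.0
    phi = num / den
    resid = [d[i] - phi * d[i - 1] for i in range(1, len(d))]
    sigma = math.sqrt(sum(r * r for r in resid) / max(1, len(resid)))
    return phi, sigma

def forecast_next(history, phi):
    # One-step-ahead ARIMA(1,1,0) forecast: last level plus phi times the last change.
    return history[-1] + phi * (history[-1] - history[-2])

def dynamic_alerts(series, train_len, k=3.0):
    """Alert when an observation leaves the forecast band of +/- k*sigma.
    An alerted observation is replaced by its forecast in the history, so a
    single burst does not poison the forecasts of the following hours."""
    history = list(series[:train_len])
    phi, sigma = fit_arima110(history)
    alerts = []
    for t in range(train_len, len(series)):
        pred = forecast_next(history, phi)
        if abs(series[t] - pred) > k * sigma:
            alerts.append(t)
            history.append(pred)
        else:
            history.append(series[t])
    return alerts

def static_alerts(series, train_len, threshold):
    # The single fixed threshold the abstract contrasts with: every normal peak
    # above it becomes a false alarm.
    return [t for t in range(train_len, len(series)) if series[t] > threshold]

def constructed_traffic(spike_at=60, spike=400.0, hours=72):
    # Constructed sample (not real data): a 24-hour cycle of packets/s plus one burst.
    s = [100.0 + 50.0 * math.sin(2 * math.pi * t / 24) for t in range(hours)]
    s[spike_at] += spike
    return s

if __name__ == "__main__":
    traffic = constructed_traffic()
    print("dynamic:", dynamic_alerts(traffic, train_len=48))
    print("static :", static_alerts(traffic, train_len=48, threshold=140.0))
```

With two clean days as training data, the forecast band flags only the burst at hour 60, while a threshold of 140 also fires on every ordinary daily peak (hours 52 to 56).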
Keywords/Search Tags: Distributed Intrusion Detection System, Artificial Neural Networks, Incremental learning, Integrated Learning, Neural network pruning