
Study On Application Of Hybrid Soft-Computing Technique To Intrusion Detection

Posted on: 2011-05-28
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z Y Ma
GTID: 1118360308457843
Subject: Computer application technology

Abstract/Summary:
Traditional IDS suffer from numerous problems, including low detection capability for unknown network attacks, a high false alarm rate, high resource consumption, poor correlation and analysis of attack data that requires excessive human participation, and weak defense against common scripting attacks. To improve the efficiency of intrusion detection and to decrease the false negative rate or false alarm rate in modern high-speed broadband and large-scale networks, introducing intelligent learning methods into IDS has become an important development direction.

In soft-computing technology, neural networks are commonly applied in intrusion detection research. The multilayer perceptron (MLP), the hierarchical BP neural network model and the self-organizing map (SOM) network have all achieved strong experimental results in intrusion detection. Intrusion detection based on genetic fuzzy rule mining mainly studies rule encoding, fitness function evaluation, genetic operator design, etc. Intrusion detection based on artificial immune systems mainly studies antibody encoding, fitness function evaluation, evaluation of the degree of non-self space coverage, etc. The basic framework of negative selection and the inheritance process remains unchanged.

This paper studies how the performance of intrusion detection systems can be improved by hybrid soft-computing technology that combines fuzzy systems, evolutionary systems (artificial immune systems) and neural network systems.
The contributions of this paper are: (1) the detection rate of U2R is improved by hierarchical SOM; (2) a genetic SOM-based IDS, which uses a genetic algorithm to optimize the neuron weights, is proposed and the detection rate of new attacks is improved; (3) a new IDS that both improves the detection rate of new attacks and decreases the false-positive rate by hybrid soft-computing (combining hierarchical SOM and an artificial immune system) is proposed; (4) the performance of classical Support Vector Machine (SVM) and Tree-SVM based IDS is compared.

Firstly, the detection rate of U2R is improved by hierarchical SOM. When SOM is used in anomaly detection, the five kinds of samples (DoS, Probe, U2R, R2L and Normal) overlap one another. This is the major reason for the unbalanced detection rates of different attacks. In hierarchical SOM, U2R and Normal samples are distributed to other neurons by adding layers, so the detection rate of U2R is improved. But Normal and R2L are too similar to be separated, so R2L can be detected only by combining host-based methods.

Secondly, this paper studies IDS based on genetic SOM. Most work on SOM-based IDS has focused on clustering IDS data with SOM. As for the learning rate, more analysis has been carried out on the network structure and learning algorithm. This paper considers the combination of SOM and a genetic algorithm, namely using the genetic algorithm to search for the optimal initial connection weight vector of the SOM. It mainly concentrates on: (1) researching the approach for combining the genetic algorithm with SOM and specifically designing genetic operators such as chromosome encoding, population initialization, crossover and mutation operators, as well as fitness functions, according to the characteristics of IDS; (2) analyzing the computation time and stability of the genetic SOM; (3) investigating the calculation of the optimal connection weight vector through the genetic operators; (4) improving the detection rate of new attacks.

Improving the detection of unknown attacks (self-adaptation) is an important research direction in intrusion detection. Artificial immune based intrusion detection has a strong capability to detect new attacks, but it requires a long training time and the non-self space is covered randomly. Therefore, detection efficiency can be greatly improved only by combining artificial immune based intrusion detection with other intelligent methods (a hybrid system). This paper proposes a new intrusion detection method named hybrid soft-computing. It includes two stages: first, a hierarchical self-organizing map (SOM) network is used to learn and detect known attacks quickly; second, an artificial immune system is used to find different space and filter the detection results of the SOM a second time, so as to improve the detection rate of new attacks. This paper introduces fuzzy logic into artificial immune antibody encoding and fitness evaluation, and improves search speed and precision through local search. Experiments show that the detection rate of the hybrid system for known or unknown attacks is higher than that of a single system based on artificial immune, fuzzy rule mining or hierarchical SOM mechanisms.

Lastly, this paper studies the application of the hybrid SVM in IDS. Multi-class SVM based on a decision tree has the "unclassified region" problem, but there is very little research on the application of this kind of SVM in IDS.
This paper contributes to: (1) analyzing the detection capability, time consumption and stability of multi-class SVM and two-class SVM; (2) investigating the application of multi-class SVM based on a decision tree in IDS and analyzing the separating hyperplane and attack means of this kind of SVM in IDS; (3) adopting support vector reduction to improve the training process of each node in the decision tree and studying the distribution of isolated support vectors; (4) testing the detection capability of the SVM method on new attacks and analyzing the capability of SVM to detect unknown attacks and its causes.
Keywords/Search Tags: Intrusion Detection, Genetic Algorithm, Fuzzy Logic, Artificial Immune, Support Vector Machine