Research On Key Techniques Of Network Intrusion Detection

Posted on: 2014-10-08
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J F Liu
GTID: 1268330425982262
Subject: Pattern Recognition and Intelligent Systems

Abstract/Summary:
While the network brings convenience to people, its own fragility offers intrusion opportunities to hackers and malicious attackers. As intrusion attacks grow more diverse and complex, high-performance intrusion detection techniques are required, and the study of on-line detection, adaptive detection and multiclass detection techniques has become a current hotspot. To improve the performance of multiclass intrusion detection systems, this dissertation studies multiclass intrusion detection methods aimed at the characteristics of easily classified, easily mixed, imbalanced and new unknown types of attacks, and proposes an adaptive multiclass intrusion detection ensemble model. The main innovative solutions are as follows:

1) To achieve high-performance multiclass intrusion detection, hierarchical clustering based on principal direction divisive partitioning is applied to intrusion detection. The principal direction is found using matrix singular value decomposition and is used to split the training set into two subsets; the subsets are then split in the same way until no subset needs further splitting. The result is an intrusion detection model based on principal direction divisive partitioning clustering. Modeling and detection are fast because only the largest singular value and the corresponding singular vectors need to be computed when finding the principal direction. The method is neither affected by initial values nor sensitive to the input order. No similarity measure is needed when clustering, which avoids its influence on the performance of the detector.

2) To address the low detection accuracy for easily mixed attacks, an intrusion detection model based on projection pursuit direction divisive partitioning clustering is proposed. The optimal projection direction for the training set is found automatically by an optimization algorithm. The projection direction found separates the easily mixed connections from the others as clearly as possible. The basic detection model improves the detection accuracy for easily mixed attacks. A parallel detection model built on the basic detection model is also established to improve the detection accuracy further.

3) To solve the problem of the low detection rate for small classes, caused by the imbalance among the numbers of different classes of high-dimensional network connection records, a feature extraction algorithm based on weighted non-negative matrix decomposition is proposed, and an intrusion detection model is established by combining it with the rival penalized competitive learning neural network. Feature extraction based on weighted non-negative matrix decomposition strengthens the features of the small classes and makes the boundaries between classes clearer, so it improves the detection accuracy for the small classes significantly.

4) To recognize new unknown types of attacks adaptively, adaptive resonance theory is applied to intrusion detection to establish an online adaptive intrusion detection model based on the ART2 neural network. The model is structured in two levels and can detect and learn in a dynamic environment in real time. The model learns quickly and does not need to learn the same input pattern repeatedly. It recognizes normal connections and known types of attacks with the first-level detector, and learns new intrusion patterns and detects new unknown types of attacks with the second-level detector.

5) To further improve the overall detection accuracy and efficiency of the intrusion detection system, various ensemble structures of classifiers are studied. Combining the strengths of different detectors in detecting different attack types, an intrusion detection ensemble model with a three-level hybrid structure is proposed. The first-level detector, based on principal direction divisive partitioning clustering, detects the easily classified attacks. The second-level detector, based on feature extraction by weighted non-negative matrix decomposition and on projection pursuit direction divisive partitioning clustering, detects the easily mixed and the imbalanced types of attacks. The third-level detector, based on the ART2 neural network, recognizes the new unknown types of attacks. This ensemble model exploits the advantages of every single detector, detects the easily classified attacks quickly, and improves the detection accuracy for the easily mixed and small-class attacks. It can detect new unknown types of attacks and learn their profiles adaptively. The model therefore has better overall performance.
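
The splitting step described in solution 1, as an added example that is not code from the dissertation: each subset is centred, the leading singular vector is found by power iteration (so no full decomposition is computed), and records are divided by the sign of their projection. The stopping rule (`min_size`, `min_sigma`) and the sample records are assumptions made for this illustration; the abstract does not say when a subset "needs no further splitting".

```python
import math

# Constructed sample: 12 connection records with 3 numeric features each
# (illustrative values, not taken from the dissertation or any dataset).
RECORDS = [
    [1.0, 1.0, 1.0], [1.2, 0.9, 1.1], [0.8, 1.1, 0.9], [1.0, 1.2, 1.0],  # normal-like
    [9.0, 9.0, 1.0], [9.2, 8.8, 1.1], [8.8, 9.1, 0.9], [9.0, 9.2, 1.0],  # flood-like
    [1.0, 1.0, 9.0], [1.1, 0.9, 9.2], [0.9, 1.1, 8.8], [1.0, 1.0, 9.1],  # scan-like
]

def principal_direction(rows, iters=100):
    """Return (mean, leading right singular vector, singular value) of centred rows."""
    n, d = len(rows), len(rows[0])
    mean = [sum(r[j] for r in rows) / n for j in range(d)]
    centred = [[r[j] - mean[j] for j in range(d)] for r in rows]
    v = [1.0 / (j + 1) for j in range(d)]        # fixed, non-uniform start vector
    for _ in range(iters):                        # power iteration on A^T A
        av = [sum(c[j] * v[j] for j in range(d)) for c in centred]
        w = [sum(centred[i][j] * av[i] for i in range(n)) for j in range(d)]
        norm = math.sqrt(sum(x * x for x in w))
        if norm == 0.0:                           # subset has no scatter at all
            return mean, v, 0.0
        v = [x / norm for x in w]
    sigma = math.sqrt(sum(sum(c[j] * v[j] for j in range(d)) ** 2 for c in centred))
    return mean, v, sigma

def pddp(rows, min_size=2, min_sigma=1.0):
    """Recursively bisect rows; returns clusters as lists of row indices.

    min_size and min_sigma are an assumed stopping rule: a subset is kept whole
    when it is too small or its largest singular value (its scatter) is small.
    """
    def split(idx):
        if len(idx) < 2 * min_size:
            return [idx]
        mean, v, sigma = principal_direction([rows[i] for i in idx])
        if sigma < min_sigma:
            return [idx]
        left, right = [], []
        for i in idx:                             # sign of projection picks the side
            score = sum((rows[i][j] - mean[j]) * v[j] for j in range(len(v)))
            (left if score <= 0 else right).append(i)
        if not left or not right:
            return [idx]
        return split(left) + split(right)
    return split(list(range(len(rows))))
```

On the constructed records the first split isolates the flood-like group, the second separates the normal-like from the scan-like records, and the three remaining subsets are left whole because their scatter is below `min_sigma`.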
Keywords/Search Tags: Intrusion Detection, Clustering, Projection Pursuit, Weighted Non-negative Matrix Decomposition, ART2 Neural Network, Feature Extraction, Multiclass Classification, Ensemble