
Algorithm Of Multi-category SVM Incremental Learning In Application Of Intrusion Detection

Posted on: 2012-03-26
Degree: Master
Type: Thesis
Country: China
Candidate: F X Meng
Full Text: PDF
GTID: 2178330332999305
Subject: Computer application technology

Abstract/Summary:
Intrusion detection can discover attacks as they happen, identify where they came from, and then monitor them and provide information on how to handle them. Techniques commonly used for intrusion detection include statistical methods, Bayesian networks, neural networks, immune methods, and machine learning. In recent years machine learning has developed well in the area of intrusion detection because of its good performance. SVM is now a popular machine learning method; it is based on statistical theory and the principle of structural risk minimization. SVM not only performs well but also achieves the best balance between model complexity and learning ability. This thesis mainly studies SVM-based algorithms suited to intrusion detection and applies them to that area.

In practice, intrusion detection is by nature a multi-category classification problem because of the requirements of the response strategy. An intrusion detection system should therefore be able not only to distinguish normal from abnormal data, but also to distinguish different types of intrusion. In addition, intrusion detection should use incremental learning, because intrusion methods keep changing in a real network environment; incremental learning can learn them in time and reduces the amount of learning required each time. However, the traditional SVM was proposed for binary classification. The usual solution for multi-category classification is decomposition and combination, but SVM learning will be quite slow due to the scale of the data in a network environment. This thesis analyzes the distribution of support vectors (SVs): SVs are always located near the edge of the sample set, and the distance from an SV to the center of its own class is normally quite large. This characteristic is more pronounced in multi-category SVM.
Based on this, the thesis proposes a new SVM-based multi-category classification algorithm, M-SVM. The algorithm tries to find an approximate minimum sample set containing the samples most likely to be SVs, and uses this set in place of the original training set to reduce computational complexity. To improve detection performance, the algorithm uses the SVM decision function together with a clustering method when predicting. To find the samples located at the edge, M-SVM measures the distribution of samples by the distance from each sample to the center of its own class, and selects the samples far from their centers as the approximate minimum sample set. Centers and distances are all computed in the high-dimensional space mapped by the kernel function.

The thesis then analyzes in detail the SVM-based incremental learning method that uses the KKT conditions and, considering the features of multi-category classification and incremental learning, identifies two drawbacks of this method: samples are selected repeatedly and the computation is complicated, and adding new categories during incremental learning degrades classifier performance. To solve both problems, the thesis extends M-SVM to incremental learning and proposes MI-SVM, a new incremental learning method suited to multi-category classification. It uses the same method to select samples, but during incremental learning it computes the centers and distances again and reselects the samples that take part in training. MI-SVM is designed for the multi-category and incremental-learning features of network intrusion detection; it can effectively avoid the problems above, reducing training complexity and improving accuracy at the same time. For the MI-SVM algorithm, the thesis carried out simulation experiments on KDD99, the standard intrusion detection dataset.
The experiments first analyzed the relationship between the SVs and the training set, and used the result to determine the value of Sn. They then analyzed the performance of the algorithms in terms of learning accuracy, false alarm rate, and detection rate. The results showed that MI-SVM can find the set most likely to contain the SVs, reduce the scale of the training set, save training time, and maintain good performance at the same time.
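The sample-selection step described in the abstract, as an added example that is not code from the thesis: per class, compute each sample's distance to the class center in kernel feature space, keep the farthest samples as SV candidates, and recompute and reselect when a new batch arrives. The RBF kernel, the `keep` parameter, all function names and the 2-D data are assumptions made for illustration; SVM training and the combined decision-function/clustering prediction are not shown.

```python
import math

def rbf(a, b, gamma=0.5):
    """RBF kernel k(a, b) = exp(-gamma * ||a - b||^2); kernel choice is an assumption."""
    return math.exp(-gamma * sum((x - y) ** 2 for x, y in zip(a, b)))

def center_distances(points, kernel=rbf):
    """Squared distance from each phi(x) to its class mean mu in feature space:
    ||phi(x)-mu||^2 = k(x,x) - (2/n) sum_i k(x,x_i) + (1/n^2) sum_ij k(x_i,x_j)
    """
    n = len(points)
    gram = [[kernel(p, q) for q in points] for p in points]
    mean_all = sum(map(sum, gram)) / (n * n)
    return [gram[i][i] - 2.0 * sum(gram[i]) / n + mean_all for i in range(n)]

def select_edge_samples(data, keep):
    """data: {label: [vectors]}. Returns, per class, the sorted indices of the
    `keep` samples farthest from their own center (`keep` is hypothetical)."""
    chosen = {}
    for label, points in data.items():
        dist = center_distances(points)
        order = sorted(range(len(points)), key=lambda i: dist[i], reverse=True)
        chosen[label] = sorted(order[:keep])
    return chosen

def incremental_update(data, new_batch, keep):
    """Merge a new batch (which may add classes), then recompute centers and
    distances and reselect over the merged set."""
    merged = {label: list(points) for label, points in data.items()}
    for label, points in new_batch.items():
        merged.setdefault(label, []).extend(points)
    return merged, select_edge_samples(merged, keep)

# Constructed 2-D sample data (not KDD99 records).
SAMPLE = {
    "normal": [(0.0, 0.0), (0.1, 0.0), (0.0, 0.1), (-0.1, 0.0), (2.0, 2.0)],
    "dos": [(5.0, 5.0), (5.1, 5.0), (5.0, 5.1), (3.0, 3.0)],
}
NEW_BATCH = {
    "normal": [(-3.0, -3.0)],
    "probe": [(9.0, 9.0), (9.1, 9.0), (8.0, 8.0)],  # class unseen so far
}

if __name__ == "__main__":
    print(select_edge_samples(SAMPLE, keep=1))
    print(incremental_update(SAMPLE, NEW_BATCH, keep=1)[1])
```

The selected indices would form the reduced training set passed to a multi-class SVM trainer in place of the full data.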
Keywords/Search Tags: Intrusion detection, Support vector machine, Multi-category classification, Incremental learning