The Research Of SOM-Based Distributed Intrusion Detection Algorithm

Posted on: 2012-06-17
Degree: Master
Type: Thesis
Country: China
Candidate: R Lv
GTID: 2178330335450031
Subject: Computer application technology
Abstract/Summary:
Distributed intrusion detection is an effective method of detecting large-scale network intrusions. Neural networks are characterized by large-scale parallel processing and distributed storage of information, and they are commonly used in intrusion detection systems. In view of the high learning precision but relatively low efficiency of modular neural networks, the paper studies a SOM-based distributed intrusion detection algorithm using neural networks, cluster analysis and the mechanism of distributed integrated learning.

The SOM-based distributed intrusion detection model has a two-tier structure. The lower tier consists of leaf nodes. These nodes are responsible for training on samples (samples of normal behavior) in the junior learning stage, which lays the foundation for further learning. The top tier is a central node. First, the node collects the training results from each child node; next, it merges them into input samples for integrated learning; then, it uses the integrated learning algorithm to integrate the knowledge of each child node into overall knowledge and create a rule base of normal behavior; finally, it establishes an anomaly-based intrusion detection model.

Based on its study of neural networks, the paper chose self-organizing mapping (SOM) as the algorithm for the junior learning stage. SOM, an unsupervised algorithm, adaptively accomplishes feature mapping from the input space and thereby achieves a preliminary study of the input samples. After analyzing the advantages and disadvantages of the various neighborhood functions used in SOM, the paper proposed a new neighborhood function that is simple to calculate and maintains the characteristics of biological systems as much as possible. Applying the new neighborhood function to SOM gave the proposed DSOM algorithm.

SOM has the features of self-adaptation and self-learning. The paper adopted SOM in the integrated learning stage as the integration algorithm of the central node. The first step of integrated learning is to collect the training results from each leaf node. The second is to merge these training results, which are actually the weight vectors of the winner neurons, into input samples for the integrated learning algorithm. The third is to use the SOM integrated learning algorithm to train on the input samples and create a rule base of normal behavior. Finally, an anomaly-based SOM-DSOM intrusion detection model is established.

SOM has some shortcomings: parameter selection contributes greatly to the convergence of the network, detection accuracy is not satisfactory, and training time is long. The paper studied cluster analysis methods and compared the K-means method with the Fuzzy C-means (FCM) method. FCM classifies samples according to a membership function. It was adopted in the integrated learning stage because of its fuzzy nature. In the end, an anomaly-based FCM-DSOM intrusion detection model was established.

Finally, the proposed algorithm was applied to intrusion detection. The paper demonstrated the performance and effectiveness of the algorithms through experiments on the intrusion detection data set KDDCUP1999. Compared with the centralized intrusion detection algorithm, the proposed algorithm is able to achieve the overall detection accuracy, and its test results are superior to those of the centralized algorithm. The paper also analyzed, through experiments, the impact of the number of nodes and the values of the parameters on the performance of the algorithm.
Keywords/Search Tags:Intrusion detection, Distributed, Self-Organizing Mapping, Fuzzy C-means
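The two-tier procedure described in the abstract, as an added example that is not code from the thesis: each leaf node trains a SOM on its local normal samples and sends only its winner-neuron weight vectors to the central node, which trains a SOM on the merged vectors to form the rule base of normal behavior. The Gaussian neighborhood (a stand-in, since the thesis's own neighborhood function is not given on this page), the distance threshold, the function names and the two-feature traffic data are all assumptions made for illustration.

```python
import math
import random

def bmu(weights, x):
    """Return (index, distance) of the winner unit for sample x."""
    d = [math.dist(w, x) for w in weights]
    i = min(range(len(d)), key=d.__getitem__)
    return i, d[i]

def train_som(samples, n_units, rng, epochs=30, lr0=0.5, sigma0=1.0):
    """1-D SOM. The Gaussian neighbourhood is an assumed stand-in, not the thesis's."""
    w = [list(s) for s in rng.sample(samples, n_units)]
    for e in range(epochs):
        frac = 1.0 - e / epochs
        lr, sigma = lr0 * frac, max(sigma0 * frac, 0.2)
        for x in rng.sample(samples, len(samples)):
            b, _ = bmu(w, x)
            for j in range(n_units):
                h = math.exp(-((j - b) ** 2) / (2 * sigma ** 2))
                w[j] = [wj + lr * h * (xi - wj) for wj, xi in zip(w[j], x)]
    return w

def leaf_train(samples, rng, n_units=4):
    """Leaf node: learn local normal behaviour, report winner-neuron weights only."""
    w = train_som(samples, n_units, rng)
    winners = sorted({bmu(w, x)[0] for x in samples})
    return [w[i] for i in winners]

def central_integrate(leaf_results, rng, n_units=4):
    """Central node: merge the leaf results and train the integrating SOM on them."""
    merged = [v for result in leaf_results for v in result]
    return train_som(merged, min(n_units, len(merged)), rng)

def is_anomalous(rule_base, x, threshold=0.25):
    """Flag x if it is farther than `threshold` (assumed value) from every rule."""
    return bmu(rule_base, x)[1] > threshold

def normal_traffic(rng, n):
    """Constructed data: two normalised features, two clusters of normal behaviour."""
    centres = [(0.2, 0.2), (0.8, 0.3)]
    return [tuple(c + rng.uniform(-0.05, 0.05) for c in centres[i % 2]) for i in range(n)]

def build_rule_base(seed=7, n_leaves=3):
    rng = random.Random(seed)
    leaves = [leaf_train(normal_traffic(rng, 60), rng) for _ in range(n_leaves)]
    return central_integrate(leaves, rng)

if __name__ == "__main__":
    rules = build_rule_base()
    print([(p, is_anomalous(rules, p)) for p in [(0.2, 0.2), (0.8, 0.3), (0.5, 0.9)]])
```

Only weight vectors leave the leaf nodes, so the central node never sees raw traffic; a sample is reported as an intrusion when no rule in the merged rule base lies within the threshold distance.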