
Cooperative Intrusion Detection System Based On Sparse Representation

Posted on: 2012-01-30
Degree: Master
Type: Thesis
Country: China
Candidate: B L Cui
GTID: 2178330335974201
Subject: Computer software and theory
Abstract/Summary:
With the rapid development of computer networks, network security draws more and more attention. In particular, intrusion detection faces challenges such as large-scale, high-speed data streams, online learning, and how to reduce or eliminate the impact of noisy data. Intrusion detection can essentially be viewed as a classification problem: all network behavior can be divided into two categories, normal behavior and abnormal behavior, so the intrusion detection problem can be transformed into a pattern recognition problem. The key to solving this problem is pattern extraction and the establishment of a classification model.

The theory of sparse representation has received widespread attention in recent years in image processing and other fields. Compared with transforming the signal using a traditional orthogonal basis, sparse decomposition based on an overcomplete dictionary is a new theory of signal representation. Transforming the data to another space by using an overcomplete dictionary, namely sparse coding, leads to better classification results, because the coefficients of the sparse representation contain certain identification information. Sparse representation has the following advantages: rich representation capability; good robustness on unbalanced data sets; the ability to cope with large-scale data; better denoising performance; fast detection speed; and adaptive learning. It can cope with high-dimensional data and with a lack of prior knowledge, it can guarantee a higher detection rate and a lower false alarm rate, and it reduces the packet loss rate and improves the performance of the Intrusion Detection System.

In this paper, the following work is done:

(1) We design a cooperative intrusion detection model and describe each module in detail. It is composed of data acquisition, data preprocessing, detection agent, response unit and data-carrier storage; each module can work in parallel.

(2) We design a group of detection agents, which are used to detect attacks carried over TCP/UDP/ICMP in parallel. The agents detect network attack behavior independently and also complete the entire detection task cooperatively. We give the model of the cooperative intrusion detection agent and describe the structure of a single agent.

(3) We give three learning algorithms based on Sparse Representation for constructing the agent:
① The first trains the dictionary for the normal class and the attack class and, following the theory of subspace structure, determines the class of test samples according to the error of sparse reconstruction.
② Considering that sparse coefficients carry effective representational and discriminative power as well as class information, we apply the discriminative K-SVD algorithm to intrusion detection. During training, the method optimizes the overcomplete dictionary and the linear discriminative function together.
③ The third combines Sparse Representation with a Support Vector Machine. The strong discriminative information within the sparse coefficients gives the Support Vector Machine better performance on intrusion detection.

(4) We give a method for solving the problems of streamlining the training data and incremental learning. When training the model, the data set may be very large and may contain some noise. To guarantee that detection is stable and to avoid interference from the noise, it is necessary to address the problems of streamlining the training data and incremental learning. This paper analyzes these issues and provides solutions.

(5) Simulation experiments are carried out using the KDD Cup 1999 data set. The experimental results show that this method can improve the performance of intrusion detection in many aspects.
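Classification by sparse reconstruction error, as in the first learning algorithm, can be sketched as follows. This is an added example, not code from the thesis. It assumes one dictionary per class, uses matching pursuit as the sparse coder (the abstract does not name one), takes the training samples themselves as atoms instead of a trained dictionary, and runs on constructed records.

```python
import math

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def unit(v):
    """Scale v to unit length; an all-zero vector is returned unchanged."""
    n = math.sqrt(dot(v, v))
    return [x / n for x in v] if n else list(v)

def mp_residual(atoms, x, sparsity):
    """Matching pursuit: `sparsity` times, subtract the projection onto the
    unit-norm atom most correlated with the residual; return the residual norm."""
    r = list(x)
    for _ in range(sparsity):
        atom = max(atoms, key=lambda d: abs(dot(r, d)))
        c = dot(r, atom)
        r = [ri - c * di for ri, di in zip(r, atom)]
    return math.sqrt(dot(r, r))

def classify(dictionaries, sample, sparsity=2):
    """Return (label, errors): the class whose dictionary reconstructs the
    sample with the smallest sparse reconstruction error."""
    x = unit(sample)
    errors = {label: mp_residual(atoms, x, sparsity)
              for label, atoms in dictionaries.items()}
    return min(errors, key=errors.get), errors

# Constructed records scaled to [0, 1]; columns follow KDD Cup 1999 features:
# duration, src_bytes, dst_bytes, count, serror_rate
NORMAL = [[0.2, 0.5, 0.6, 0.1, 0.0], [0.1, 0.4, 0.7, 0.1, 0.0],
          [0.3, 0.6, 0.5, 0.2, 0.1]]
ATTACK = [[0.0, 0.0, 0.0, 0.9, 1.0], [0.0, 0.1, 0.0, 1.0, 0.9],
          [0.1, 0.0, 0.0, 0.8, 1.0]]
# Assumption: training samples serve directly as atoms (no dictionary training).
DICTIONARIES = {"normal": [unit(v) for v in NORMAL],
                "attack": [unit(v) for v in ATTACK]}

if __name__ == "__main__":
    for sample in ([0.2, 0.5, 0.5, 0.1, 0.0], [0.0, 0.0, 0.1, 0.9, 0.9]):
        label, errors = classify(DICTIONARIES, sample)
        print(sample, "->", label, {k: round(e, 3) for k, e in errors.items()})
```

A sample that lies close to the subspace spanned by one class's atoms leaves a small residual under that dictionary and a large one under the other, which is what the decision rule exploits.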
Keywords/Search Tags: Intrusion Detection, Cooperation, Sparse Representation, Subspace Learning, K-SVD