
Research On Methods Of Classifying Anomaly Attacks Based On Cost-sensitive

Posted on: 2008-02-07 | Degree: Master | Type: Thesis
Country: China | Candidate: Y Jin | Full Text: PDF
GTID: 2178360242458970 | Subject: Computer application technology
Abstract/Summary:
With the further development of network technology and the continuous spread of network knowledge, human lifestyles and ways of working have changed thoroughly; the network has become a symbol of modern times. Meanwhile, all kinds of threats to network security, such as viruses, Trojan horses, hacker attacks, online economic crime and spam, have appeared, with covert launch, complex means and severe damage. Network information security mechanisms are being put to a severe test.

An IDS performs passive monitoring of network or system activities and is very effective in protecting network information systems. With the rapid development of attack technology, an IDS's capability to detect unknown attacks becomes more and more essential. At the same time, the IDS must be able to adjust existing models efficiently when knowledge about previously unknown attacks becomes available. The traditional solution is to inject the examples of newly discovered attacks into the set of known attack examples and then train new models. Although this accomplishes the adjustment of existing models, it is not rational, because the existing models that are discarded are still useful.

In order to eliminate the traditional solution's irrationality and make the most of existing models, an ensemble of classifiers is adopted. A lightweight and simple classifier is generated efficiently just for the newly discovered attacks, and the existing models are retained. When data is detected as an unknown attack by the existing model, it is sent to the new classifier for further classification. A leading difficulty in building an ensemble of classifiers lies in making the learner discover the boundaries between known and unknown classes, which is the primary task of this thesis. The ArtiAnomalyG algorithm is proposed here and discussed in detail. Executing this algorithm amplifies the sparse regions of the training data, and the class attribute of the newly generated examples is assigned the value "anomaly".

A new classifier is then learned by the AdaCost algorithm using the amplified training set, and this classifier can discover the boundaries between known and unknown classes. The contributions of this thesis are as follows:

Firstly, the AdaCost algorithm is discussed in detail and implemented on the JBuilder 9.0 platform; the class file of the AdaCost algorithm is then ported to the weka platform.

Secondly, the ArtiAnomalyG algorithm is proposed and its method is discussed in detail. It is also implemented on the JBuilder 9.0 platform and ported to the weka platform.

Thirdly, a potential defect of this algorithm is that the generated examples are likely to collide with known examples to some extent. An experiment is conducted to filter out unusable instances, and classifier models are then learned using the unfiltered and filtered training sets respectively. The main conclusion is that the performance of the algorithm is not influenced significantly despite the existence of a small amount of collision.

Finally, an experiment is conducted to evaluate the performance of the ArtiAnomalyG algorithm. The conclusion drawn from the experimental results is that the classifier models can detect anomalous attacks effectively, even though a lot of time is spent amplifying the training sets. Compared with the loss caused by attacks due to a lack of knowledge about them, the time spent amplifying the training sets is well worth it.

In a word, classifier models trained using examples amplified by ArtiAnomalyG can recognize unknown attacks. Eventually the models can not only detect various known attacks but also discover the boundaries between known and unknown attacks, and the detection ability is enhanced.
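To make the amplification and collision-filtering steps concrete, the following is an added toy illustration of the idea the abstract describes; it is not the thesis's ArtiAnomalyG implementation or its weka port. The training records, the feature names and values, the sparsity rule (a nominal value counts as sparse when its relative frequency for that feature is below a threshold) and the exact-match collision check are all assumptions made for this example.

```python
from collections import Counter

# Constructed toy training set of connection-style records (assumed names/values).
KNOWN = [
    ({"proto": "tcp", "service": "http", "flag": "SF"}, "normal"),
    ({"proto": "tcp", "service": "http", "flag": "SF"}, "normal"),
    ({"proto": "tcp", "service": "smtp", "flag": "SF"}, "normal"),
    ({"proto": "udp", "service": "dns", "flag": "SF"}, "normal"),
    ({"proto": "tcp", "service": "http", "flag": "S0"}, "neptune"),
    ({"proto": "tcp", "service": "http", "flag": "S0"}, "neptune"),
    ({"proto": "icmp", "service": "ecr_i", "flag": "SF"}, "smurf"),
]

def _key(rec):
    return tuple(sorted(rec.items()))

def amplify_sparse_regions(known, sparsity=0.2):
    """Generate artificial 'anomaly' examples in the sparse regions of the
    training data. Assumed rule: a nominal value is sparse when its relative
    frequency for that feature is below `sparsity`; each known record is
    copied with one feature swapped to such a value and labelled "anomaly"."""
    features = list(known[0][0])
    counts = {f: Counter(rec[f] for rec, _ in known) for f in features}
    total = len(known)
    generated = []
    for rec, _ in known:
        for f in features:
            for value, n in counts[f].items():
                if value != rec[f] and n / total < sparsity:
                    generated.append(({**rec, f: value}, "anomaly"))
    return generated

def filter_collisions(generated, known):
    """Drop generated instances that collide with a known example (identical
    feature vector, so the 'anomaly' label would contradict the known label)
    and drop duplicates among the generated instances themselves."""
    known_keys = {_key(rec) for rec, _ in known}
    seen, kept = set(), []
    for rec, label in generated:
        k = _key(rec)
        if k in known_keys or k in seen:
            continue
        seen.add(k)
        kept.append((rec, label))
    return kept

def amplified_training_set(known, sparsity=0.2):
    """Known examples plus filtered artificial anomalies, ready for a learner."""
    return known + filter_collisions(amplify_sparse_regions(known, sparsity), known)
```

On the toy set, 30 artificial records are generated, one of which collides with a known normal record and several of which are duplicates, leaving 13 distinct "anomaly" examples to add to the 7 known ones.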
Keywords/Search Tags:cost-sensitive learning, AdaCost algorithm, anomaly detection, ArtiAnomalyG algorithm, high detection rate