
Research And Application Of Distributed Ensemble Learning In Intrusion Detection

Posted on: 2013-07-22
Degree: Master
Type: Thesis
Country: China
Candidate: Y X Xie
Full Text: PDF
GTID: 2248330371485227
Subject: Computer application technology

Abstract/Summary:
With the rapid development of the Internet, network security has become an important issue that needs to be solved worldwide. As one of the important methods for protecting information security, the IDS (Intrusion Detection System) has received wide attention. Most early security tools use static defense strategies, such as encryption and decryption, firewalls, secure routers and so on. Static defense is a passive strategy: it can neither trace the source of an intrusion nor forecast the occurrence of one. In recent years, static defense has hardly been able to detect complex, multi-step attacks, on account of the improvement of hacker techniques and attack tools. The IDS uses active defense as its detection strategy. It can make up for the deficiency of a single passive defense technique, effectively detect intrusive behaviors and immediately respond to reduce the losses caused by the intrusion.

At present, there are two commonly used intrusion detection methods: misuse detection and anomaly detection. Misuse detection, often called feature-based detection, identifies intrusions by matching the observed event flow with predefined descriptions of intrusive behavior. Anomaly detection identifies intrusions according to the deviation between current user behavior and normal behavior. In addition, some researchers propose an IDS based on the combination of the two detection methods, which uses misuse detection to identify known behaviors and anomaly detection to discover new behaviors.

However, whether an IDS is based on misuse detection or on anomaly detection, two aspects need to be improved: one is the promotion of the IDS's comprehensive performance; the other is the ability to analyze large-scale data, which helps the IDS use the acquired knowledge to identify complicated attacks.

The research in this paper addresses both aspects, and we present a hybrid intrusion detection model, namely KDIDM. In order to improve the detection performance of the IDS, KDIDM uses feature extraction to handle the input data. Feature extraction is an effective data preprocessing technique which removes redundant information from the raw data and extracts the important hidden features for convenient analysis. Kernel Principal Component Analysis (KPCA) and Kernel Independent Component Analysis (KICA) are two feature extraction methods from computational intelligence. The detection results of an IDS based on KPCA differ from those of an IDS based on KICA: the IDS based on KPCA gets a low false positive rate, high accuracy and a high false negative rate; on the contrary, the IDS based on KICA gets a high false positive rate, low accuracy and a low false negative rate. According to the characteristics of the two feature extraction approaches, this paper proposes a novel algorithm to integrate the extraction results of KPCA and KICA. Firstly, the algorithm constructs two feature extractors, one based on KPCA and the other on KICA. Secondly, the algorithm uses the two extractors to preprocess the raw data. Finally, the algorithm uses a simple weighted ensemble learning approach to merge the results of KPCA and KICA, and then uses the integrated result as the input of the detection analysis, which establishes a solid foundation for improving system performance.

So as to let KDIDM reach its best state as soon as possible, this paper presents an adaptive feedback algorithm. In the initial state of KDIDM the system performance may not be very good, but the adaptive feedback algorithm adjusts the ensemble learning weights of KPCA and KICA until the system reaches its best detection results. What's more, this feedback algorithm does not increase time consumption much, so the system performance is not cut down by the weighting adjustments.

This paper adopts a distributed neural network based on the Hebb rule to analyse the large-scale data. The network uses the acquired knowledge learned from the distributed ensemble learning results of KPCA and KICA to determine whether an intrusion takes place or not.

The experiments of this paper adopt the popular KDD'99 data sets. Compared with other existing IDS, KDIDM gets not only high accuracy but also low false negative and false positive rates. Therefore, KDIDM is a more effective method to identify intrusions. This paper uses four attack patterns to test the performance of KDIDM online detection. As a result, KDIDM gets good online detection performance; in particular, the detection of the SYN Flooding attack is excellent.
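The weighted KPCA/KICA ensemble and the adaptive feedback on its weights, as an added illustration that is not the thesis's own code: the abstract gives no formula, so the detector scores, the validation records and the weight-update rule below are constructed assumptions, chosen only to reproduce the stated trade-off (KPCA conservative, KICA aggressive).

```python
"""Weighted KPCA/KICA ensemble with adaptive feedback on the weights.

Constructed example, not the thesis's code: each record carries two anomaly
scores in [0, 1] (KPCA-based and KICA-based detector) and a label (1 = attack).
The ensemble score is w*kpca + (1-w)*kica, flagged above THRESHOLD. The update
rule in adapt_weight is an assumption: on each ensemble error, w moves toward
whichever single detector got that record right.
"""
from typing import List, Tuple

Record = Tuple[float, float, int]  # (kpca_score, kica_score, label)
THRESHOLD = 0.5
# Constructed validation set shaped like the abstract's characterisation: the
# KPCA detector is conservative (misses attacks), KICA aggressive (false alarms).
VALIDATION: List[Record] = [
    (0.9, 0.8, 1), (0.3, 0.8, 1), (0.2, 0.9, 1), (0.4, 0.7, 1),  # attacks
    (0.1, 0.2, 0), (0.2, 0.7, 0), (0.1, 0.8, 0), (0.3, 0.6, 0),  # normal
]

def ensemble_score(kpca: float, kica: float, w: float) -> float:
    """Simple weighted ensemble of the two extractor-based detector scores."""
    return w * kpca + (1.0 - w) * kica

def evaluate(records: List[Record], w: float) -> Tuple[float, float, float]:
    """Return (accuracy, false positive rate, false negative rate) at weight w."""
    attacks = sum(y for _, _, y in records)
    normals = len(records) - attacks
    fp = fn = 0
    for kpca, kica, y in records:
        pred = int(ensemble_score(kpca, kica, w) > THRESHOLD)
        fp += int(pred == 1 and y == 0)
        fn += int(pred == 0 and y == 1)
    return 1.0 - (fp + fn) / len(records), fp / normals, fn / attacks

def adapt_weight(records: List[Record], w: float, lr: float = 0.1,
                 epochs: int = 10) -> float:
    """Feedback loop: nudge w toward the detector that was right on each miss."""
    for _ in range(epochs):
        for kpca, kica, y in records:
            if int(ensemble_score(kpca, kica, w) > THRESHOLD) == y:
                continue  # ensemble already correct: no feedback
            kpca_right = int(kpca > THRESHOLD) == y
            kica_right = int(kica > THRESHOLD) == y
            if kpca_right and not kica_right:
                w += lr
            elif kica_right and not kpca_right:
                w -= lr
            w = round(min(1.0, max(0.0, w)), 6)  # clamp and drop float drift
    return w
```

Starting from either single detector (w = 1.0 is KPCA only, w = 0.0 is KICA only) the feedback loop settles on w = 0.5 within three epochs on this data, trading each detector's one-sided error for a balanced ensemble.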
Keywords/Search Tags: Intrusion detection, Distributed ensemble learning, Adaptive feedback adjustment, Kernel principal component analysis, Kernel independent component analysis