
The Research Of An Abnormal Intrusion Detection Algorithm Based On Incremental SVM

Posted on: 2013-04-25
Degree: Master
Type: Thesis
Country: China
Candidate: J F Yu
GTID: 2248330371983924
Subject: Computer system architecture
Abstract/Summary:
With the rapid development of computer hardware and software, the number of computer network applications keeps increasing. While enjoying the conveniences of the Internet, people face an increasingly serious threat of network intrusion. Hacker tools can now be found easily on the Internet, leading to more intrusion behavior. Statistical data show that the number of network intrusion incidents grows exponentially each year. Meanwhile, network intrusions have become diverse, intelligent and covert, so traditional static defenses such as antivirus software, firewalls and other technologies can no longer keep the network secure. By proactively analyzing the network data stream, an Intrusion Detection System can protect the network at a deeper level, and it has become an important part of network security. A Misuse Intrusion Detection System compares network flows with the known intrusions in its internal knowledge base, and can therefore detect intrusions very efficiently. Its shortcoming is that it is unaware of intrusions that are not in the knowledge base. An Anomaly Intrusion Detection System establishes a profile of the normal behavior of a system and considers how far the behavior under examination deviates from that normal behavior. In this way it can predict whether a behavior is normal, and new kinds of intrusion can be found.

Anomaly intrusion detection is essentially a classification problem: separating intrusions from normal behavior. The classification (pattern recognition) problem has been studied extensively in machine learning, optimization and other fields. The Support Vector Machine is a learning method that controls its generalization ability using the theory of VC dimension, giving good learning accuracy even on small sample data. Unlike traditional machine learning methods, the support vector machine is less affected by the data dimension, which makes it suitable for classifying high-dimensional data sets.
Incremental learning deals with two situations encountered in machine learning: the first is when the data is generated over time; the second is when the data set is too big to fit into memory for processing. Neither case can be completed with one-time training. Incremental learning is a learning method in which new samples are added during the learning process. It only needs to save part of the history, which both reduces memory usage and increases training speed.

Because it controls the expected risk and its learning result depends only on a small part of the samples, the support vectors, the Support Vector Machine (SVM) is very suitable for incremental learning. In the learning process, only a small part of the historical data needs to be saved, and only part of the new sample set needs to be added. Because it obtains the optimal boundary by maximizing the margin, the support vector machine has very prominent geometric characteristics: the support vectors are unlikely to lie near the center of each class. We can therefore leave out the sample points that are close to the center of their own class, so as to improve the training speed of the support vector machine. At the same time, the amount of new sample data should also be reduced. An effective method is to test the new data against the KKT conditions and keep the data that violate them. This method retains the most useful information in the incremental data and works well in practice.

Based on the above facts, this paper presents an anomaly intrusion detection algorithm based on SVM incremental learning. The algorithm uses the hypersphere algorithm to delete insignificant historical data and the generalized KKT conditions to select useful new samples, thus greatly reducing the amount of data that the support vector machine needs to process. To some extent, this method improves the efficiency of the intrusion detection system.
The hypersphere algorithm first computes the mean of each class of sample points, and then creates a hypersphere with the mean point as its center and the maximum distance between the sample points and the center as its radius. It then removes the sample points around the center of the sphere, according to selected parameters. This method is based on the assumption that support vectors are very unlikely to lie near the cluster centers. On the other hand, studies have shown that only new sample points that violate the generalized KKT condition can possibly change the decision function of the original data set. We use this rule to delete useless samples from the incremental data, so that every sample point added contributes to the learning process. At the end of the thesis, we carry out an experiment implementing the intrusion detection algorithm based on incremental support vector machines, with the standard support vector machine and the KKT algorithm for comparison. The experimental results show that the algorithm achieves similar accuracy while greatly reducing training time and testing time, which demonstrates the validity of the proposed algorithm.
Keywords/Search Tags: Abnormal Intrusion Detection, Support Vector Machine, Incremental Learning
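
The two sample-selection steps described in the abstract, as an added example (not code from the thesis). It assumes a linear decision function f(x) = w·x + b left by the previous training round, the usual y·f(x) < 1 test for a KKT violation by a new sample, and a hypothetical parameter rho that removes history points closer than rho·R to their class center; the function names and all data are constructed.

```python
import math

def hypersphere_prune(points, labels, rho):
    """Drop history samples closer than rho * R to their own class centre."""
    kept = []
    for cls in sorted(set(labels)):
        members = [p for p, y in zip(points, labels) if y == cls]
        centre = tuple(sum(col) / len(members) for col in zip(*members))
        dists = [math.dist(p, centre) for p in members]
        radius = max(dists)  # R: distance of the farthest class member
        kept += [(p, cls) for p, d in zip(members, dists) if d >= rho * radius]
    return kept

def kkt_violators(points, labels, w, b):
    """A sample outside the old training set has alpha = 0, so the KKT
    conditions hold only if y * f(x) >= 1; keep the samples that violate that."""
    def f(x):
        return sum(wi * xi for wi, xi in zip(w, x)) + b
    return [(x, y) for x, y in zip(points, labels) if y * f(x) < 1]

def next_training_set(hist, hist_y, new, new_y, w, b, rho):
    """Pruned history plus KKT-violating increments: the input for retraining."""
    return hypersphere_prune(hist, hist_y, rho) + kkt_violators(new, new_y, w, b)

# Constructed 2-D feature vectors; -1 = normal traffic, +1 = intrusion.
HIST = [(0, 0), (2, 0), (0, 2), (2, 2), (1, 1),
        (4, 4), (6, 4), (4, 6), (6, 6), (5, 5)]
HIST_Y = [-1] * 5 + [1] * 5
# Assumed result of the previous training round: f(x) = W.x + B,
# the maximum-margin separator of HIST (f(2,2) = -1, f(4,4) = +1).
W, B = (0.5, 0.5), -3.0
# Constructed increment: two confident samples, two inside the margin,
# one intrusion on the normal side of the old boundary, one far intrusion.
NEW = [(1, 1), (5, 5), (3, 2.5), (3.5, 3), (2, 1), (6, 7)]
NEW_Y = [-1, 1, -1, 1, 1, 1]

if __name__ == "__main__":
    batch = next_training_set(HIST, HIST_Y, NEW, NEW_Y, W, B, rho=0.5)
    print(f"retrain on {len(batch)} of {len(HIST) + len(NEW)} samples")
    for x, y in batch:
        print(y, x)
```

The intrusion at (2, 1) sits on the normal side of the old boundary, so it is exactly the kind of sample the KKT filter must keep; the confidently classified points are discarded before retraining.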