
Research On Intrusion Prevention System Based On Attribute Reduction And Semi-supervised Learning

Posted on: 2014-09-20
Degree: Master
Type: Thesis
Country: China
Candidate: Z C Yan
GTID: 2268330422967383
Subject: Computer software and theory
Abstract/Summary:
With the rapid development of network technology and applications, network security issues have become increasingly prominent. Traditional firewall technology and intrusion detection systems can no longer meet network security requirements, so intrusion prevention systems (IPS) have come into being. An IPS can not only detect intrusion behavior but also prevent the spread of an intrusion through real-time response strategies. The intrusion detection algorithm and the active defense strategy are the two main aspects of intrusion prevention technology. After analyzing the shortcomings of firewalls and intrusion detection systems, this paper proposes a new attribute reduction algorithm and a new detection algorithm and, combining them with an alarm information correlation method, constructs a new intrusion prevention system based on attribute reduction and semi-supervised learning.

Traditional intrusion detection algorithms are mainly based on supervised learning. Supervised learning algorithms have high detection efficiency, but they must be run on a large amount of labeled, pure data, and it is infeasible to label network data correctly in practice. Introducing unsupervised learning methods into intrusion detection reduces the requirements on the training data, but yields a high false positive rate. Therefore, this paper proposes a semi-supervised learning algorithm that combines a small amount of labeled data with a large amount of unlabeled data to improve detection accuracy. The algorithm combines the result of attribute reduction with the collaborative training (co-training) algorithm and uses the large amount of unlabeled data to gradually improve the detection performance of the main classifier. Simulation experiments on the KDDCUP99 datasets show that the algorithm not only improves the detection performance of the classifier but also has good stability.

A new attribute reduction algorithm combining rough set theory and quantum particle swarm optimization (QPSO) is proposed so that the detection module can run on a small amount of labeled data. By setting an appropriate threshold, the algorithm can complete attribute reduction on a small amount of labeled data, and comparative experiments validate the effect of the reduction. Combined with the semi-supervised learning detection algorithm, the entire detection module can therefore run smoothly on a small amount of labeled data. As a result, the detection module reduces the algorithm's running time, tolerates more general training data sets and has higher detection performance, which makes the algorithm more widely applicable.

To address the problems of redundant alarm information, repeated alarms and false positives, this paper gives an alarm information correlation method. Finding the causal relationships between alarms by analyzing their basic characteristics not only eliminates redundant alarm information but also classifies it, thereby making the defense module more targeted and proactive, decreasing the number of repeated alarms and false positives, and reducing the workload of the staff.

Based on an analysis of the functions of the IPS modules, this paper establishes a four-layer intrusion prevention system model comprising a data interface layer, an intrusion detection layer, a defense layer and a management layer. By analyzing the execution flow of the algorithms and the relationships between them, a new intrusion prevention system combining attribute reduction and semi-supervised learning is formed, and the effectiveness of the core algorithm is verified through experiments on the KDDCUP99 standard datasets.
Keywords/Search Tags: intrusion prevention system, semi-supervised learning, co-training, attribute reduction, quantum particle swarm optimization
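The co-training idea summarised in the abstract, as an added example that is not the thesis's own algorithm: two classifiers each see one view of the attributes, and whichever is confident about an unlabeled record supplies its label to the shared training set. The nearest-centroid classifier, the view split, the 0.8 threshold and all records are assumptions constructed for illustration; the rough set and QPSO reduction step is not implemented.

```python
from math import dist

VIEW_A, VIEW_B = (0, 1), (2, 3)   # assumed split of an already reduced attribute set

class ViewClassifier:
    """Nearest-centroid classifier that sees only one attribute view."""
    def __init__(self, view):
        self.view = view
    def _proj(self, x):
        return [x[i] for i in self.view]
    def fit(self, X, y):
        self.centroids = {}
        for label in set(y):
            rows = [self._proj(x) for x, lab in zip(X, y) if lab == label]
            self.centroids[label] = [sum(c) / len(rows) for c in zip(*rows)]
        return self
    def predict(self, x):
        """Return (label, confidence); confidence runs from 0.5 (tie) to 1.0."""
        ranked = sorted((dist(self._proj(x), c), lab) for lab, c in self.centroids.items())
        (d0, label), (d1, _) = ranked[0], ranked[1]
        return label, (1 - d0 / (d0 + d1) if d0 + d1 else 0.5)

def co_train(X_lab, y_lab, pool, views=(VIEW_A, VIEW_B), threshold=0.8, max_rounds=5):
    """Grow the labeled set with pseudo-labels that either view is confident about."""
    X, y, pool = list(X_lab), list(y_lab), list(pool)
    clfs = [ViewClassifier(v) for v in views]
    for _ in range(max_rounds):
        for clf in clfs:
            clf.fit(X, y)
        remaining = []
        for x in pool:
            label, conf = max((clf.predict(x) for clf in clfs), key=lambda p: p[1])
            if conf >= threshold:
                X.append(x); y.append(label)   # the confident view teaches the other
            else:
                remaining.append(x)            # left unlabeled rather than guessed
        if len(remaining) == len(pool):        # no new pseudo-labels this round
            break
        pool = remaining
    for clf in clfs:
        clf.fit(X, y)
    return clfs, len(X) - len(X_lab)

# Constructed, normalised records; the one labeled attack is atypical in view A.
LABELED = [[0.10, 0.10, 0.10, 0.10], [0.50, 0.50, 0.90, 0.90]]
LABELS = ["normal", "attack"]
UNLABELED = [[0.35, 0.35, 0.15, 0.10], [0.30, 0.40, 0.10, 0.15],
             [0.90, 0.90, 0.85, 0.90], [0.95, 0.85, 0.90, 0.95]]
PROBE = [0.40, 0.35, 0.12, 0.10]   # constructed normal record
```

Trained on the two labeled records alone, the view A classifier calls `PROBE` an attack; after `co_train` absorbs the four unlabeled records it classifies the same record as normal.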