
Research On Network Intrusion Detection Based On Support Vector Machine Combine With K Nearest Neighbor Method

Posted on: 2016-08-22
Degree: Master
Type: Thesis
Country: China
Candidate: X J Li
GTID: 2308330479993300
Subject: Computer Science and Technology
Abstract/Summary:
Intrusion detection, as a proactive defense, has become a hotspot of information security research in recent years. In the course of an information security level protection assessment project, we found that the detection accuracy of current intrusion detection systems still needs to be improved for the four main attack types: DoS, probing, R2L and U2R. A classification model based on the support vector machine algorithm cannot classify samples that lie near the optimal classification surface; a classification model based on the k nearest neighbor algorithm is susceptible to an unbalanced distribution of samples, which leads to unstable evaluation results. To further improve the accuracy of the intrusion detection system beyond the original classification accuracy, this paper proposes an intrusion detection classification model that combines the support vector machine algorithm with the k nearest neighbor algorithm. In the classification phase, it calculates the distance between each network connection record sample and the optimal classification hyperplane. If the distance is greater than the default threshold, the support vector machine algorithm classifies the connection record; otherwise, the k nearest neighbor algorithm classifies it.
The main work and innovations can be summarized as follows:
(1) The paper proposes, for the first time in the field of intrusion detection, a classification method that combines the support vector machine algorithm with the k nearest neighbor algorithm, choosing the classification algorithm for each sample according to the distribution of samples in the feature space.
(2) To reduce the negative influence of an unbalanced distribution of samples on the k nearest neighbor algorithm, it uses a Euclidean distance that carries a weighting factor to measure the similarity among samples.
(3) In the data preprocessing stage, it normalizes three types of data (character, discrete and continuous) and converts them into real values between 0 and 1 with a unified metric.
(4) It uses the difference between the within-class distance and the between-class distance to measure each feature's contribution to the classification results, selecting the combination of features that best represents the various types of attacks.
(5) It adopts the RBF function as the kernel function of the support vector machine, and uses grid search to find the penalty parameter c and kernel parameter s at which the classification accuracy reaches its maximum.
The effect on classification accuracy of gradually increasing the value of k is observed, and the value of k at which the classification accuracy is highest is recorded. Finally, network packets collected in the information security level assessment project are used to test the classification model established earlier, and the test results are analyzed to verify the validity of the classification model. The results show that, compared with using the support vector machine or the k nearest neighbor algorithm alone, combining the support vector machine algorithm with the k nearest neighbor algorithm further improves the accuracy of network intrusion detection, so it is regarded as a good network intrusion detection method.
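
The routing rule from the classification phase, as an added example in Python (not code from the thesis): a record far from the RBF-SVM hyperplane takes the SVM label, a record near it goes to a weighted k nearest neighbor vote. Assumptions: the problem is narrowed to normal/attack, the support vectors, coefficients, training records, k and threshold are constructed values, and the weighting (distance multiplied by the neighbour's class share) is one possible form, since the abstract does not give the formula.

```python
import math
from collections import Counter

# Constructed sample data (not from the thesis): 2 features scaled to [0, 1].
SVS = [(0.2, 0.2), (0.8, 0.8)]      # support vectors
COEFS = [-1.0, 1.0]                 # alpha_i * y_i (negative = normal)
MODEL = (SVS, COEFS, 0.0, 2.0)      # support vectors, coefficients, bias, RBF gamma
TRAIN = [((0.2, 0.2), "normal"), ((0.3, 0.25), "normal"), ((0.25, 0.35), "normal"),
         ((0.4, 0.4), "normal"), ((0.45, 0.5), "normal"), ((0.35, 0.3), "normal"),
         ((0.8, 0.8), "attack"), ((0.55, 0.6), "attack")]
K, THRESHOLD = 3, 0.2               # assumed values; the thesis tunes both

def rbf(a, b, gamma):
    """RBF kernel exp(-gamma * ||a - b||^2)."""
    return math.exp(-gamma * sum((p - q) ** 2 for p, q in zip(a, b)))

def margin_distance(x, svs, coefs, bias, gamma):
    """Signed distance f(x)/||w|| from x to the hyperplane in RBF feature space."""
    f = sum(c * rbf(sv, x, gamma) for sv, c in zip(svs, coefs)) + bias
    w2 = sum(ci * cj * rbf(si, sj, gamma)
             for si, ci in zip(svs, coefs) for sj, cj in zip(svs, coefs))
    return f / math.sqrt(w2)

def weighted_knn(x, train, k):
    """k-NN vote; each Euclidean distance is multiplied by the neighbour's
    class share of the training set (assumed weighting), so samples of the
    majority class look farther away and do not swamp the vote."""
    share = Counter(label for _, label in train)
    scored = sorted((math.dist(x, v) * share[label] / len(train), label)
                    for v, label in train)
    return Counter(label for _, label in scored[:k]).most_common(1)[0][0]

def classify(x, model=MODEL, train=TRAIN, k=K, threshold=THRESHOLD):
    """Route by distance to the hyperplane: SVM when far, k-NN when near."""
    d = margin_distance(x, *model)
    if abs(d) > threshold:
        return ("svm", "attack" if d > 0 else "normal")
    return ("knn", weighted_knn(x, train, k))

if __name__ == "__main__":
    for record in [(0.9, 0.9), (0.1, 0.15), (0.5, 0.52)]:
        print(record, classify(record))
```

On this constructed data, the record (0.5, 0.52) lies near the hyperplane and is handed to k-NN; an unweighted 3-NN vote would label it normal because the six normal records outnumber the two attack records, while the weighted vote labels it attack.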
Keywords/Search Tags:Intrusion detection, Support Vector Machine, k nearest neighbor, Euclidean Distance, Feature extraction