
Intrusion Detection Of Cascaded Classifier Based On Re-sampling

Posted on: 2018-08-15
Degree: Master
Type: Thesis
Country: China
Candidate: Y Sun
Full Text: PDF
GTID: 2348330536473576
Subject: Computer-controlled technology
Abstract/Summary:
With the rapid development of information technology and the spread of the Internet, the Internet has come to play an important role in people's work and life. At the same time, malicious information theft, personal attacks and illegal profiteering have also increased substantially. Network security issues have become increasingly prominent, highlighting the importance of network security research. Intrusion detection is a hot topic in the field of network security. It is the process of detecting violations of safe use in computer networks and systems. With the development of information technology, the complexity of the various types of computer systems has grown exponentially, which makes intrusion detection extremely difficult.

Based on research into network intrusion detection methods, this paper finds that the commonly used intrusion detection methods focus mainly on improving the overall detection rate but neglect the detection rate of some important categories. In particular, the detection rate is low for two types of attack: R2L (unauthorized access from a remote machine to a local machine) and U2R (unauthorized access to local superuser privileges by a local unprivileged user). These two kinds of attack can easily pose a serious threat once the server has been successfully invaded, so it is urgent to improve their detection performance.

First, for the current common detection methods, this paper analyzes the causes of the low detection rate of R2L and U2R attacks. There are two main reasons. The first is that the data distribution is uneven, resulting in classification skew; this is an imbalanced classification problem (i.e., the data distribution in the training set is extremely unbalanced: the number of samples of one class or of some classes is much larger or smaller than that of the other categories). The second is that it is difficult to distinguish the two attacks from the header of the packet; the details of the data packets are needed. Through analysis and research of common intrusion detection methods, it is found that they all use the same method to detect all classes, so it is difficult to achieve the desired effect, whereas cascading multiple classifiers to perform different types of classification can effectively solve the problem of data distribution imbalance in intrusion detection.

Intrusion detection is a typical unbalanced classification problem. In this paper, we study unbalanced classification methods such as resampling. In view of SMOTE's problem of noise and boundary data in the process of resampling the intrusion detection data set, the NCL (Neighborhood Cleaner) filter method is introduced, and an improved and optimized resampling method, SMOTE-NCL, is proposed for filtering out noise and boundary data. Because of the advantages of the cascaded classifier method in solving unbalanced classification problems and its good effect in intrusion detection, this paper uses a cascaded classifier for intrusion detection. However, considering the effect of the high feature dimension of the intrusion detection data set on detection performance, this paper introduces the feature selection method CGFR, a cascaded GFR (gradually feature removal); CGFR selects the feature subset for the cascaded classifier. CGFR and SMOTE-NCL are then applied to the cascaded classifier. On this basis, a cascaded classifier intrusion detection model based on resampling is proposed to solve the problem of detecting the two kinds of attack, R2L and U2R.

According to theoretical analysis and experiments, the classification methods selected for the cascaded classifier in this paper are the decision tree algorithm (C4.5) and naive Bayes (NB). The first classifier of the cascade is trained on DoS (denial of service attacks), Probe (surveillance and probing) and Normal (normal data); the second classifier is trained on the Normal, R2L and U2R classes. In the detection process, the test set first enters the first classifier; the data that this classifier labels as Normal are passed to the second classifier for classification, which ultimately completes the classification into DoS, Probe, Normal, R2L and U2R.

This paper first compares the classification effect on cascaded classifiers of the feature subsets selected by various feature selection methods and by CGFR. It then compares the results of classification using the cascaded classifier on data sets that are not resampled, resampled by SMOTE at different sampling rates, and resampled by SMOTE-NCL. Finally, it compares the results of the SVM, KNN, NB, C4.5 and cascaded classifier methods on data sets resampled by SMOTE-NCL. For U2R and R2L attacks, the cascaded classifier model based on CGFR and SMOTE-NCL proposed in this paper has higher AUC values than the others. The detection effect for R2L is still not ideal, however, because R2L attacks are difficult to distinguish through the packet header and need the detailed information of the packet to be determined; most of the packet header features are the same as for Normal, so the detection results are not ideal. To further solve the problem, the author considers that some features should be extracted from the contents of the packet when extracting the data, and the training and testing data sets regenerated; this is also the next step in this work.
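
The resampling step described in the abstract, as an added example that is not code from the thesis: SMOTE oversampling of the minority class followed by neighbourhood cleaning of majority samples that their neighbours contradict. The function names, k = 3, the oversample-then-clean order and the 2-D sample data are assumptions; the abstract does not give the thesis's parameters.

```python
import math
import random

def nearest(i, X, k, idxs):
    """Indices from idxs of the k points closest to X[i], excluding i itself."""
    return sorted((j for j in idxs if j != i),
                  key=lambda j: math.dist(X[i], X[j]))[:k]

def smote(X, y, minority, n_new, k=3, seed=0):
    """Add n_new synthetic minority points on segments between minority neighbours."""
    rng = random.Random(seed)
    mins = [i for i, c in enumerate(y) if c == minority]
    X, y = list(X), list(y)
    for _ in range(n_new):
        i = rng.choice(mins)
        j = rng.choice(nearest(i, X, k, mins))
        g = rng.random()
        X.append(tuple(a + g * (b - a) for a, b in zip(X[i], X[j])))
        y.append(minority)
    return X, y

def ncl_clean(X, y, minority, k=3):
    """Drop majority points that disagree with the vote of their k neighbours."""
    idxs, drop = range(len(X)), set()
    for i in idxs:
        nb = nearest(i, X, k, idxs)
        votes = [y[j] for j in nb]
        if max(set(votes), key=votes.count) == y[i]:
            continue                      # neighbourhood agrees with the label
        if y[i] != minority:
            drop.add(i)                   # noisy or borderline majority sample
        else:                             # minority sample crowded by majority
            drop.update(j for j in nb if y[j] != minority)
    keep = [i for i in idxs if i not in drop]
    return [X[i] for i in keep], [y[i] for i in keep]

def smote_ncl(X, y, minority, n_new):
    """Oversample first, then clean the enlarged set (assumed order)."""
    Xs, ys = smote(X, y, minority, n_new)
    return ncl_clean(Xs, ys, minority)

def sample():
    """Constructed 2-D data: a Normal cluster, a U2R cluster, one stray Normal."""
    normal = [(0, 0), (0, 1), (1, 0), (1, 1), (0.5, 0.5), (0.2, 0.8), (5.5, 5.5)]
    u2r = [(5, 5), (5, 6), (6, 5), (6, 6)]
    return normal + u2r, ["Normal"] * len(normal) + ["U2R"] * len(u2r)

if __name__ == "__main__":
    X, y = smote_ncl(*sample(), "U2R", 3)
    print({c: y.count(c) for c in set(y)})
```

On the constructed data, the stray Normal point sitting inside the U2R cluster is removed by the cleaning pass, while every original and synthetic U2R point is kept.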
Keywords/Search Tags:Resampling, Filter, Intrusion Detection, Cascaded Classifier, Feature Selection