| Intrusion detection, as the second line of protection behind the firewall, is based on bypass monitoring: it collects and analyzes data and information in the network without affecting the normal operation of the current network environment, detects any unusual behavior or attack that violates the security policy, and responds in a timely manner, and can thus effectively guarantee information security. In fact, because the distribution of the various attack types in network intrusion detection data is extremely uneven, the proportion of minority-class samples (U2R, R2L) and majority-class samples may vary greatly. As a result, the traditional single classification model is not ideal for detecting minority-class samples. To solve this problem, researchers have tried ensemble learning, which combines multiple single classification models according to some combination strategy. Combining these hypothesis functions extends the function space that can finally be represented, so that the ensemble result forms a more accurate approximation of the true unknown hypothesis. To achieve a better ensemble effect, most of the existing literature preprocesses the data set uniformly and then selects the base classification models for integration, without considering each model separately. However, because the final classification result of ensemble learning depends to a large extent on the performance of the base classification models, the preprocessing method with which each model reaches its performance peak may be different. Therefore, this paper tries to optimize each classification model independently and selects the classification models with better performance to join the ensemble framework. Simulation results show that a more ideal ensemble effect can be achieved after independent optimization. Unknown attacks are attack types that do not exist in the training set and have not been detected and recognized; a single classification model easily misjudges them as existing attack types. In the existing literature, anomaly detection is often used to detect unknown attack types, while traditional label-based misuse detection is often used to detect known attack types. In reality, however, the two problems often need to be combined: it is necessary not only to identify known attack types but also to accurately locate unknown ones. Because anomaly detection based on unsupervised methods cannot return an exact output label, this paper approaches the problem from the perspective of supervised learning: through ensemble learning, it treats the multi-class classification as binary classification and studies the problem in simulation, seeking to build an ensemble model that, on the basis of identifying existing attack types, is also able to detect unknown attacks. |