Intrusion Detection Technology Research Based On Positive-unlabeled Learning

Posted on: 2021-01-15
Degree: Master
Type: Thesis
Country: China
Candidate: S C Lv
GTID: 2428330611997883
Subject: Computer Science and Technology
Abstract/Summary:
An intrusion detection system is an important means of maintaining network security. By analyzing traffic logs, it can detect and block network intrusions in time. In intrusion detection, background traffic includes all non-intrusive traffic. It is characterized by a large volume of data and many types of traffic, so it is hard to construct a representative background traffic data set. In this paper, intrusion traffic flows are treated as positive data, and intrusion detection methods are studied based on positive-unlabeled learning. This avoids constructing background traffic data sets and gives the intrusion detection system better generalization performance. In the process of building an intrusion detection system based on positive-unlabeled learning, research is mainly carried out in the following three aspects:

1) A feature-weighted OCSVM model is studied for background traffic filtering. It targets the large volume of background traffic data in intrusion detection. First, the principle of OCSVM feature weighting is analyzed. Then, the key feature recognition method in positive-unlabeled learning is studied, and it is pointed out that key features can be identified through the difference between the distributions of positive data and negative data. Finally, a feature importance calculation method for positive-unlabeled learning is proposed, and the feature importance is used as the feature weight to weight the OCSVM model.

2) Research on class prior estimation. The class prior is defined as the proportion of positive samples in the unlabeled data set. It is a necessary condition for positive-unlabeled learning based on neural networks. In this paper, the principle of class prior estimation is analyzed, and the partial matching KL-KDE algorithm and the OCSVM-c E algorithm are proposed. Finally, the estimation accuracy and operating efficiency of the two algorithms are analyzed by experiment.

3) For the problem of data imbalance in intrusion detection, a solution for the nnPU model under data imbalance is studied. Data imbalance causes the risk estimator of the nnPU model to be dominated by the error on unlabeled data, which weakens the model's ability to identify positive samples. In this paper, the dynamic weight of focal loss is used to balance the small class prior, and an FL-nnPU model is proposed. The FL-nnPU model is compared with the binary classification model, and its performance is discussed.

Finally, an intrusion detection system based on positive-unlabeled learning is designed and implemented on the basis of the above research. The system is tested with real traffic flows. The intrusion traffic is collected by simulating network intrusions and capturing the packets. The background traffic is obtained through switch port mirroring. Test results show that the system can effectively filter background traffic and estimate the class prior, and can then complete intrusion detection by training an FL-nnPU model. The detection precision reaches 90% and the recall reaches 95%.
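
The data-imbalance effect described in the abstract, as an added example that is not code from the thesis: it evaluates the standard nnPU risk estimator, prior * R_p^+ + max(0, R_u^- - prior * R_p^-), on constructed classifier scores, once with log loss and once with focal loss plugged in as the surrogate loss. Using focal loss in this way, the class prior of 0.01 and every score value are assumptions; the page does not give the thesis's FL-nnPU formulation.

```python
import math

def log_loss(z, y):
    """Sigmoid cross-entropy for score z and label y in {+1, -1}."""
    return math.log1p(math.exp(-y * z))

def focal_loss(z, y, gamma=2.0):
    """Log loss scaled by the focal weight (1 - p_t)^gamma."""
    p_t = 1.0 / (1.0 + math.exp(-y * z))  # probability assigned to label y
    return (1.0 - p_t) ** gamma * log_loss(z, y)

def mean_loss(scores, y, loss):
    return sum(loss(z, y) for z in scores) / len(scores)

def nnpu_terms(pos_scores, unl_scores, prior, loss):
    """Positive term and clipped negative term of the nnPU risk."""
    pos_term = prior * mean_loss(pos_scores, +1, loss)
    neg_term = (mean_loss(unl_scores, -1, loss)
                - prior * mean_loss(pos_scores, -1, loss))
    return pos_term, max(0.0, neg_term)

def positive_share(pos_scores, unl_scores, prior, loss):
    """Fraction of the total risk contributed by labeled intrusion flows."""
    pos_term, neg_term = nnpu_terms(pos_scores, unl_scores, prior, loss)
    return pos_term / (pos_term + neg_term)

# Constructed inputs (assumptions): class prior and classifier scores (logits).
PRIOR = 0.01
UNTRAINED_POS, UNTRAINED_UNL = [0.0] * 10, [0.0] * 1000  # uninformative model
ALL_BG_POS, ALL_BG_UNL = [-3.0] * 10, [-3.0] * 1000      # calls every flow background

if __name__ == "__main__":
    for name, loss in (("log loss", log_loss), ("focal loss", focal_loss)):
        pos, neg = nnpu_terms(ALL_BG_POS, ALL_BG_UNL, PRIOR, loss)
        print(f"{name}: all-background model risk = {pos + neg:.4f}, "
              f"positive share = {pos / (pos + neg):.3f}")
    # With an uninformative model the positive share equals the prior itself.
    print(positive_share(UNTRAINED_POS, UNTRAINED_UNL, PRIOR, log_loss))
```

For the model that labels every flow as background, the missed intrusions account for about 39% of the risk under log loss and over 99% under the focal weight, because the factor (1 - p_t)^gamma suppresses the many confidently scored unlabeled flows.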
Keywords/Search Tags:intrusion detection, positive-unlabeled learning, class prior estimation, feature weighting