| At present,it is very important to effectively detect malicious attackers from attacking the host,to ensure the security of the Linux system,to improve the defense capability of the intranet and the accuracy of anomaly detection.Existing host intrusion detection methods mainly detect whether a certain behavior is abnormal,and due to the variety of attack types and less behavior data,the effect of multi-classification methods for host attack behaviors is poor,and it is difficult to achieve precise management of host security.In order to improve the classification effect of small sample attack behaviors and the detection performance of specific host intrusion behaviors,this paper conducts research from three aspects: imbalanced data classification,fine-grained classification of abnormal behaviors,and multi-classification solutions,and proposes more effective detections.Method,and realize the intrusion detection system based on the machine learning algorithm for the host.This paper uses the classic dataset ADFA-LD to evaluate the performance of the proposed method.The specific content and innovation are as follows:(1)Based on the N-Gram feature extraction method and the TF-IDF feature weighting technology,this paper aims at the problem of low detection performance caused by the imbalance of host intrusion detection data in reality.The SMOTE algorithm is used to balance the training samples.The experiment shows that it is different from the existing Compared with the two classification methods,the detection performance of this paper based on RF,SVM and KNN models has a certain improvement.(2)The existing host intrusion detection methods generally only carry out two classifications.However,there are few researchers on specific types of intrusion behavior detection such as Adduser,Hydra_FTP,Hydra_SSH,Java_Meterpreter,Meterpreter,and Webshell,and the existing work has the problem of low detection performance.Hence,we propose a multi-category detection division method and combine with this method to build a multi-level attack behavior detection model.(3)Based on the multi-fold cross-validation method,the classification effects of direct multi-classification 、 first two-class classification and then direct multi-classificationand hierarchical multi-class classification are analyzed and compared.Experiments show that the average accuracy and stability of the proposed hierarchical multi-classification method in cross-validation are higher than the other two schemes,and it can detect Hydra_SSH,Webshell,Java_Meterpreter and Meterpreter attack types more effectively.(4)This thesis designs and implements a Web system for host intrusion detection,which effectively integrates the above three multi-class detection methods,and users can choose appropriate detection algorithms according to actual needs.At the same time,this paper analyzes the method of linkage between Java and Python and provides three ideas for deploying the machine learning model to the Java system. |