Research And Implementation Of Intrusion Detection Alarm Aggregation Method Based On Machine Learning

Posted on: 2022-04-01
Degree: Master
Type: Thesis
Country: China
Candidate: J X Sun
Full Text: PDF
GTID: 2518306332467474
Subject: Cyberspace security

Abstract/Summary:
With the rapid development of the information technology industry, network security plays an increasingly important role in daily life. Intrusion detection technology, an extension of traditional security defense technology, has gradually come into view. However, massive, high-dimensional data sets significantly reduce the detection efficiency and accuracy of intrusion detection systems, so machine learning methods are increasingly used by network security researchers for alarm reduction in intrusion detection systems.

This paper proposes an intrusion detection alarm aggregation method, based on related machine learning methods, from the two aspects of feature selection and alarm reduction. The aggregation process has three decisive steps: selecting the important intrusion detection features, determining the feature weights, and aggregating alarms based on attribute similarity. The main research contents and innovations of this paper are as follows.

First, a hybrid feature selection method based on mutual information and the TCM-KNN classification algorithm is proposed. An improved mutual information feature selection filters the original features; the resulting feature subset serves as the initial feature set for the subsequent embedded method. Finally, guided by the classification performance of the TCM-KNN algorithm, a search combining forward selection and backward deletion optimizes the feature subset to reduce redundancy among the selected features. Experimental results on an intrusion detection data set show that the feature subset obtained by the algorithm reaches an average detection rate of about 98% with the subsequent classification algorithm, and that detection time is reduced to some extent, which improves intrusion detection performance.

Second, to address the redundancy and repetition of alarm information in network security equipment, especially intrusion detection systems, an alarm aggregation method based on attribute similarity is proposed. A method combining conditional rough entropy and knowledge granularity determines the feature weights; it can assign different attribute weights to different attack types, and the similarity of two alerts is calculated from the resulting attribute weights. Then a proposed dynamic updating of the time interval threshold is used to aggregate alarms whose similarity exceeds the threshold, so as to reduce redundant, useless alarms. Experimental results show an average alarm aggregation rate of about 94.87%; the method effectively removes redundant alarms while limiting information loss, improves data processing efficiency, and provides accurate, concise data for the next stage of alarm analysis.

In this paper, the alarm data are reduced in both feature dimension and data volume. Experimental results on open data sets show that the proposed method improves the performance of intrusion detection systems to some extent and effectively eliminates redundant and repeated alarms. On this basis, the network security administrator can detect hidden intrusion behavior and its intent from massive, chaotic alarm data in real time and efficiently, and then take protective measures to ensure network security.
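The attribute-similarity aggregation step described above, as an added illustration that is not the thesis's own code: each alert is scored against a cluster representative by a weighted sum of matching attributes, merged into the cluster when the score passes a threshold and the alert falls inside the cluster's time window, and the window grows as the cluster fills. The weights, the threshold, the window-growth rule and the sample alerts are all assumptions, since the abstract gives no values.

```python
from dataclasses import dataclass

# Weights are assumed stand-ins for the thesis's rough-entropy / knowledge-granularity
# weighting, which the abstract does not specify; alerts are plain dicts (e.g. parsed JSON).
WEIGHTS = {"sig": 0.4, "src": 0.25, "dst": 0.2, "dport": 0.15}
SIM_THRESHOLD = 0.8
BASE_WINDOW, MAX_WINDOW = 60.0, 300.0  # seconds; the growth rule in aggregate() is assumed

@dataclass
class Cluster:
    rep: dict                   # representative (first) alert, kept so no attribute is lost
    count: int = 1
    last_ts: float = 0.0
    window: float = BASE_WINDOW

def similarity(a: dict, b: dict) -> float:
    """Weighted sum of exact attribute matches; 1.0 means every weighted attribute is equal."""
    return sum(w for k, w in WEIGHTS.items() if a[k] == b[k])

def aggregate(alerts, threshold=SIM_THRESHOLD):
    """Fold each alert into the first cluster whose window it falls in and whose
    representative is at least `threshold` similar; otherwise open a new cluster."""
    clusters = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        for c in clusters:
            if a["ts"] - c.last_ts <= c.window and similarity(a, c.rep) >= threshold:
                c.count += 1
                c.last_ts = a["ts"]
                c.window = min(c.window * 1.5, MAX_WINDOW)  # assumed rule: a busy cluster stays open longer
                break
        else:
            clusters.append(Cluster(rep=a, last_ts=a["ts"]))
    return clusters

def aggregation_rate(n_raw: int, clusters) -> float:
    """Share of raw alerts removed by aggregation (the metric the abstract reports as 94.87%)."""
    return 1.0 - len(clusters) / n_raw

# Constructed sample: a three-alert port scan, one brute-force alert on the same host pair,
# and a late repeat of the scan that falls outside the cluster's time window.
SAMPLE = [
    dict(ts=0,   sig="SCAN",  src="10.0.0.5", dst="10.0.0.9", dport=22),
    dict(ts=5,   sig="SCAN",  src="10.0.0.5", dst="10.0.0.9", dport=80),
    dict(ts=9,   sig="SCAN",  src="10.0.0.5", dst="10.0.0.9", dport=443),
    dict(ts=12,  sig="BRUTE", src="10.0.0.5", dst="10.0.0.9", dport=22),
    dict(ts=900, sig="SCAN",  src="10.0.0.5", dst="10.0.0.9", dport=22),
]
```

On this sample the three scan alerts collapse into one cluster, the brute-force alert and the late scan each stay separate, and the aggregation rate is 0.4.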
Keywords/Search Tags: intrusion detection, feature selection, alarm aggregation, mutual information, rough set theory