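Network Intrusion Detection Based on Data Dimensionality Reduction and Support Vector Machines
Published: 2018-05-05 13:00
Topic of this article: nonlinear projection pursuit + support vector machine; Reference: Shandong University, 2015 master's thesis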
[Abstract]: Network security monitoring is the safeguard of computer security. Intrusion detection is a technique designed, in response to computer security problems, to discover and identify intrusion behavior promptly; it is used to detect whether a given behavior violates the network security policy. With an intrusion detection system we can detect a threat before harm occurs and raise an alarm in response, which restricts certain behaviors and reduces the losses caused by intrusion attacks. After an attack, information about the attack behavior is retained promptly as raw data for the monitoring model and added to the learning library, where it is used to detect later intrusions and strengthen the system's overall defenses. According to how the network detection data is analyzed, network intrusion detection can be divided into host-based intrusion detection systems and network-based intrusion detection systems.

To address the low generalization ability of existing intrusion detection systems and the long time they take to process big data, this thesis builds on the support vector machine (SVM) based network intrusion detection system and proposes methods that effectively solve these problems. On the basis of principal component analysis (PCA) it proposes a similar-attribute principal component analysis method, and on the basis of projection pursuit it proposes a nonlinear projection pursuit method. Combining each of these two methods with the SVM gives two intrusion detection systems: a network intrusion detection system based on similar-attribute PCA and SVM, and a network intrusion detection system based on nonlinear projection pursuit and SVM.

Because most real-world data contains noise, the detection accuracy of intrusion detection systems is affected to some degree. Starting from compressed sensing theory, the thesis introduces low-rank matrix reconstruction, a technique generally used to solve the low-rank matrix recovery problem. The method starts from traditional PCA, uses advanced algebra to transform the problem into a constrained optimization problem, and solves that problem with the accelerated proximal gradient algorithm. The thesis applies matrix reconstruction to intrusion detection and proposes a network intrusion detection system based on low-rank matrix reconstruction for dimensionality reduction and SVM.

For network intrusion detection, the quality of a model's design and construction must ultimately be confirmed by how it performs on real data. The core of building an intrusion detection system is deciding accurately whether a given behavior is an intrusion or normal behavior. Network connection data is an important data source for intrusion detection, so the key to the problem lies in data processing: user behavior is judged by analyzing the data. The thesis uses the well-known KDD99 dataset for its simulation experiments. The dataset contains a large number of normal behaviors and abnormal attack behaviors, and it was taken from a local area network simulated for the US Air Force, so it is sufficient to describe a real network environment.

Empirical analysis is an important means of testing a system's practicality. Building on existing intrusion detection systems, the thesis proposes the network intrusion detection system based on similar-attribute PCA and SVM and the network intrusion detection system based on nonlinear projection pursuit and SVM. It also applies low-rank matrix reconstruction to intrusion detection and proposes a network intrusion detection technique based on matrix reconstruction and SVM. An empirical analysis on the KDD99 dataset shows that the newly proposed intrusion detection systems have stronger generalization ability and higher detection accuracy, and that the detection time of the whole process is greatly improved.
[Degree-granting institution]: Shandong University
[Degree level]: Master's
[Year degree granted]: 2015
[Classification number]: TP393.08
Article ID: 1847779
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1847779.html