基于粗糙集属性约简的SVM异常入侵检测方法

文章提出了基于粗糙集属性约简的支持向量异常入侵检测方法。为验证该方法的有效性,对实验数据集KDD99分别用粗糙集属性约简的支持向量分类方法和传统的支持向量分类方法进行实验仿真,并把两者的实验结果进行对比。实验证明,基于粗糙集属性约简的支持向量异常入侵检测方法在检测精度相当的情况下,有效的降低了检测时间并减少了存储空间。     

基于改进的支持向量机的脱机中文签名验证

采用支持向量机算法来验证脱机中文签名。针对支持向量机算法的不足,将粗糙集和支持向量机相结合,利用粗糙集理论对数据属性进行约简,在某种程度上减少支持向量机求解的计算量。不但避免了特征提取中维数灾问题,还有效改善了训练时间。实验结果表明：粗糙集和支持向量机算法应用于离线签名识别,在相同条件下的识别效果优于支持向量机算法。     

基于相关向量机的网络入侵检测算法

针对支持向量机理论中存在的问题：训练样本数量多以及必须满足MerCer条件等,提出了一种基于相关向量机（RVM）的网络入侵检测方法。首先采用“删除特征”法对KDD99数据集中的41个特征进行评级,筛选出针对不同入侵类型的重要特征和非重要特征,然后只选择重要特征进行匹配。结果表明,这种方法与基于支持向量机（SVM）的入侵检测模型相比,具有更高的检测率和更低的误警率。     

基于QPSO的属性约简在NIDS中的应用研究

支持向量机作为一种优良的分类算法应用在网络入侵检测系统中,但是训练时间过长是它的主要缺陷.文中提出了基于量子粒子群优化的属性约简和支持向量机(SVM)的入侵检测方法,利用量子粒子群优化的属性约简算法对训练样本集进行属性约简,剔除了对入侵检测结果影响较小的冗余特征,从而使入侵检测系统在获取用户特征的时间减少,整个入侵检测系统的性能得到提高.实验结果表明,该方法是有效的.     

入侵检测中基于SVM的两级特征选择方法

针对入侵检测中的特征优化选择问题,提出基于支持向量机的两级特征选择方法。该方法将基于检测率与误报率比值的特征评测值作为特征筛选的评价指标,先采用过滤模式中的Fisher分和信息增益分别过滤噪声和无关特征,降低特征维数;再基于筛选出来的交叉特征子集,采用封装模式中的序列后向搜索算法,结合支持向量机选取最优特征子集。仿真测试结果表明,采用该方法筛选出来的特征子集具有更好的分类性能,并有效降低了系统的建模时间和测试时间。     

基于粒子群优化相关向量机的网络入侵检测

构建计算机网络的入侵检测系统,对于保护网络中的信息免受各种攻击显得非常重要.为了克服支持向量机的缺点,提出了一种基于粒子群优化相关向量机(RVM)网络入侵检测方法.相关向量机是一种建立在支持向量机上的稀疏概率模型.与支持向量机相比,它不仅具有较高检测精度,还具有较好的实时性,粒子群优化算法用于确定相关向量机的核参数.最后结合试验将提出的方法同支持向量机算法、BP神经网络进行了比较,结果表明提出的相关向量机相比于支持向量机、BP神经网络有着更高的入侵精度.     

基于粗糙集支持向量机的遥感影像分类算法研究

近年来,随着遥感技术的飞速发展,遥感影像的处理和分类已成为遥感应用研究中的一个热点,粗糙集（RS）理论和支持向量机（SVM）在信息处理和分类方面具有独特的优势,本文将粗糙集支持向量机应用于遥感影像分类,简要介绍了粗糙集理论的基本概念和支持向量机的基本原理,将粗糙集理论的属性约简作为前置系统,剔除冗余属性,把SVM分类器作为后置系统,对遥感影像进行训练和分类,实验结果表明该模型不仅提高了系统运行的速度,而且分类性能有了一定的提高,为遥感影像分类提供了一条有效途径。     

粗糙集和支持向量机在复杂电路系统诊断中的应用

为了解决复杂电路系统故障样本少、特征信息冗杂的问题,提出了一种基于粗糙集属性约简理论和支持向量机分类方法相结合的故障诊断方法.首先采用粗糙集约简故障模式库中的冗余特征属性和矛盾样本,然后提取最简故障特征模式作为支持向量机的学习样本,通过样本训练使构建的支持向量机多分类器能够快速实现故障诊断的目的.最后,通过仿真算例验证了该方法在小样本故障识别上的有效性和可行性.     

基于聚类支持向量机的入侵检测算法

针对支持向量机应用到入侵检测中训练时间长的特点,提出了一种基于聚类的支持向量机的入侵检测算法。该方法可以对训练数据进行剪枝,以靠近判别边界的聚类中心集合作为有效的训练样本集合对支持向量机进行训练,减少了样本的训练时间,提高了算法的效率。实验结果表明该方法对入侵检测是有效的。     

基于RSVM的异常入侵检测系统

首先介绍了支持向量机及Robust支持向量机的分类算法，提出了Robust支持向量机的入侵检测的模型；并利用研究入侵检测系统的MIT’s Lincoln实验室1998年收集DARPA BSM的数据集，对Robust支持向量机和普通的支持向量机的性能进行了比较。     

一种基于关联的IDS告警分析模型

针对现有入侵检测系统中存在告警量过大、误报率高的问题,运用过滤检测、相关性分析等方法,对原始告警信息进行二次处理.实验证明,该模型能有效缩减告警数量,降低误警率.同时,还能将告警结果按照危险级别进行分类统计,以图形化的方式报告给用户,从而达到预警的目的.     

新的入侵检测数据融合模型——IDSFP

以多传感器数据融合技术为基础,提出了新的入侵检测融合模型——IDSFP。其具有对多个IDS入侵检测系统的警报进行关联、聚合,产生对安全态势判断的度量,从而构成证据的特点。IDSFP应用D-S证据理论来形成对当前安全态势进行评估的信息,并动态地反馈、调整网络中各个IDS(intrusiondetectionsystem),加强对与攻击意图有关的数据的检测,进而提高IDS检测效率,降低系统的误报率和漏报率。     

Hybrid Fuzzy Adaptive Wiener Filtering with Optimization for Intrusion Detection

Intrusion detection plays a key role in detecting attacks over networks, and due to the increasing usage of Internet services, several security threats arise. Though an intrusion detection system (IDS) detects attacks efficiently, it also generates a large number of false alerts, which makes it difficult for a system administrator to identify attacks. This paper proposes automatic fuzzy rule generation combined with a Wiener filter to identify attacks. Further, to optimize the results, simplified swarm optimization is used. After training a large dataset, various fuzzy rules are generated automatically for testing, and a Wiener filter is used to filter out attacks that act as noisy data, which improves the accuracy of the detection. By combining automatic fuzzy rule generation with a Wiener filter, an IDS can handle intrusion detection more efficiently. Experimental results, which are based on collected live network data, are discussed and show that the proposed method provides a competitively high detection rate and a reduced false alarm rate in comparison with other existing machine learning techniques.     

基于混沌粒子群的IDS告警聚类算法

为了提高入侵检测系统(IDS)的告警质量,减少冗余报警,提出了一种基于混沌粒子群优化的IDS告警聚类算法。算法将混沌融入到粒子运动过程中,使粒子群在混沌与稳定之间交替运动,逐步向最优点靠近。该算法能够克服粒子群算法的早熟、局部最优等缺点,指导聚类中心寻找到全局最优解。通过理论分析与实验测试,验证了该算法在入侵检测系统中,能够大量减少告警数量,提高告警质量,具有较高的检测率和较低的误报率。     

Divided two-part adaptive intrusion detection system

The main objective of this paper is to design a more complete intrusion detection system solution. The paper presents an efficient approach for reducing the rate of alerts using divided two-part adaptive intrusion detection system (DTPAIDS). The proposed DTPAIDS has a high degree of autonomy in tracking suspicious activity and detecting positive intrusions. The proposed DTPAIDS is designed with the aim of reducing the rate of detected false positive intrusion through two achievements. The first achievement is done by implementing adaptive self-learning neural network in the proposed DTPAIDS to gives it the ability to be automatic adaptively system based on Radial Basis Functions (RBF) neural network. The second achievement is done through dividing the proposed intrusion detection system IDS into two parts. The first part is IDS₁, which is installed in the front of firewall and responsible for checking each entry user’s packet and deciding if the packet considered is an attack or not. The second is IDS₂, which is installed behind the firewall and responsible for detecting only the attacks which passed the firewall. This proposed approach for IDS exhibits a lower false alarm rate when detects novel attacks. The simulation tests are conducted using DARPA 1998 dataset. The experimental results show that the proposed DTPAIDS [1] reduce false positive rate, [2] detects intrusion occurrence sensitively and precisely, [3] accurately self–adapts diagnoser model, thus improving its detection accuracy.     

一种基于Choquet模糊积分的入侵检测警报关联方法

文章研究了警报关联方法,模糊积分和模糊认知图基本理论,提出了一种基于Choquet模糊积分的入侵检测警报关联方法,设计并实现了一个能够识别多步攻击的警报关联引擎.通过DRDOS和LLDOS实验表明,该引擎能够有效的检测网络中存在的大规模分布式多步攻击.     

An efficient approach to reduce alerts generated by multiple IDS products

Intrusion detection systems (IDSs) often trigger a huge number of unnecessary alerts. Managing the overwhelming number of alerts, especially from multiple IDS products, is a concern to every security analyst. Analyzing and evaluating these alerts is a difficult task that frustrates the effort of analysts. In fact, true alerts are usually buried under heaps of false alerts. We have identified several research gaps in the existing alert management approaches that need to be addressed, especially when handling alerts from different IDS products. In this work, we present an efficient alert management approach that reduces the unnecessary alerts produced by different IDS products using two main modules: an enhanced alert verification module that validates alerts with vulnerability assessment data; and an enhanced alert aggregator module that reduces redundant alerts and presents them in the form of meta alerts. Finally, we have carried out experiments in our test bed and recorded impressive results in terms of high accuracy and low false positive rate for multiple IDS products. Copyright © 2014 John Wiley & Sons, Ltd.     

有指导的入侵检测方法研究

基于一种用于混合属性数据的距离定义和改进的最近邻分类方法,提出了一种基于聚类的有指导的入侵检测方法。该方法首先利用一趟聚类算法对训练集进行聚类,再利用数据的标识和少数服从多数的原则将聚类标识为“正常”或“攻击”,以标识的聚类作为分类模型对数据进行分类。理论分析表明提出的检测方法关于数据集大小和属性个数具有近似线性时间复杂度。不同于一般的有指导的入侵检测方法,改进的最近邻方法从理论上保证了该方法对未知入侵有一定的检测能力。在KDDCUP99数据集上的测试结果表明,该方法有高的检测率和低的误报率。     

FuzMet: a fuzzy‐logic based alert prioritization engine for intrusion detection systems

Intrusion detection systems (IDSs) are designed to monitor a networked environment and generate alerts whenever abnormal activities are detected. The number of these alerts can be very large, making their evaluation by security analysts a difficult task. Management is complicated by the need to configure the different components of alert evaluation systems. In addition, IDS alert management techniques, such as clustering and correlation, suffer from involving unrelated alerts in their processes and consequently provide results that are inaccurate and difficult to manage. Thus the tuning of an IDS alert management system in order to provide optimal results remains a major challenge, which is further complicated by the large spectrum of potential attacks the system can be subject to. This paper considers the specification and configuration issues of FuzMet, a novel IDS alert management system which employs several metrics and a fuzzy‐logic based approach for scoring and prioritizing alerts. In addition, it features an alert rescoring technique that leads to a further reduction in the number of alerts. Comparative results between SNORT scores and FuzMet alert prioritization onto a real attack dataset are presented, along with a simulation‐based investigation of the optimal configuration of FuzMet. The results prove the enhanced intrusion detection accuracy brought by our system. Copyright © 2011 John Wiley & Sons, Ltd.     

考虑置信度的告警因果关联的研究

一个成功的网络攻击往往由若干个处于不同阶段的入侵行为组成,较早发生的入侵行为为下一阶段的攻击做好准备。在因果关联方法中,可以利用入侵行为所需的攻击前提和造成的攻击结果,重构攻击者的攻击场景。论文引入了告警关联置信度的属性描述,用于分析因果关联结果的可信度,进而能够进一步消除虚假关联关系。通过DARPA标准数据集分析,该方法取得了较好的实验结果。