基于模糊粗糙集属性约简与GMM-LDA最优聚类簇特征学习的自适应网络入侵检测

网络入侵方式已日趋多样化,其隐蔽性强且变异性快,开发灵活度高、适应性强的实时网络安全监测系统面临严峻挑战.对此,提出一种基于模糊粗糙集属性约简(FRS-AR)和GMM-LDA最优聚类簇特征学习(GMM-LDA-OCFL)的自适应网络入侵检测(ANID)方法.首先,引入一种基于模糊粗糙集(FRS)信息增益率的属性约简(AR)方法以实现网络连接数据最优属性集选择;然后,提出一种基于GMM-LDA的最优聚类簇特征学习方法,以获得正常模式特征库和入侵模式库的最优特征表示,同时引入模式库自适应更新机制,使入侵检测模型能够适应网络环境动态变化.KDD99数据集和基于Nidsbench的网络虚拟仿真实验平台的入侵检测结果表明,所提出的ANID方法能有效适应网络环境动态变化,可实时检测出真实网络连接数据中的各种入侵行为,其性能优于当前常用的入侵检测方法,应用前景广阔.

Adaptive network intrusion detection based on fuzzy rough set-based attribute reduction and GMM-LDA-based optimal cluster feature learning

With the increasing diversity and rapid variability of network intrusion, the development of real-time network security monitoring systems with high flexibility and strong adaptability still faces severe challenges. Therefore adaptive network intrusion detection(ANID) method based on fuzzy rough set attribute reduction(FRS-AR) and Gaussian mixture model linear discriminant aualysis(GMM-LDA) optimal cluster feature learning(GMM-LDA-OCFL) is proposed. Based on the fuzzy rough set theory, the optimal attribute set of network connection data is selected automatically by information gain rate measurement. Then, an optimal cluster feature learning method based on GMM-LDA is proposed to obtain the optimal feature representation of the normal mode feature library and the intrusion mode feature library. At the same time, the adaptive on-line update mechanism of the normal(abnormal) pattern feature library is introduced, so that the detection model can adapt itself to dynamic network changes. The test results of KDD99 and network simulation experiment platform based on Nidsbench show that the proposed method can effectively adapt to the dynamic changes of the network environment and various intrusion behaviors in the real network connection data can be detected in real time. And the performance of the proposed method is better than that of the existing commonly-used intrusion detection methods, which has potentially wide application prospects.