Building lightweight intrusion detection system using wrapper-based feature selection mechanisms

Intrusion Detection System (IDS) is an important and necessary component in ensuring network security and protecting network resources and network infrastructures. How to build a lightweight IDS is a hot topic in network security. Moreover, feature selection is a classic research topic in data mining and it has attracted much interest from researchers in many fields such as network security, pattern recognition and data mining. In this paper, we effectively introduced feature selection methods to intrusion detection domain. We propose a wrapper-based feature selection algorithm aiming at building lightweight intrusion detection system by using modified random mutation hill climbing (RMHC) as search strategy to specify a candidate subset for evaluation, as well as using modified linear Support Vector Machines (SVMs) iterative procedure as wrapper approach to obtain the optimum feature subset. We verify the effectiveness and the feasibility of our feature selection algorithm by several experiments on KDD Cup 1999 intrusion detection dataset. The experimental results strongly show that our approach is not only able to speed up the process of selecting important features but also to yield high detection rates. Furthermore, our experimental results indicate that intrusion detection system with feature selection algorithm has better performance than that without feature selection algorithm both in detection performance and computational cost.     

特征和分类器联合优化的网络入侵检测算法

为了提高网络入侵检测正确率,利用特征选择和检测分类器参数间的相互联系,提出一种特征和分类器联合优化的网络入侵检测算法。联合优化方法将网络状态特征和分类器参数作为遗传算法的个体,网络入侵检测正确率作为个体适应度函数,通过选择、交叉和变异等遗传操作获得最优特征和分类器参数,利用KDD 1999数据集对联合优化算法进行验证性测试。实验结果表明,相对于其他入侵检测算法,联合优化算法既解决了特征与分类器不匹配带来的入检测检测能力下降,又提高了网络入侵检测正确率和效率,为网络入侵检测提供了一种新的研究思路。     

基于遗传优化神经网络的网络入侵特征检测

为了提高网络入侵检测正确率,提出一种遗传优化神经网络的网络入侵特征选择和检测算法。该方法先将网络状态特征和RBF神经网络参数作为遗传算法的个体,把检测正确率作为适应度函数;然后利用遗传算法的选择、交叉和变异等操作对网络状态特征和RBF神经网络参数进行优化,最后利用KDD 1999数据集对算法性能进行测试。测试结果表明：遗传优化神经网络能够快速获得最优网络状态特征和分类器参数,同时提高了网络入侵检测正确率。     

基于加权特征筛选的入侵检测系统

网络攻击隐蔽性高,手段多样。传统检测系统特征提取不全,数据包易丢失,漏报、错报率高。为提高检测率,提出一种基于加权特征筛选的入侵检测算法。首先对网络数据包进行特征提取;然后采用支持向量机交叉验证对全部特征进行筛选,并计算各特征的权值;最后以加权保留特征构建入侵检测模型。仿真实例结果表明,该检测算法提高了入侵检测率,是一种有效的网络入侵检测方法。     

粒子群算法和K近邻相融合的网络入侵检测

为了提高网络入侵检测效果,提出一种粒子群优化算法（PSO）和K最近邻相融（KNN）的网络入侵检测模型（PSO-KNN）。首先特征子集和KNN参数作为一个粒子,然后通过粒子之间的信息交流和相互协作,找到最优特征子集和KNN参数,从而建立最优网络入侵检测模型,最后利用KDD 1999数据集对模型性能进行测试。结果表明,相对于其他入侵检测算法,PSO-KNN更有效地精简网络数据特征,提高分类算法的网络入侵检测速度及检测率。     

一种高效的面向轻量级入侵检测系统的特征选择算法

特征选择是网络安全、模式识别、数据挖掘等领域的重要问题之一.针对高维数据对象,特征选择一方面可以提高分类精度和效率,另一方面可以找出富含信息的特征子集.文中提出一种wrapper型的特征选择算法来构建轻量级入侵检测系统.该算法采用遗传算法和禁忌搜索相混合的搜索策略对特征子集空间进行随机搜索,然后利用提供的数据在无约束优化线性支持向量机上的平均分类正确率作为特征子集的评价标准来获取最优特征子集.文中按照DOS,PROBE,R2L,U2R 4个类别对KDD1999数据集进行分类,并且在每一类上进行了大量的实验.实验结果表明,对每一类攻击文中提出的特征选择算法不仅可以加快特征选择的速度,而且基于该算法构建的入侵检测系统在建模时间、检测时间、检测已知攻击、检测未知攻击上,与没有运用特征选择的入侵检测系统相比具有更好的性能.     

用于入侵检测的动态克隆选择算法的研究

针对目前动态克隆选择算法在入侵检测应用中存在较高的误检率的缺陷,提出了一种改进动态克隆选择算法。文章对改进算法进行了描述,建立了一种基于该改进动态克隆选择算法的入侵检测系统（IDS）模型,并进行了仿真实验。仿真实验表明,改进后的算法在降低误报率的情况下,提高了正确检测率。     

基于连接数据分析和OSELM分类器的网络入侵检测系统

针对网络入侵的实时高效检测问题,提出一种基于网络连接数据分析和在线贯序极限学习机(OSELM)分类器的网络入侵检测系统(IDS)。首先,对入侵数据库中的网络连接数据进行分析,通过特征选择算法选择出最优特征子集。然后,迭代执行交叉验证,并通过Alpha剖析来缩减样本尺寸,以此减低后续分类器的计算复杂度。最后,利用优化后的样本特征集来训练OSELM分类器,以此构建一个网络实时入侵检测系统。在NSL-KDD数据库上的实验结果表明,提出的IDS具有较高的检测率和较低的误报率,同时检测时间较短,符合实时入侵检测的要求。     

基于GQPSO算法的网络入侵特征选择方法

高维网络数据中的无关属性和冗余属性容易使分类算法的网络入侵检测速度变慢、检测率降低。为此,提出一种基于遗传量子粒子群优化(GQPSO)算法的网络入侵特征选择方法,该方法将遗传算法中的选择变异策略与QPSO有机结合形成GQPSO算法,并以网络数据属性之间的归一化互信息量作为该算法适应度函数,指导其对网络数据的属性约简,实现网络入侵特征子集的优化选择。在KDDCUP1999数据集上进行仿真实验,结果表明,与QPSO算法、PSO算法相比,该方法能更有效地精简网络数据特征,提高分类算法的网络入侵检测速度及检测率。     

Multivariate correlation coefficient and mutual information-based feature selection in intrusion detection

Feature selection is one of the major problems in an intrusion detection system (IDS) since there are additional and irrelevant features. This problem causes incorrect classification and low detection rate in those systems. In this article, four feature selection algorithms, named multivariate linear correlation coefficient (MLCFS), feature grouping based on multivariate mutual information (FGMMI), feature grouping based on linear correlation coefficient (FGLCC), and feature grouping based on pairwise MI, are proposed to solve this problem. These algorithms are implementable in any IDS. Both linear and nonlinear measures are used in the sense that the correlation coefficient and the multivariate correlation coefficient are linear, whereas the MI and the multivariate MI are nonlinear. Least Square Support Vector Machine (LS-SVM) as an intrusion classifier is used to evaluate the selected features. Experimental results on the KDDcup99 and Network Security Laboratory-Knowledge Discovery and Data Mining (NSL) datasets showed that the proposed feature selection methods have a higher detection and accuracy and lower false-positive rate compared with the pairwise linear correlation coefficient and the pairwise MI employed in several previous algorithms.     

Decision tree based light weight intrusion detection using a wrapper approach

The objective of this paper is to construct a lightweight Intrusion Detection System (IDS) aimed at detecting anomalies in networks. The crucial part of building lightweight IDS depends on preprocessing of network data, identifying important features and in the design of efficient learning algorithm that classify normal and anomalous patterns. Therefore in this work, the design of IDS is investigated from these three perspectives. The goals of this paper are (i) removing redundant instances that causes the learning algorithm to be unbiased (ii) identifying suitable subset of features by employing a wrapper based feature selection algorithm (iii) realizing proposed IDS with neurotree to achieve better detection accuracy. The lightweight IDS has been developed by using a wrapper based feature selection algorithm that maximizes the specificity and sensitivity of the IDS as well as by employing a neural ensemble decision tree iterative procedure to evolve optimal features. An extensive experimental evaluation of the proposed approach with a family of six decision tree classifiers namely Decision Stump, C4.5, Naive Baye’s Tree, Random Forest, Random Tree and Representative Tree model to perform the detection of anomalous network pattern has been introduced.     

入侵检测系统中模式匹配算法的研究与改进

入侵检测系统的性能很大程度上取决于规则检测的效率,模式匹配算法是规则检测引擎的核心算法。对模式匹配算法进行了研究,重点分析了多模式匹配算法Wu—Manber算法。针对Wu—Manber算法在单字节模式串下移动距离短的不足,并结合网络数据包和入侵检测系统中规则的特点,提出了一种适合入侵检测系统的改进的模式匹配算法。该算法利用位示图方法解决了单字节模式串匹配的问题,增加了移动距离,提高了检测数据包与规则匹配的速度,提升了系统运行的效率。     

An intelligent algorithm with feature selection and decision rules applied to anomaly intrusion detection

Intrusion detection system (IDS) is to monitor the attacks occurring in the computer or networks. Anomaly intrusion detection plays an important role in IDS to detect new attacks by detecting any deviation from the normal profile. In this paper, an intelligent algorithm with feature selection and decision rules applied to anomaly intrusion detection is proposed. The key idea is to take the advantage of support vector machine (SVM), decision tree (DT), and simulated annealing (SA). In the proposed algorithm, SVM and SA can find the best selected features to elevate the accuracy of anomaly intrusion detection. By analyzing the information from using KDD’99 dataset, DT and SA can obtain decision rules for new attacks and can improve accuracy of classification. In addition, the best parameter settings for the DT and SVM are automatically adjusted by SA. The proposed algorithm outperforms other existing approaches. Simulation results demonstrate that the proposed algorithm is successful in detecting anomaly intrusion detection.     

基于特征选取和样本选择的网络入侵检测

为了获得更加理想的网络入侵检测结果, 针对网络入侵特征选取和样本选择问题, 提出一种基于特征选取和样本选择的网络入侵检测模型. 首先提取网络入侵特征, 并进行归一化处理, 然后采用核主成分分析选择入侵特征, 并对样本进行选择, 最后采用极限学习机建立网络入侵检测分类器, 并采用KDD Cup99数据集进行仿真实验. 仿真结果表明, 本文模型得到了理想的网络入侵检测结果, 检测率超过95%以上, 入侵检测效率可以满足网络安全实际应用要求.     

适合于入侵检测的分步特征选择算法

针对入侵检测数据集维数高,导致检测算法处理速度慢,而其中包含许多对检测效果影响不大的特征的问题,提出了一种分步特征选择算法。它通过对相关特征和冗余特征的定义,以互信息为准则,首先删除不相关特征,然后删除冗余特征。该算法的时间复杂性低,且独立于检测算法,可以通过调整阈值平衡检测精度和特征的数量。以权威数据集KDD-99为实验数据集,对多种检测算法进行了实验。结果表明,该算法能有效地选择特征向量,保证检测精度,提高检测速度。     

IDS自适应特征选择算法——进化包装(Wrapper)算法分析

随着网络技术和网络规模的不断发展,网络安全已经成为人们无法回避的问题,因此为了保护现在越来越多的敏感信息,入侵检测技术也成为了一种非常重要的技术,得到了越来越多的重视。然而对其中一个重要部分―特征的自动选择的研究非常少。本文提出了一个EA用来执行特征的自动选择以及对RBF网络的自动优化。经过特征选择这个步骤可以显著的减少输入特征的数量,这样可以有效的减少过适应。此外,减少输入特征数目,还可以减少神经网络的执行时间。     

面向入侵检测的基于多目标遗传算法的特征选择

针对刻画网络行为的特征集中存在着不相关或冗余特征,从而导致入侵检测性能下降的问题,本文提出了一种基于多目标遗传算法的特征选择方法,将入侵检测中的特征选择问题视为多目标优化问题来处理。实验结果表明,该方法能够实现检测精度与检测算法复杂性的均衡优化,在显著提高检测算法效率的同时,检测精度也有所提高。     

基于特征选择的网络入侵检测模型

研究网络安全问题,网络入侵手段多样,特征多,存在大量不利的冗余特征,传统网络入侵检测不考虑特征冗余,检测效率和正确论低。为更一步提高了网络安全,提出一种特征选择的网络入侵检测模模型。采用粒子群算法对网络系统状态特征和支持向量机参数进行同步选择,找到最优网络入侵检测模型特征和模型参数,降低了模型的输入样本维数。仿真结果表明,改进算法可降低特征维数,消除了不利于提高检测结果的冗余特征,并提高了网络入侵检测正确率,适合于小样本、实时要求高的网络入侵检测。     

粒子群优化支持向量机的入侵检测算法

为了提高网络入侵的检测正确率,针对网络入侵检测中特征选择问题,将二值粒子群优化算法(BPSO)用于网络入侵特征选择,结合支持向量机(SVM)提出了一种基于BPSO-SVM的网络入侵检测算法。该算法将网络入侵检测转化为多分类问题,采用wrapper特征选择模型,以SVM为分类器,通过样本训练分类器,根据分类结果,利用BPSO算法在特征空间中进行全局搜索,选择最优特征集进行分类。实验结果表明,BPSO-SVM有效降低了特征维数,显著提高了网络入侵的检测正确率,还大大缩短了检测时间。