基于支持向量机的入侵检测系统

Vol.14,No.4©2003JournalofSoftware1000-9825/2003/14(04)0798*+,,(,710071)AnIntrusionDetectionSystemBasedonSupportVectorMachineRAOXian+,DONGChun-Xi,YANGShao-Quan(InstituteofElectronicCounterMeasures,DepartmentofElectronicsEngineering,XidianUniversity,Xi’an710071,China)+Correspondingauthor:Phn:86-29-8202274,E-mail:xianrao@yahoo.com.cn(4):798~803.Abstract:ThegeneralizingabilityofcurrentIDS(intrusiondetectionsystem)ispoorwhengivenlessprioriknowledge.UtilizingSVM(supportvectormachines)inIntrusionDetection,thegeneralizingabilityofIDSisstillgoodwhenthesamplesizeissmall(lessprioriknowledge).First,theresearchprogressofintrusiondetectionisrecalledandalgorithmofsupportvectormachinetaxonomyisintroduced.ThenthemodelofanIntrusionDetectionSystembasedonsupportvectormachineispresented.Anexampleusingsystemcalltracedata,whichisusuallyusedinintrusiondetection,isgiventoillustratetheperformanceofthismodel.Finally,comparisonofdetectionabilitybetweentheabovedetectionmethodandothersisgiven.ItisfoundthattheIDSbasedonSVMneedslessprioriknowledgethanothermethodsandcanshortenthetrainingtimeunderthesamedetectionperformancecondition.Keywords:intrusiondetection;networksecurity;supportvectormachine;statisticallearning;patternrecognition:.,().,,(systemcalltrace),,.,,,.:;;;;:TP181:A*SupportedbytheMilitaryCommunicationPre-ResearchProjectofthe‘TenthFive-Year-Plan’ofChinaunderGrantNo.4100104030(“”):(1976),,,,,,.:799,.,.(intrusiondetection),,.,:,.,Forrest[1]“”(“”)“”(“”),.Ghosh[2].W.Lee[3].,.,,,?(supportvectormachines).Vapnik[4],,.,,..,,,(intrusiondetectionsystem).,.,,,,.1,,.,.1.1xk,l}1{),(),...,,(11±×∈kllRyxyx.:0=+⋅bxw(1),⋅..,(1)wb.,ix,bxwi+⋅1,()wwbxwi1=+⋅.:()[].,...,1,1libxwyii=≥+⋅(2)wbw2.,,:,,...,1,0lii=≥x(3)(2)(3),2112∑=⋅+liiCwx(4)C.1,;2.lagrange,(4),()[],,...,1,,0,0s.t.),(21max11liCyxxyyaWiliiijijjiili=∈=⋅-=∑∑∑==aaaaa(5)800JournalofSoftware2003,14(4)   .1∑==liiiixywa(6),.,ia0,,.Kuhn-Tucker,,0,b:.1)(=+⋅bxwyii(7),x)sgn()(bxwxf+⋅=(8).(6),:.)(sgn)(1⎟⎟⎠⎞⎜⎜⎝⎛+⋅=∑=bxxyxfliiiia(9)1.2,)(jixx⋅.,HRk→:Y.K,())()(),(jijixxxxKYY⋅=(10),Y.,(5)[].,...,1,,0,0s.t.),(21)(max11liCyxxKyyaWiliiijijjiili=∈=⋅-=∑∑∑==aaaaa(11)().),(sgn)(∑+=bxxKyxfiiia(12)23,1..,,,.,.,,,,..DecisionmakingsystemAudittrailpretreatmentSVMsclassifierSystemaudittrailTheintrusiondetectionsystembasedonSVMFig.1TheintrusiondetectionsystembasedonSVM1:801:.,(11),(6)(7).,,,(12),.3,.Forrest:,((trace)).,,.,.,,,..,.,MIT(MassachusettsInstituteofTechnology)(AILab.)lpr,.3.1,1,2(mappingfile),‘5’‘open’..,.k.,k?.1,,,,.W.Lee[5],6~7.6.3.2,,.k,.,.k,.,.l,}1{),(),...,,(11±×∈kllRyxyx,iy+1;iy-1,6=k.1.Table1Exampleofthetrainingsamplesofnormalandabnormalshortsequences1Shortsequences(withlength6)(xi∈R6)Classifylabel(yi)5367675139“normal”(+1)36767513967“normal”(+1)…...19469106“abnormal”(-1)4691066“abnormal”(-1)……3.3,802JournalofSoftware2003,14(4)   ,,,...,,,;,..1,,,.,;.,.3.4,:.,(11).,.,k=6,.,(12)Y.1,.2.Table2Distributionofthedatausedintrainingandthetestinthesimulation2TrainingdatasetTestingdatasetProcessNumberofnormaltracesNumberofabnormaltracesNumberofnormaltracesNumberofabnormaltracesMITlpr2010270410013ChristinaWarrender[6].ChristinaWarrender4.Stide(sequencetime-delayembedding)k.,,.t-stide(stidewithfrequencythreshold)stide,.RIPPER(repeatedincrementalpruningtoproduceerrorreduction)WilliamCohen..HMM(hiddenMarkovmodel)(HMM).,,,.100%.3,HMM,.,SVMHMM.Table3Comparisonoftheperformancesofseveralintrusiondetectionmethods3Stidet-StideRIPPERHMMSVMTimeusedintraining10min10min1min5days7minThelowestfalsealarm0.00.00750.00160.00030.0003,:,,;,,,.4,.,,(),.,,.:803,,.References:[1]ForrestS,PerrelasonAS,AllenL,CherukurR.Self_Nonselfdiscriminationinacomputer.In:RushbyJ,MeadowsC,eds.Proceedingsofthe1994IEEESymposiumonResearchinSecurityandPrivacy.Oakland,CA:IEEEComputerSocietyPress,1994.202~212.[2]GhoshAK,MichaelC,SchatzM.Areal-timeintrusiondetectionsystembasedonlearningprogrambehavior.In:DebarH,WuSF,eds.RecentAdvancesinIntrusionDetection(RAID2000).Toulouse:Spinger-Verlag,2000.93~109.[3]LeeW,StolfoSJ.Adataminingframeworkforbuildingintrusiondetectionmodel.In:GongL,ReiterMK,eds.Proceedingsofthe1999IEEESymposiumonSecurityandPrivacy.Oakland,CA:IEEEComputerSocietyPress,1999.120~132.[4]VapnikVN.TheNatureofStatisticalLearningTheory.NewYork:Spring-Verlag,1995.[5]LeeW,DongX.Information-Theoreticmeasuresforanomalydetection.In:NeedhamR,AbadiM,eds.Proceedingsofthe2001IEEESymposiumonSecurityandPrivacy.Oakland,CA:IEEEComputerSocietyPress,2001.130~143.[6]WarrenderC,ForresrS,PearlmutterB.Detectingintrusionsusingsystemcalls:Alternativedatamodels.In:GongL,ReiterMK,eds.Proceedingsofthe1999IEEESymposiumonSecurityandPrivacy.Oakland,CA:IEEEComputerSocietyPress,1999.133~145.ÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎÎ20(NDBC2003)()()2020031010~12()A.WebL.-B.M.C.N.D.O.E.OLAPP.XMLF.Q.G.R./H.S./I.T.J.U.K.V./200351020037202003810