
Research on Key Techniques of Network Intrusion Detection (网络入侵检测关键技术研究)

【Author】 刘积芬

【Supervisor】 陈镜超

【Author information】 Donghua University (东华大学), Pattern Recognition and Intelligent Systems, 2013, PhD

【Abstract】 While high-speed networks bring convenience, their own fragility gives hackers and malicious attackers opportunities to intrude. As intrusion techniques grow more complex and diverse, higher performance is demanded of intrusion detection, and online, adaptive, multiclass and ensemble detection techniques have become a research focus. This dissertation aims to improve the performance of multiclass intrusion detection systems. It studies multiclass detection methods for four kinds of attack, namely easily classified attacks, easily confused attacks, attack classes with imbalanced sample counts, and new attacks of unknown class, and proposes an online adaptive multiclass intrusion detection ensemble model. The main contributions are as follows.

1) To achieve high-performance multiclass intrusion detection, hierarchical clustering based on principal direction divisive partitioning (PDDP) is applied to intrusion detection. The principal direction is found using matrix singular value decomposition; the sample records are split along this direction into two sub-clusters, and each sub-cluster that needs further division is split in the same way until no sub-cluster needs splitting, giving an intrusion detection model based on PDDP hierarchical clustering. Because only the largest singular value and its singular vectors are needed to find the principal direction, rather than a full singular value decomposition, the method is fast both in modelling and in detection. It is not affected by initial values, is insensitive to the order of the input data, and needs no similarity measure during clustering, which removes the influence of the similarity measure on the detector's performance.

2) To address the low detection rate for easily confused attacks, an intrusion detection model based on projection pursuit direction divisive partitioning clustering is proposed. An optimisation algorithm automatically finds the optimal projection direction of the training set, one that separates the easily confused connection records from the other classes as far as possible. The resulting basic detection model raises the detection rate for easily confused attacks, and a parallel detection model built on it raises the detection rate further.

3) To address the low recognition rate for small classes caused by the imbalance between the numbers of records of different classes in high-dimensional training sets, a feature extraction method based on weighted non-negative matrix factorization (NMF) is proposed, and an intrusion detection model is built by combining it with a rival penalized competitive learning (RPCL) neural network. The weighted NMF feature extraction strengthens the features of the small-sample classes and makes the boundaries between classes clearer, so the detection rate for small-sample classes is effectively improved.

4) To meet the need to recognise new attacks of unknown class, adaptive resonance theory is applied to intrusion detection, and an online adaptive intrusion detection model based on the ART2 neural network is built. The model has a two-level composite structure and can learn while detecting in real time in a dynamically changing environment; it learns quickly and does not need to learn the same input pattern repeatedly. The first-level detector recognises normal connections and attacks of known classes, while the second-level detector learns new intrusion patterns and detects new attacks of unknown class.

5) To further improve the overall detection rate and efficiency of the intrusion detection system, various classifier ensemble structures are studied, and an intrusion detection ensemble model with a three-level hybrid structure is built that combines the strengths of the individual detectors. The first-level detector, based on PDDP clustering, detects easily classified attacks; the second-level detector, based on weighted NMF feature extraction and projection pursuit direction divisive partitioning clustering, detects easily confused and imbalanced attack classes; and the third-level detector, based on the ART2 neural network, detects new attacks of unknown class. This ensemble model makes full use of the advantages of each single detector: it detects easily classified attacks quickly, raises the detection rate for easily confused and small-sample attack classes, and can detect new attacks of unknown class and adaptively learn their profiles, giving better overall performance.
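As an added illustration of contribution 1 (this is not code from the dissertation or its author), the following pure-Python sketch performs principal direction divisive partitioning: the leading singular vector of the mean-centred record matrix is obtained by power iteration rather than a full SVD, records are split by the sign of their projection on it, and clusters are labelled by majority class to classify new connection records. The stop rule (`min_spread`), the feature names and the ten sample records are constructed assumptions.

```python
# Added example, not the dissertation's code: PDDP clustering (contribution 1) in
# pure Python; power iteration finds only the leading singular vector, not a full SVD.
import math

def principal_direction(rows, iters=100):
    # Leading right singular vector of the mean-centred record matrix A.
    d = len(rows[0])
    mean = [sum(r[j] for r in rows) / len(rows) for j in range(d)]
    centred = [[r[j] - mean[j] for j in range(d)] for r in rows]
    v = [1.0] * d  # fixed start, so the result never depends on random initial values
    for _ in range(iters):
        proj = [sum(c[j] * v[j] for j in range(d)) for c in centred]          # A v
        w = [sum(p * c[j] for p, c in zip(proj, centred)) for j in range(d)]  # A^T A v
        norm = math.sqrt(sum(x * x for x in w))
        if norm == 0.0:
            break  # all records identical: nothing to split along
        v = [x / norm for x in w]
    return mean, v

def pddp(rows, ids=None, min_spread=0.5):
    # Split by the sign of each record's projection on the principal direction and
    # recurse; the stop rule (spread along that direction < min_spread) is assumed here.
    if ids is None:
        ids = list(range(len(rows)))
    mean, v = principal_direction([rows[i] for i in ids])
    score = {i: sum((rows[i][j] - mean[j]) * v[j] for j in range(len(v))) for i in ids}
    if max(score.values()) - min(score.values()) < min_spread:
        return [ids]
    left = [i for i in ids if score[i] < 0.0]
    right = [i for i in ids if score[i] >= 0.0]
    return pddp(rows, left, min_spread) + pddp(rows, right, min_spread)

def build_detector(rows, labels, min_spread=0.5):
    # Label every cluster with the majority class of its training records.
    model = []
    for ids in pddp(rows, min_spread=min_spread):
        centroid = [sum(rows[i][j] for i in ids) / len(ids) for j in range(len(rows[0]))]
        seen = [labels[i] for i in ids]
        model.append((centroid, max(set(seen), key=seen.count)))
    return model

def detect(model, record):
    # A new connection record takes the label of the nearest cluster centroid.
    return min(model, key=lambda cm: sum((a - b) ** 2 for a, b in zip(cm[0], record)))[1]

# Constructed, pre-normalised connection records: [duration, srv_count, bytes]
RECORDS = [[0.1, 0.1, 0.1], [0.2, 0.1, 0.0], [0.1, 0.2, 0.1], [0.0, 0.1, 0.2],  # normal
           [0.9, 0.1, 0.9], [1.0, 0.0, 1.0], [0.9, 0.2, 0.8],                   # dos
           [0.1, 0.9, 0.5], [0.0, 1.0, 0.6], [0.2, 0.9, 0.5]]                   # probe
LABELS = ["normal"] * 4 + ["dos"] * 3 + ["probe"] * 3
```

On the sample records the first split separates the dos records from the rest, and the second split separates normal from probe, after which no cluster has enough spread to divide further.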

  • 【Online publisher】 Donghua University (东华大学)
  • 【Online publication issue】 2014, No. 05