
Research of ANN Integrated Learning Methods in Intrusion Detection
(original Chinese title: 入侵检测中神经网络融合学习方法的研究)

Author: 吴静

Supervisor: 刘衍珩

Author information: 吉林大学 (Jilin University), Computer System Architecture, 2010, PhD

Abstract (Chinese original): Based on neural network theory, this thesis discusses learning methods for large-scale network intrusion detection, focusing on network traffic monitoring, network data learning and distributed data fusion. A dynamic prediction method is implemented with ARIMA stationary time-series modelling: it predicts the traffic characteristics of the coming period, monitors network traffic dynamically against those characteristics, and raises an over-expectation warning for abnormal traffic. To some extent this avoids the difficulty of setting a single threshold for traffic warnings and reduces the system's false alarm rate. Since the classical SVM is unsuited to learning from large-scale intrusion detection data, an incremental SVM learning algorithm for multi-class problems is proposed on the basis of a feature analysis of the intrusion training samples. The algorithm exploits the convex quadratic property of SVM training samples, maps the multidimensional samples into a high-dimensional space where they become separable, and then, using the clustering property of the samples, keeps a "shell" of outer data of a certain thickness as the retained support vectors, which improves the detection rate. Modular neural network algorithms learn with high accuracy but relatively low efficiency; to address this, SOM is used as the basic learning method, its neuron competition property is exploited, and fuzzy clustering (FCM) is introduced to fuse and classify the SOM output weights. No special task decomposition is needed: each module learns its assigned task by self-organising map learning, and the fusion step uses a similar unsupervised method to cluster similar solutions. This keeps the high accuracy of SOM while greatly reducing learning time. For the over-fitting of neural network learning, a pruning algorithm based on the Kalman filter is proposed. It establishes a correspondence between neurons and the network output, uses the predictive property of the Kalman filter to predict each neuron and its weights, ranks them by importance, and prunes the network nodes accordingly. All these algorithms are tested on the KDD CUP 99 intrusion detection data set; the results confirm their high detection rate and good efficiency and show that they are suitable for intrusion detection in large-scale networks. Finally, an evaluation method that takes network-internal and network-external indicators as input is proposed: the output of the proposed intrusion detection algorithms serves as a network performance evaluation parameter, and together with other variables a network performance evaluation formula is given.

Abstract: Faced with large-scale network intrusion detection and an increasing variety of intrusion means, a single-machine intrusion detection system cannot meet the detection requirements for computing speed and rule storage. Modular neural networks, which decompose the task for learning, offer an efficient solution to this problem. Their application is limited, however, by the segmentation method: different ways of splitting the data produce different learning results. The diversity of attack and normal data flows means that intrusion detection must split the data randomly, or under simple rules, to conduct distributed learning, and the learning result must not suffer from this. This research analyses the characteristics of network data and the related intelligent learning algorithms and, based on work on network traffic monitoring, network data learning and data integration, proposes a new learning method that greatly reduces the dependence on how the samples are segmented while completing task decomposition and integration learning. To support integration learning we also studied the structural optimisation of neural networks, improving generalisation by pruning useless neurons and further improving the learning effect. Based on the monitoring and detection aspects of network security, we proposed a network performance scoring model that supervises the effect of the learning algorithm quantitatively and reflects the anti-intrusion and survivability of the network. The detailed content is as follows:

(1) A dynamic network traffic monitoring system based on an ARIMA model. Network traffic is bursty and periodic, yet many modelling methods treat it as a stable flow. We first smoothed the traffic and extracted the noise information, then built an ARIMA model and, on top of it, a dynamic monitoring system that predicts the traffic properties of the coming hours. Traffic is monitored against the predicted characteristics, and unusual traffic raises an alert. To some extent this avoids the high false alarm rate caused by a single threshold setting.

(2) An incremental learning method for multi-class SVM. Advances in high-dimensional learning with SVM can solve the incremental learning problem for large-scale network intrusion detection data. After transformation by the kernel function, the SVM learning samples are convex quadratic. Pattern recognition commonly uses the samples closest to the other class, which guarantees a full partition between the classes and yields the optimal hyperplane that maximises the distance between the two sample types. Our method uses the separability of the samples after the kernel transformation and retains the edge data of each cluster as SVs, which to some extent is equivalent to keeping a shell of the cluster with a certain thickness. These shells retain enough SV data for the hyperplane calculation within each model, and significantly reduce the growth in data storage that occurs when the traditional KKT rule is used for incremental learning. The shell data are chosen by Euclidean distance, which has a lower computational cost and is easier to implement. Results showed that this method retains enough effective SVs, improves the speed and accuracy of SVM incremental learning, reduces data storage space, and is better suited to multi-class SVM incremental learning.

(3) An integration learning method based on FCM clustering. Large-scale network intrusion detection essentially requires a comprehensive detection system that integrates the learning results of each module. Although SVM achieves a good learning effect, it still depends on how the samples are split. SOM neural network learning benefits from competition: each winning neuron represents a sample pattern. Its self-organising clustering property further weakens the sample dependence of module learning. Once Hebbian learning is introduced, the output differences between winning neurons widen. We therefore use the winning neurons' properties for further fuzzy clustering by FCM during integration; each module is integrated in this way, giving a modular neural network learning algorithm that uses SOM as the basic learning method and FCM as the integration method. From the primary learning of the samples to the further integration learning, sample dependence is avoided. At the same time, while keeping the high accuracy of SOM, the introduction of FCM greatly reduces the number of learning iterations and improves learning efficiency. Results showed that in a distributed intrusion detection system this method has a better detection rate and a low false alarm rate.

(4) A Kalman-filter-based neural network pruning algorithm. To address the common problem of over-fitting and the resulting decline in the learning effect of neural networks, we proposed a pruning algorithm based on the Kalman filter. The main idea comes from the classic neural network pruning algorithm OBD, which prunes and removes part of the neurons. The Kalman filter uses a state equation and a measurement equation to predict the output changes of the neurons and of the neural network, finds the order of importance, identifies the unrelated or negatively related neurons, and prunes those network nodes. Unlike traditional pruning methods that introduce a penalty during the learning procedure, this method works solely on the neural network after learning is complete, so it neither disturbs the learning procedure nor prolongs the learning time. Results showed that this prediction method can prune neurons and can improve the learning accuracy of the neural network.

(5) A comprehensive evaluation method for the network. Current evaluations of a network's resistance to intrusion mostly concern network threats and loopholes in the network, with varying parameters and algorithms. To establish experimental conditions, the network traffic monitor mentioned above and the related intrusion detection algorithms were integrated and, based on the multiple factors that contribute to commonly occurring problems, we propose a quantification parameter that takes the intrusion detection result as one of the network performance parameters. The possible influence of different intrusion means on the network is set as an input parameter. We give a performance evaluation equation that quantifies network performance, and thereby evaluates the network's performance and tests the intrusion detection result.
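The "shell" retention of SVs described in item (2) (the 厚度/thickness shell of the Chinese abstract), as an added illustration that is not the thesis's own code: it assumes that "thickness" means a fraction of each class cluster's radius, measured by Euclidean distance from the cluster centroid, and runs on a constructed 2-D grid instead of kernel-mapped KDD CUP 99 features so the result can be checked by hand.

```python
import math

# Constructed sample (not from the thesis): two classes, each an 11x11 grid of
# 2-D points. Class A fills [0,1]x[0,1]; class B fills [2,3]x[0,1], so the
# column x=1.0 of A is the boundary facing B. Real features would be the
# kernel-mapped KDD CUP 99 attributes; the grid keeps the result checkable.
GRID = [i / 10.0 for i in range(11)]
CLASS_A = [(x, y) for x in GRID for y in GRID]
CLASS_B = [(x + 2.0, y) for x in GRID for y in GRID]


def centroid(points):
    """Mean point of one class cluster."""
    n = len(points)
    return tuple(sum(p[k] for p in points) / n for k in range(len(points[0])))


def euclid(a, b):
    return math.sqrt(sum((u - v) ** 2 for u, v in zip(a, b)))


def select_shell(points, thickness):
    """Keep the outer shell of one cluster: every point whose Euclidean distance
    from the centroid is at least (1 - thickness) times the cluster radius.
    Assumption: the thesis's 'thickness' is this fraction of the radius."""
    c = centroid(points)
    dists = [euclid(p, c) for p in points]
    cutoff = (1.0 - thickness) * max(dists)
    return [p for p, d in zip(points, dists) if d >= cutoff]


def incremental_shell_update(retained, new_batch, thickness):
    """Incremental step: merge the shell kept from earlier batches with a new
    batch of the same class and re-select, so storage stays bounded by the
    shell instead of growing with every batch as KKT-based retention does."""
    return select_shell(retained + new_batch, thickness)


def nearest_to_other_class(points, other_points):
    """Boundary sample of `points` closest to the other class's centroid; the
    separating hyperplane depends on such points, so the shell must keep it."""
    c_other = centroid(other_points)
    return min(points, key=lambda p: euclid(p, c_other))


def demo(thickness=0.3):
    """Shell sizes for both classes and whether A's boundary sample survived."""
    shell_a = select_shell(CLASS_A, thickness)
    shell_b = select_shell(CLASS_B, thickness)
    return {"kept_a": len(shell_a), "total_a": len(CLASS_A), "kept_b": len(shell_b),
            "boundary_kept": nearest_to_other_class(CLASS_A, CLASS_B) in shell_a}
```

With thickness 0.3 each class keeps 52 of its 121 points, including the whole column x=1.0 of class A that faces class B, while interior points such as (0.5, 0.5) are dropped. Note that re-selecting after a merge re-centres the shell on the merged data, so a single far-off new sample can push earlier edge points out of the shell; a fixed radius or per-batch cutoff is one way to guard against that.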

  • Online publisher: 吉林大学 (Jilin University)
  • Online publication year and issue: 2010, issue 08