A Composite Intrusion Detection Method Based on Bagging Algorithm

A composite intrusion detection technology, applied in the field of network information security, that addresses the problems of high false negative and false positive rates, low intrusion detection accuracy, and poor generalization ability, so as to achieve improved speed, high discrimination accuracy, and reduced false negative and false positive rates.

Active Publication Date: 2011-12-21
CHINA ELECTRIC POWER RES INST +2

AI Technical Summary

Problems solved by technology

[0006] Intrusion detection technology based on a single classifier in the above-mentioned prior art, and intrusion detection schemes that rely only on misuse detection or only on anomaly detection, suffer from low detection accuracy, poor real-time performance, high false negative and false positive rates, and poor generalization ability. To address these defects, the applicant has, after long-term research, provided a composite intrusion detection method based on the Bagging algorithm. The biggest advantage of the Bagging algorithm is that it can obtain a high-precision classification model through repeated iterative training of a weak learning algorithm. To reduce the false positive and false negative rates, the method designs a composite intrusion detection model: misuse-based intrusion detection is performed first, followed by anomaly-based intrusion detection. To improve the real-time performance of the intrusion detection system, the invention uses kernel principal component analysis in the feature extraction stage and a ball vector machine as the weak learning algorithm of the Bagging algorithm, so as to improve the speed of the intrusion detection system while reducing accuracy as little as possible.

Examples

Embodiment Construction

[0049] The specific embodiments of the present invention will be further described in detail below in conjunction with the accompanying drawings.

[0050] The present invention abstracts the intrusion detection problem into a multi-class classification problem in pattern recognition: the various factors that influence intrusion detection and discrimination are abstracted into the input vector, and the intrusion detection result is abstracted into the output vector. An artificial intelligence algorithm is then used to fit the functional relationship between the independent and dependent variables, so that for a network security device record to be tested, only its corresponding input variables need to be supplied to obtain the intrusion detection result for that record. Intrusion detection based on artificial intelligence methods therefore has the advantages of fast computing speed and high reliability. ...

Abstract

The invention relates to a hybrid intrusion detection method based on a bagging algorithm, which comprises the following steps: creating an initial historical data sample set S; constructing the sample set S into a sample set S_sample that can be read by the weak learning algorithm in the bagging algorithm, and selecting a ball vector machine as the weak learning algorithm; cyclically calling the weak learning algorithm to complete training on the data sample set S_sample and obtain a strong learning machine H; and inputting the current data samples to be detected into the strong learning machine H, which serves as the hybrid intrusion detection model. The strong learning machine H uses every generation of weak learning machine h_i to perform preliminary intrusion detection and judges the intrusion detection results for the current data samples by voting; the result that receives the most votes is taken as the final intrusion detection result of the strong learning machine H. By using the disclosed method to perform intrusion detection on a target network, defects common to earlier intrusion detection techniques, such as low detection accuracy and poor generalization ability, can be overcome, and the false alarm rate and missed alarm rate can be greatly reduced.
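The training and voting steps in the abstract can be sketched as follows. This is an added example, not code from the patent: a nearest-centroid classifier stands in for the ball vector machine, kernel principal component analysis and the misuse-then-anomaly staging are omitted, and the feature names, labels and sample records are constructed for illustration.

```python
import random
from collections import Counter

# Constructed sample set S: (feature vector, label). Features are assumed to be
# (connections per second, failed-login ratio); labels are illustrative classes.
S = [((2.0, 0.05), "normal"), ((3.0, 0.10), "normal"), ((1.5, 0.00), "normal"),
     ((2.5, 0.08), "normal"), ((40.0, 0.10), "dos"), ((55.0, 0.05), "dos"),
     ((48.0, 0.12), "dos"), ((60.0, 0.02), "dos"), ((3.0, 0.90), "bruteforce"),
     ((2.0, 0.85), "bruteforce"), ((4.0, 0.95), "bruteforce"), ((2.5, 0.80), "bruteforce")]

def scale(x):
    # Fixed scaling so both features contribute comparably (assumed ranges).
    return (x[0] / 60.0, x[1])

def train_weak(sample):
    """Weak learner h_i: nearest-centroid classifier (stand-in for the ball vector machine)."""
    sums, counts = {}, Counter()
    for x, y in sample:
        sx = scale(x)
        acc = sums.setdefault(y, [0.0] * len(sx))
        for j, v in enumerate(sx):
            acc[j] += v
        counts[y] += 1
    centroids = {y: [v / counts[y] for v in acc] for y, acc in sums.items()}

    def h(x):
        sx = scale(x)
        return min(centroids,
                   key=lambda y: sum((a - b) ** 2 for a, b in zip(sx, centroids[y])))
    return h

def train_bagging(samples, rounds=15, seed=7):
    """Cyclically call the weak learner on bootstrap resamples of S to build H."""
    rng = random.Random(seed)
    return [train_weak([rng.choice(samples) for _ in samples]) for _ in range(rounds)]

def detect(H, x):
    """Every h_i votes; the label with the most votes is H's final result."""
    votes = Counter(h(x) for h in H)
    return votes.most_common(1)[0][0], dict(votes)

H = train_bagging(S)
```

A weak learner whose bootstrap resample happens to miss a class cannot vote for that class; the majority vote in `detect` is what absorbs such individual errors.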

Description

Technical field

[0001] The invention relates to a detection method in the technical field of network information security, in particular to a composite intrusion detection method based on a Bagging algorithm.

Background technique

[0002] As network intrusions and attacks become more distributed, large-scale, complex, and indirect, higher requirements are placed on security product technology, and an efficient network security alarm technology is urgently needed to improve the performance of security products.

[0003] Intrusion detection is the detection of intrusion behavior. The intrusion detection system collects information from all key nodes in the network and computer system to check whether there are violations of security policy or signs of attack in the network or system. The data sources for intrusion detection are the logs of various network security devices, such as firewalls, IDS, IPS, etc. These devices will record the activities ...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, G06F15/18
Inventor: 高昆仑, 王宇飞
Owner: CHINA ELECTRIC POWER RES INST