Intrusion detection method and intrusion detection system based on sustainable ensemble learning

Abstract

The invention, which belongs to the technical field of network intrusion detection, discloses an intrusion detection method and intrusion detection system based on sustainable ensemble learning. A multi-class regression model is constructed by using a class probability output and a classification confidence product of an individual learner as training data, so that the decision-making process of the ensemble learning has high adaptability to the attack type to improve the detection accuracy. At the model updating stage, parameters and decision results of historical models are added into the training process of a new model, thereby completing incremental learning of the model. According to the invention, on the basis of the ensemble learning fusion plan of the multi-regression model, the decision-making weights of the individual learner during the detection processes for different attack types are allocated in a fine granularity manner; and the parameters and results of the historical models are used for training the new model, so that the stability of the model is improved and the sustainability of the learning process is ensured. Besides, the experiment result is compared with theexisting MV and WMV plans, the accuracy, stability and sustainability of the intrusion detection method and intrusion detection system are verified.

Description

technical field [0001] The invention belongs to the technical field of network intrusion detection, and in particular relates to an intrusion detection method and an intrusion detection system based on sustainable integrated learning. Background technique [0002] With the rapid development of network-based computing services and applications, the Internet is subject to more and more security threats, and an intrusion detection system (Intrusion Detection System, IDS) is particularly important as an important part of the deep defense system of network security. An intrusion detection system discovers and identifies intrusions in a system by detecting and analyzing network traffic or host behavior. In order to detect abnormal behavior under large-scale data traffic, the intrusion detection system based on machine learning has become the focus. Machine learning technology is used to extract features from a large amount of data, and a classification model is established for the...

AI Technical Summary

Problems solved by technology

In order to detect abnormal behavior under large-scale data traffic, the intrusion detection system based on machine learning has become the focus. Machine learning technology is used to extract features from a large amount of data, and a classification model is established for the marked data set to realize network traffic or host Behavior classification, detecting intrusion behavior in the system, not only can detect known attacks, but also detect new or unknown attacks, but there are problems of low detection accuracy or denial of service due to high false positive rate and false negative rate

In order to reduce the false alarm rate and false negative rate in the machine learning-based anomaly detection system, the detection model is often established by the fusion of multiple machine learning models, and the final result is obtained by voting or weighted voting on the results of multiple machine learning models. Decision-making results, thereby improving the overall detection accuracy of the system; there are still the following problems: 1) The sensitivity of the individual learner to the attack type is not considered, resulting in poor adaptability of the detection model, and there are various types of attacks in a complex network environment. As time changes, the detection algorithm is sensitive to the type of attack, that is, different algorithms have different detection accuracy for different attack types; the final result is obtained by voting or weighted voting on the decision results of one or several algorithms integrated with machine learning , because the sensitivity of the detection model to the attack type is not considered, the weight obtained by the detection model is fixed, the adaptability is weak, and the accuracy of the detection model is likely to be low

2) Lack of stability and sustainability in the model update process. In a dynamically changing network environment, it is necessary to continuously update the detection model to ensure the accuracy of the model. It is not suitable for the environment of integrated learning, and does not consider the knowledge in the process of detection model update. It only proposes to completely retrain the new detection model based on new data over time, without considering the accumulation and transfer of knowledge between the historical model and the new model, and the updated model lacks stability and continuity.

In the prior art, there is a combination probability framework for classifiers, and four combination schemes of integrated learning are studied: majority voting, weighted majority voting, recall combination and naive Bayesian combination, based on class conditional independence and individual accuracy assumptions. The advantages and disadvantages of the model combination scheme are pointed out, and the stability and plasticity of the combination method are balanced by inducing label noise, indicating that there is no clear optimal combination scheme

Most of the existing ensemble-based learning schemes use voting method or weighted voting method to fuse the detection results of multiple individual learners and generate the final decision result. Such schemes do not consider the differences of individual learners and the impact on attack types. Sensitivity, the weight obtained by the classifier is fixed, resulting in a lack of adaptability when the model is fused, thereby reducing the detection accuracy

[0003] To sum up, the problems existing in the existing technology are: the existing ensemble-based learning methods do not consider the differences of individual learners and the sensitivity to attack types, and the weights obtained by classifiers are fixed, resulting in a lack of adaptability in model fusion. Reduce detection accuracy

None of the existing integrated learning-based schemes considers the association of knowledge during the update process of the detection model. It only proposes to completely retrain the new detection model based on new data over time, without considering the accumulation and transfer of knowledge between the historical model and the new model. Lack of stability and continuity

Images