Journal of Computer Applications ›› 2015, Vol. 35 ›› Issue (10): 2886-2890. DOI: 10.11772/j.issn.1001-9081.2015.10.2886

• Information Security •

Cloud architecture intrusion detection system based on KKT condition and hyper-sphere incremental SVM algorithm

ZHANG Wenxing1, FAN Jiejie2

  1. School of Mechanical Engineering, Inner Mongolia University of Science and Technology, Baotou, Nei Mongol 014010, China;
  2. School of Information Engineering, Inner Mongolia University of Science and Technology, Baotou, Nei Mongol 014010, China
  • Received: 2015-04-20 Revised: 2015-07-27 Online: 2015-10-10 Published: 2015-10-14
  • Corresponding author: FAN Jiejie (born 1985), male, from Shangrao, Jiangxi; master's student; main research interests: information security, big data processing, intrusion detection. fanjiejie777@hotmail.com
  • Author biography: ZHANG Wenxing (born 1983), male, from Shangrao, Jiangxi; lecturer, M.S.; main research interests: data mining, industrial process modelling.
  • Funding: National Natural Science Foundation of China (21366017).



Abstract: In view of the overload, the lack of support for multi-host joint analysis, and the maintenance burden of a huge rule database in traditional Intrusion Detection Systems (IDS), a new kind of cloud architecture IDS with an Incremental Support Vector Machine (ISVM) algorithm based on the KKT condition and hyper-sphere, namely KS-ISVM, was proposed. The network data captured by the client were preprocessed and sent to the cloud as samples, where KS-ISVM was used to analyze them. According to the KKT condition, the samples that violated the KKT condition were selected as useful samples, and the others that met the KKT condition were removed. In addition, in order to ensure that the removed samples were redundant, they were screened again by hyper-sphere; after that, the samples which met the hyper-sphere rule were regarded as useful samples, while the others were deleted. Finally, the SVM was trained and updated by merging the selected useful samples. Comparative experiments with SVM, Batch-SVM and Incremental SVM based on KKT (K-ISVM) were carried out on KDDCUP 99. The results show that KS-ISVM has good performance in prediction and selection of samples: its accuracy can reach 90.3%, while the accuracies of SVM, Batch-SVM and K-ISVM are all below 89%. Through analyzing the parallel KS-ISVM processes, the analyzing time of a single process is 6351 s, while that of 16 processes is 146 s, which proves that the multi-process technique is effective and can meet the efficiency and accuracy requirements of IDS in a cloud computing environment.

Key words: Intrusion Detection System (IDS), cloud architecture, Incremental Support Vector Machine (ISVM), Karush-Kuhn-Tucker (KKT) condition, hyper-sphere
