基于KKT和超球结构的增量SVM算法的云架构入侵检测系统  被引量：7

作　　者：张文兴[1] 樊捷杰 

机构地区：[1]内蒙古科技大学机械工程学院,内蒙古包头014010 [2]内蒙古科技大学信息工程学院,内蒙古包头014010

出　　处：《计算机应用》2015年第10期2886-2890,共5页journal of Computer Applications

基　　金：国家自然科学基金资助项目(21366017)

摘　　要：针对传统入侵检测系统(IDS)处理数据负载过重,不支持多主机数据联合分析,以及大规则库维护的问题,提出一种云架构的基于卡罗需-库恩-塔克(KKT)条件和超球结构的增量支持向量机(KS-ISVM)入侵检测系统。将客户端抓取的数据包经过预处理生成样本空间,然后发送至云端使用KS-ISVM进行建模分析,利用KKT条件对增量样本进行筛选,选取违反KKT条件的样本作为有用样本,剔除KKT范围内的所有样本;此外,为了保证剔除的样本为冗余样本,进一步采用超球结构的方法对样本进行第二次筛选,将超球范围内的样本作为有用样本,剔除其余样本;最后将选取的样本进行合并,对SVM进行更新训练。利用KDDCUP99数据进行实验验证,并与SVM、批量支持向量机(Batch-SVM)、互检KKT条件的增量学习(K-ISVM)算法进行对比,结果表明,KS-ISVM具有良好的预测能力和样本淘汰能力,准确率达到90.3%,而SVM、Batch-SVM和K-ISVM三种方法准确率均在89%以下;同时还对并行KSISVM进程联合分析,发现单进程的分析时间由6 351 s降低到16进程的146 s,分析时间大大降低,说明了多进程的有效性,满足云计算环境中的入侵检测系统对效率和精度的要求。In view of overload, nonsupport of multi-computer conjunction analysis and maintenance of huge rule database in traditional Intrusion Detection System （IDS）, a new kind of cloud architecture IDS with Incremental Support Vector Machine （ISVM） algorithm based on KKT condition and hyper-sphere, namely KS-ISVM was proposed. The network data captured by client were preprocessed and sent to the cloud as samples. The KS-ISVM was used to analyze these samples in cloud. According to the KKT condition, the samples that violated the KKT condition were selected as useful samples, and the others that met the KKT condition were removed. In addition, in order to ensure that the removed samples were redundant, they were screened again by hyper-sphere, after that, the samples which met the hyper-sphere rule were regarded as useful samples, while the others were deleted. Finally, the SVM was trained and updated by merging those selected useful san：pies. Contrast experiments with SVM, Batch-SVM and Incremental SVM based on KKT （K-ISVM） were carried out on KDDCUP 99. The results show that KS-ISVM has good performance in prediction and selection of samples, its accuracy can reach 90.3%, but the accuracy of SVM, Bateh-SVM and K-ISVM are all below 89%. Through analyzing the parallel KS- ISVM processes, the analyzing time of the single process is 6351 s, while that of 16 processes is 146 s, which proves that the multi-process techniques is effiective, and it can meet the efficiency and accuracy requirements of IDS in cloud computing environment.

关 键 词：入侵检测系统 云架构 增量支持向量机 卡罗需-库恩-塔克条件 超球结构 

分 类 号：TP393.0[自动化与计算机技术—计算机应用技术]