Toward intrusion detection via cluster structure-based adaptive synthetic sampling approach

Cited by: 8


Authors: LIU Jin-ping; ZHOU Jia-ming; LIU Xian-feng [1]; TANG Zhao-hui [2]; MA Tian-yu

Affiliations: [1] Hunan Provincial Key Laboratory of Intelligent Computing and Language Information Processing, Hunan Normal University, Changsha 410081, China; [2] School of Automation, Central South University, Changsha 410083, China

Source: Control and Decision (《控制与决策》), 2021, No. 8, pp. 1920-1928 (9 pages)

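Funding: National Natural Science Foundation of China (61971188); Natural Science Foundation of Hunan Province (2018JJ3349); Outstanding Youth Project of the Hunan Provincial Department of Education (19B364); Hunan Provincial Intellectual Property Strategy Promotion Special Project (2019F012K); Hunan Provincial Postgraduate Research and Innovation Project (CX20190415).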

Abstract: Machine learning-based network intrusion detection turns the detection of malicious network behaviors (intrusions) into a pattern recognition (classification) problem, and it has attracted extensive attention because of its strong adaptability and high sensitivity. Existing pattern classifiers generally assume that the distribution of the data set is balanced. In a real network environment, however, intrusions are far fewer than normal accesses, which poses a great challenge for intrusion detection. This paper therefore proposes a cluster structure-based adaptive synthetic sampling approach (CSbADASYN), which adaptively oversamples the minority classes by mining the internal structure of the minority-class samples, to obtain balanced samples that preserve the distribution structure and so to counter the classification bias caused by imbalanced data. CSbADASYN first clusters the minority-class samples with spectral clustering, then interpolates adaptively according to the resulting cluster structure, and uses the balanced, distribution-preserving samples to train the classifier model. Extensive verification and comparative experiments are carried out on the classic NSL-KDD and KDD99 datasets. The results show that CSbADASYN significantly improves the classification performance of traditional classifier models on imbalanced datasets. Compared with traditional intrusion detection without sample balancing and with other intrusion detection methods that include balancing, the method achieves lower false positive and false negative rates.

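Keywords: network intrusion detection; imbalanced data processing; distribution structure preservation; spectral clustering; adaptive synthetic sampling approach; oversampling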

Classification number: TP273 [Automation and Computer Technology: Detection Technology and Automatic Devices]

 
