As a primary defense technique, intrusion detection becomes more and more significant since the security of the networks is one of the most critical issues in the world. We present an adaptive collaboration intrusion detection method to improve the safety of a network. A self-adaptive and collaborative intrusion detection model is built by applying the Environments-classes, agents, roles, groups, and objects (E-CARGO) model. The objects, roles, agents, and groups are designed by using decision trees (DTs) and support vector machines (SVMs), and adaptive scheduling mechanisms are set up. The KDD CUP 1999 data set is used to verify the effectiveness of the method. The experimental results demonstrate the feasibility and efficiency of the proposed collaborative and adaptive intrusion detection method. Also, the proposed method is shown to be more predominant than the methods that use a set of single type support vector machine (SVM) in terms of detection precision rate and recall rate
There are two major categories [2] of SVMs for solving multi-class problems: 1) establishing a group of 2-class clas-sifiers and 2) establishing a multi-class classifier. The former has many types, including 1-v-r (one-versus-rest), 1-v-1 (one-versus-one), directed acyclic graph (DAG) SVM (large interval multi-class SVM classifier based on directed acyclic graph), the binary SVM, etc.
In this paper, a multi-class classifier of the 1-v-r type is used to perform the intrusion detection as a detector. It needs to establish many 2-class classifiers. After network packets are decomposed into four parts corresponding to the TCP, UDP, ICMP protocols, and content, a group of 2-class classifiers based on SVMs and DTs are built to detect intrusions. Four 2-class classifiers are created to implement such a detector for TCP protocol.
A network data stream can be decomposed into three sets: the TCP data, the UDP data, and the ICMP data. Four kinds of detector roles are designed and implemented, and they are used to detect TCP, UDP, ICMP, and content-based attacks, respectively.
According to the DT method, building these intrusion detectors includes two steps: modeling and testing. The preprocessed historical data (network data or experimental data) is decomposed into training data and testing data. The former (training data) is applied to produce the detection agents based on SVMs and DTs, and the latter (testing data) is used to assess these detection agents
Building a detection agent based on SVM needs to train and test it iteratively. After preprocessing, data is decomposed into four data sets corresponding to the network protocols TCP,UDP, ICMP, and content. Each data set is also divided into training and testing data.
Building a TCP detector is as follows. A group of SVM detectors is set up by using the training samples with the class label, i.e., four 2-class classifiers which are used to detect the normal data, the DoS/DDoS attacks, the probing attacks, and R2L or U2R attacks. In this paper, these detectors are all defined as roles in the E-CARGO model, and these roles re-quire agents to play. When SVMs are used to implement these agents, some support vectors and the homologous parameters in the model should be brought out and be produced.
INTRUSION detection is an important means to guarantee the safety of a network to avoid illegal operations that are launched by intruders (such as attackers and hackers) via authentication identification. An intrusion detection system (IDS) is the most significant tool to ensure the security of a network by analyzing the audit data and current state. There are many measures to protect a network system, however, most of the conventional methods are inefficient. Since some attacks are composed of a series of users’ operations, the users’ behavior should be analyzed to detect an intrusion.
With the explosive growth of transmission data and the wide application of high speed network, traditional intrusion detection methods are out of date and cannot meet the cur-rent requirements. Furthermore, an intrusion detection system should not affect the normal operation of a network system when it works, especially in the Big Data and high-speed network environment.
Support vector machines (SVMs) are a powerful tool for machine learning which is widely utilized in many appli-cations such as classification, intrusion detection, and pattern recognition. Since the current network is very complicated, an intrusion detection system needs to not only be an effective detection tool but also possess an adaptive mechanism. This work proposes an adaptive collaboration intrusion detection method and develops a corresponding intrusion detection model. The algorithms of SVMs and decision trees (DTs) are used in the model.
To build an effective and adaptive intrusion detection model, we introduce the environments-classes, agents, roles, groups, and objects (E-CARGO) model as a tool which helps us to design the detection system. Also, SVM classifiers and the DT algorithm are applied. Group role assignment is studied. Experiments on data set KDD CUP 1999 are done to illustrate the effectiveness and performance of the proposed method. The experimental results show that the proposed method can not only improve the accuracy of classification, but also save time and storage space.
In this paper, a collaborative and adaptive intrusion detection method based on 2-class SVMs and DTs is proposed. A detection model called CAIDM is created and implemented. The E-CARGO model is used as a tool for describing the intrusion detection and modeling. In this paper, roles, groups, and agents are all studied and applied, for instance, the response unit role, the suspicious event detection role, the generating suspicious event role, etc. A role is assigned to some agents. A group (SmallGroup) contains many agents that perform the same role.
TCP/IP protocols can be decomposed into four categories: TCP, UDP, ICMP, and application layer protocols. These protocols include different attributes. A vari-ety of intrusion detectors are designed and implemented. There are four types of SVM identification functions designed and implemented, and related agents are created. These agents built by using different properties are applied to find out attacks for TCP, UDP, ICMP, and application layer protocols, respectively. The TCP detection agent is used as one example to explain the agent creation process.