in Network Intrusion Detection
School of Telecommunication Engineering, Beijing University of Posts &
Telecommunications, Beijing, 100876
Abstract: In network security, an intrusion attempt is defined as a deliberate, unauthorized attempt to access information, manipulate information, or render a system unusable. Over the past decades, approaches to intrusion detection have been studied and improved. In this paper, the Support Vector Machine (SVM) is adopted as a tool for anomaly-based intrusion detection. We use the KDD Cup '99 dataset to build the training and testing data sets. The experimental results show that SVM performs well in binary classification, multi-class classification and generalization.
Key words: network security, intrusion detection, support vector machine, Libsvm, KDD Cup '99, classification
With the rapid development of computer networks and information technology, network security has become a focus of public attention. Intrusion detection is considered one of the indispensable technologies of information security. We face the problem of how to quickly and effectively detect both intrusions that are already known and newly emerging ones. Conventional methods of intrusion detection have the disadvantages of being inefficient and inaccurate: to guarantee the desired classification accuracy, the detection system has to depend on massive amounts of training data, which inevitably makes it very time-consuming. However, the detection system must respond in real time and react quickly to unknown intrusions. The Support Vector Machine (SVM) is a learning method, built on statistical learning theory and the Structural Risk Minimization principle, that is used for classification and regression. Applying SVM to intrusion detection makes it possible to achieve a better accuracy rate with far fewer training samples.
In network security, intrusion detection aims to detect malicious actions that attempt to compromise the confidentiality, integrity, stability or availability of a resource. By collecting and analyzing network behavior, security logs, audit data and other important information from the network and the computer system, intrusion detection can trace unauthorized access and malicious attempts. Generally speaking, detection approaches can be categorized as misuse detection and anomaly detection. Misuse detection first defines abnormal system behaviors and regards any behavior that does not match those definitions as normal; consequently, it is unable to recognize unknown attacks. Anomaly detection, on the other hand, first characterizes normal system behavior and considers everything else as abnormal. Compared to misuse detection, anomaly detection is more potent in detecting novel attacks.
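The contrast between the two strategies is easiest to see side by side. The following is an added example, not code from the paper: a misuse detector built from hand-written rules (the rule names and thresholds are hypothetical) and an anomaly detector that profiles the mean and standard deviation of each feature over normal connections and flags z-scores above a threshold. All connection summaries are constructed for the example, not real traffic.

```python
import math

# Constructed connection summaries (not real traffic). The baseline is what the
# anomaly detector treats as "normal"; the test events exercise both strategies.
NORMAL_BASELINE = [
    {"flag": "SF", "duration": 0, "bytes": 1500, "count": 1},
    {"flag": "SF", "duration": 1, "bytes": 2200, "count": 2},
    {"flag": "SF", "duration": 0, "bytes": 800,  "count": 1},
    {"flag": "SF", "duration": 3, "bytes": 4100, "count": 3},
    {"flag": "SF", "duration": 2, "bytes": 1900, "count": 2},
    {"flag": "SF", "duration": 0, "bytes": 3300, "count": 4},
    {"flag": "SF", "duration": 1, "bytes": 2700, "count": 1},
    {"flag": "SF", "duration": 4, "bytes": 1200, "count": 2},
]

TEST_EVENTS = {
    "normal_web": {"flag": "SF", "duration": 1, "bytes": 2500, "count": 2},
    "syn_flood":  {"flag": "S0", "duration": 0, "bytes": 0, "count": 200},       # a known pattern
    "slow_exfil": {"flag": "SF", "duration": 900, "bytes": 250000, "count": 1},  # no rule covers it
    "big_backup": {"flag": "SF", "duration": 30, "bytes": 90000, "count": 1},    # legitimate but rare
}

NUMERIC_FEATURES = ("duration", "bytes", "count")

# Misuse detection: explicit rules for attack patterns that are already known.
# These are hypothetical rules written for this example, not a real IDS rule set.
SIGNATURES = [
    ("syn_flood_S0", lambda e: e["flag"] == "S0" and e["count"] >= 100),
    ("rejected_scan", lambda e: e["flag"] == "REJ" and e["count"] >= 50),
]


def detect_misuse(event):
    """Return the first matching signature name, or None (the event is treated as normal)."""
    for name, matches in SIGNATURES:
        if matches(event):
            return name
    return None


def build_profile(normal_events):
    """Anomaly detection, step 1: learn mean and std of each feature from normal traffic."""
    profile = {}
    for f in NUMERIC_FEATURES:
        values = [e[f] for e in normal_events]
        mean = sum(values) / len(values)
        std = math.sqrt(sum((v - mean) ** 2 for v in values) / len(values)) or 1.0
        profile[f] = (mean, std)
    return profile


def detect_anomaly(profile, event, z_threshold=3.0):
    """Anomaly detection, step 2: list the features whose z-score exceeds the threshold."""
    deviating = []
    for f, (mean, std) in profile.items():
        if abs(event[f] - mean) / std > z_threshold:
            deviating.append(f)
    return deviating


def compare(events=TEST_EVENTS, baseline=NORMAL_BASELINE):
    """Run both detectors: event name -> (misuse verdict, anomalous features)."""
    profile = build_profile(baseline)
    return {name: (detect_misuse(e), detect_anomaly(profile, e)) for name, e in events.items()}


if __name__ == "__main__":
    for name, (sig, anomalous) in compare().items():
        print(f"{name:11s} misuse={sig!s:14s} anomaly={anomalous}")
```

The known flood is caught by both detectors, the novel transfer is caught only by the anomaly detector, and the rare-but-legitimate backup is also flagged by the anomaly detector. That last case is the cost of anomaly detection's strength against novel attacks: a profile of normal behavior has to be kept representative, or the unusual-but-benign events become false positives.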
A system that performs automated intrusion detection is called an Intrusion Detection System (IDS). It is designed to identify attacks by crackers against vulnerable services, network attacks, data-driven attacks on applications, host-based attacks, unauthorized logins, malware and other potentially malicious attempts. An IDS can be either host-based or network-based. A host-based IDS monitors all the activities on a single host, ensuring that the host's information security policies are enforced and obeyed. A network-based IDS monitors all the activities on the whole network; it detects potential security problems and violations by analyzing the signatures of data packets collected from the traffic.
3. Support Vector Machine (SVM)
SVM (Support Vector Machine) is a useful technique for data classification. A classification task usually involves training and testing data. The goal of SVM is to produce a model which predicts the target values of the data examples in the testing set, which are...
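To make the training/testing split concrete, here is an added example of the binary (normal versus attack) classification the paper describes, written for this page rather than taken from the paper. It trains a linear SVM in pure Python with the Pegasos sub-gradient solver on the primal objective, instead of the LIBSVM library the paper uses, and the records are constructed in the KDD Cup '99 column layout (a subset of the columns) rather than copied from the real dataset. The feature choices, scaling and hyper-parameters are this example's own assumptions.

```python
# Added example: linear SVM for normal-vs-attack classification of KDD Cup '99-style
# records. Pegasos (primal, sub-gradient) is used here in place of LIBSVM; the rows
# are constructed in the KDD column layout and are not real dataset records.
import math
import random

# Columns: duration, protocol_type, service, flag, src_bytes, dst_bytes, count, serror_rate, label
SAMPLE_ROWS = """\
0,tcp,http,SF,215,45076,1,0.00,normal.
0,tcp,http,SF,162,4528,2,0.00,normal.
0,tcp,http,SF,236,1228,1,0.00,normal.
0,tcp,smtp,SF,1105,329,1,0.00,normal.
12,tcp,ftp_data,SF,0,5134,1,0.00,normal.
0,udp,domain_u,SF,44,132,3,0.00,normal.
2,tcp,telnet,SF,1511,2957,1,0.00,normal.
0,tcp,private,S0,0,0,123,1.00,neptune.
0,tcp,private,S0,0,0,201,1.00,neptune.
0,tcp,private,S0,0,0,255,1.00,neptune.
0,tcp,private,REJ,0,0,180,0.00,neptune.
0,tcp,private,S0,0,0,97,0.98,neptune.
0,icmp,ecr_i,SF,1032,0,511,0.00,smurf.
0,icmp,ecr_i,SF,520,0,509,0.00,smurf.
"""


def featurize(fields):
    """One record -> numeric feature vector. Byte and connection counts are heavy-tailed,
    so they are log-compressed; the symbolic flag/protocol columns become indicators."""
    duration, proto, flag = int(fields[0]), fields[1], fields[3]
    src_b, dst_b, count, serror = int(fields[4]), int(fields[5]), int(fields[6]), float(fields[7])
    return [math.log1p(duration), math.log1p(src_b), math.log1p(dst_b), math.log1p(count),
            serror, 1.0 if flag == "SF" else 0.0, 1.0 if proto == "icmp" else 0.0]


def parse_rows(text):
    """Labelled rows -> (feature vectors, labels) with +1 = attack, -1 = normal."""
    X, y = [], []
    for line in text.strip().splitlines():
        fields = line.split(",")
        X.append(featurize(fields))
        y.append(-1 if fields[8] == "normal." else 1)
    return X, y


def fit_scaler(X):
    """Per-column maxima from the training set (every feature here is >= 0)."""
    return [max(col) or 1.0 for col in zip(*X)]


def scale(x, maxima):
    """Min-max scale to [0, 1] and append a constant 1.0 as the bias feature."""
    return [v / m for v, m in zip(x, maxima)] + [1.0]


def dot(a, b):
    return sum(ai * bi for ai, bi in zip(a, b))


def train_linear_svm(X, y, lam=0.01, epochs=200, seed=0):
    """Pegasos: stochastic sub-gradient descent on the primal SVM objective
    lam/2 * ||w||^2 + mean(max(0, 1 - y_i * <w, x_i>))."""
    rng = random.Random(seed)
    w = [0.0] * len(X[0])
    t = 0
    for _ in range(epochs):
        order = list(range(len(X)))
        rng.shuffle(order)
        for i in order:
            t += 1
            eta = 1.0 / (lam * t)
            violates = y[i] * dot(w, X[i]) < 1.0  # inside the margin or misclassified
            w = [(1.0 - eta * lam) * wj for wj in w]  # shrink (regularization step)
            if violates:
                w = [wj + eta * y[i] * xj for wj, xj in zip(w, X[i])]  # hinge-loss step
    return w


def predict(w, x_scaled):
    return 1 if dot(w, x_scaled) >= 0.0 else -1


def train_and_evaluate(text=SAMPLE_ROWS):
    """Train on the labelled rows; return (weights, scaler, training accuracy)."""
    X_raw, y = parse_rows(text)
    maxima = fit_scaler(X_raw)
    X = [scale(x, maxima) for x in X_raw]
    w = train_linear_svm(X, y)
    correct = sum(predict(w, x) == yi for x, yi in zip(X, y))
    return w, maxima, correct / len(y)


def classify_connection(w, maxima, unlabelled_row):
    """Classify one record given as the same columns without the label."""
    x = scale(featurize(unlabelled_row.split(",")), maxima)
    return "attack" if predict(w, x) == 1 else "normal"


if __name__ == "__main__":
    w, maxima, acc = train_and_evaluate()
    print(f"training accuracy: {acc:.2f}")
    for row in ("0,tcp,private,S0,0,0,150,1.00", "0,tcp,http,SF,250,3000,2,0.00"):
        print(row, "->", classify_connection(w, maxima, row))
```

The scaler is fitted on the training rows only and reused for the test rows, which is the discipline a real KDD Cup '99 experiment needs: fitting it on the combined data leaks test-set ranges into the model. The linear kernel suffices for this constructed sample; on the full dataset the paper's LIBSVM setup would normally be run with a kernel and with the C and gamma parameters chosen by cross-validation on the training set.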