ACO and SVM Selection Feature Weighting of Network Intrusion Detection Method



Similar documents
Maintenance activities planning and grouping for complex structure systems

A Supplier Evaluation System for Automotive Industry According To Iso/Ts Requirements

A Latent Variable Pairwise Classification Model of a Clustering Ensemble

A Similarity Search Scheme over Encrypted Cloud Images based on Secure Transformation

Secure Network Coding with a Cost Criterion

Australian Bureau of Statistics Management of Business Providers

SELECTING THE SUITABLE ERP SYSTEM: A FUZZY AHP APPROACH. Ufuk Cebeci

Face Hallucination and Recognition

An Idiot s guide to Support vector machines (SVMs)

ONE of the most challenging problems addressed by the

Dynamic Pricing Trade Market for Shared Resources in IIU Federated Cloud

An Integrated Data Management Framework of Wireless Sensor Network

Multi-Robot Task Scheduling

A train dispatching model based on fuzzy passenger demand forecasting during holidays

A New Statistical Approach to Network Anomaly Detection

CERTIFICATE COURSE ON CLIMATE CHANGE AND SUSTAINABILITY. Course Offered By: Indian Environmental Society

Fixed income managers: evolution or revolution

Vendor Performance Measurement Using Fuzzy Logic Controller

Fast Robust Hashing. ) [7] will be re-mapped (and therefore discarded), due to the load-balancing property of hashing.

Teamwork. Abstract. 2.1 Overview

Normalization of Database Tables. Functional Dependency. Examples of Functional Dependencies: So Now what is Normalization? Transitive Dependencies

Simultaneous Routing and Power Allocation in CDMA Wireless Data Networks

CONTRIBUTION OF INTERNAL AUDITING IN THE VALUE OF A NURSING UNIT WITHIN THREE YEARS

Leakage detection in water pipe networks using a Bayesian probabilistic framework

ICAP CREDIT RISK SERVICES. Your Business Partner

Assessing Network Vulnerability Under Probabilistic Region Failure Model

Research on Risk of Supply Chain Finance of Small and Medium-Sized Enterprises Based on Fuzzy Ordinal Regression Support Vector Machine

Packet Classification with Network Traffic Statistics

Traffic classification-based spam filter

Protection Against Income Loss During the First 4 Months of Illness or Injury *

CUSTOM. Putting Your Benefits to Work. COMMUNICATIONS. Employee Communications Benefits Administration Benefits Outsourcing

Human Capital & Human Resources Certificate Programs

Ricoh Healthcare. Process Optimized. Healthcare Simplified.

Leadership & Management Certificate Programs

COMPARISON OF DIFFUSION MODELS IN ASTRONOMICAL OBJECT LOCALIZATION

Overview of Health and Safety in China

With the arrival of Java 2 Micro Edition (J2ME) and its industry

WHITE PAPER BEsT PRAcTIcEs: PusHIng ExcEl BEyond ITs limits WITH InfoRmATIon optimization

Integrating Risk into your Plant Lifecycle A next generation software architecture for risk based

Application-Aware Data Collection in Wireless Sensor Networks

Network/Communicational Vulnerability

Learning from evaluations Processes and instruments used by GIZ as a learning organisation and their contribution to interorganisational learning

LADDER SAFETY Table of Contents

A quantum model for the stock market

Enhanced continuous, real-time detection, alarming and analysis of partial discharge events

Sage Accounts Production Range

Life Contingencies Study Note for CAS Exam S. Tom Struppeck

Virtual trunk simulation

Comparison of Traditional and Open-Access Appointment Scheduling for Exponentially Distributed Service Time

FRAME BASED TEXTURE CLASSIFICATION BY CONSIDERING VARIOUS SPATIAL NEIGHBORHOODS. Karl Skretting and John Håkon Husøy

University of Southern California

Design of Follow-Up Experiments for Improving Model Discrimination and Parameter Estimation

Niagara Catholic. District School Board. High Performance. Support Program. Academic

Oracle Hyperion Tax Provision. User's Guide Release

History of Stars and Rain Education Institute for Autism (Stars and Rain)

AN APPROACH TO THE STANDARDISATION OF ACCIDENT AND INJURY REGISTRATION SYSTEMS (STAIRS) IN EUROPE

Management Accounting

PREFACE. Comptroller General of the United States. Page i

Spatio-Temporal Asynchronous Co-Occurrence Pattern for Big Climate Data towards Long-Lead Flood Prediction

Qualifications, professional development and probation

Risk Assessment Methods and Application in the Construction Projects

Chapter 1 Structural Mechanics

IT Governance Principles & Key Metrics

Load Balancing in Distributed Web Server Systems with Partial Document Replication *

STRATEGIC PLAN

Accreditation: Supporting the Delivery of Health and Social Care

Sentiment Analysis with Global Topics and Local Dependency

Software Quality - Getting Right Metrics, Getting Metrics Right

arxiv: v1 [cs.ai] 18 Jun 2015

Informatica PowerCenter

Let s get usable! Usability studies for indexes. Susan C. Olason. Study plan

Bite-Size Steps to ITIL Success

Hybrid Interface Solutions for next Generation Wireless Access Infrastructure

GREEN: An Active Queue Management Algorithm for a Self Managed Internet

The growth of online Internet services during the past decade has

Precise assessment of partial discharge in underground MV/HV power cables and terminations

Frequently Asked Questions

Chapter 2 Developing a Sustainable Supply Chain Strategy

Best Practices for Push & Pull Using Oracle Inventory Stock Locators. Introduction to Master Data and Master Data Management (MDM): Part 1

INDUSTRIAL AND COMMERCIAL

Pricing and Revenue Sharing Strategies for Internet Service Providers

3.3 SOFTWARE RISK MANAGEMENT (SRM)

THE IMPACT OF AN EXECUTIVE LEADERSHIP DEVELOPMENT PROGRAM

A Comparison of Software Packages for X-Ray Fluorescence Analysis of Silicates on Fusion Disks

ST. MARKS CONFERENCE FACILITY MARKET ANALYSIS

Order-to-Cash Processes

READING A CREDIT REPORT

SCHOOL OF BUSINESS MANAGEMENT Information Brochure 2014

MICROSOFT DYNAMICS CRM

Optimizing QoS-Aware Semantic Web Service Composition

Pricing Internet Services With Multiple Providers

Take me to your leader! Online Optimization of Distributed Storage Configurations

Creat-Poreen Power Electronics Co., Ltd

Chapter 3: e-business Integration Patterns

SPOTLIGHT. A year of transformation

Big Data projects and use cases. Claus Samuelsen IBM Analytics, Europe

Distribution of Income Sources of Recent Retirees: Findings From the New Beneficiary Survey

Oracle Project Financial Planning. User's Guide Release

Migrating and Managing Dynamic, Non-Textua Content

Sketch-based Network-wide Traffic Anomaly Detection

Transcription:

, pp. 129-270 http://dx.doi.org/10.14257/ijsia.2015.9.4.24 ACO and SVM Seection Feature Weighting of Network Intrusion Detection Method Wang Xingzhu Furong Coege Hunan, University of Arts and Science, Hunan Changde, 415000, China Wangxzhu@sina.com Abstract Feature seection and cassifier design is the key to network intrusion detection. In order to improve network intrusion detection rate for feature seection probem, this paper proposed a network intrusion detection method (ACO-FS -SVM) combining ant coony agorithm to seect the features with a feature weighting SVM. First, the use of support vector machine cassification accuracy and feature subset dimension construct a comprehensive fitness weighting index. Then use the ant coony agorithm for goba optimization and mutipe search capabiities to achieve optima soutions feature subset search feature. And then seected the key feature of network data and cacuated information gain access to various features weights and heavy weights to buid support vector machine cassifier based on the characteristics of network attacks right. At ast, refine the fina design of the oca search methods to make the feature seection resuts without redundant features whie improve the convergence resistance, and verify the data set by KDD1999 effectiveness of the agorithm. The resuts show that ACO-FS-SVM can effectivey reduce the dimension of features, and have improved network intrusion detection accuracy and detection speed. Keywords: Feature Seection, Feature Weighting, Ant Coony Optimization Agorithm, Support Vector Machines, Network Intrusion Detection 1. Introduction In recent years, the Internet scae growing, couped with its open, non-executives and undefended, the compex network intrusions, the number of intrusions and the growing degree of harm, network intrusion detection has been the focus of network security defense research[1]. With the rapid deveopment of information technoogy, government departments, research institutions, enterprises, business organizations dependence of information system is growing, and threats facing information security is aso increasing. Traditiona information security technoogy has been unabe to meet the requirements of modern information security. Information security situation assessment (information Security Situation Awareness, ISSA) came into being. On the basis of the integration of information security eements in macroscopic rea-time assess the security situation of information, and it can estimate the deveopment trend [2]. Network intrusion detection is a pattern recognition cassification probems, incuding feature seection, cassifier seection and optimization modues. Network data is very compex, with a high dimensiona feature. The feature set contains some redundant features and useess features, which wi increase the mode training time and computationa compexity, and have a negative impact intrusion detection resuts[3]. To this end, before network intrusion detection modeing, it often used the feature seection agorithm to seect beneficia feature subset of test resuts, in order to reduce the feature dimension. There are main sequence search agorithm, based on principa component ISSN: 1738-9976 IJSIA Copyright c 2015 SERSC

anaysis, genetic agorithms, partice swarm optimization and other feature seection method [3,4]. In addition to the feature subset seection, network intrusion detection resuts are aso cosey reated to the cassifier and parameter. The current network intrusion detection mode is mainy Bayesian networks, neura networks and support vector machines and other non-inear cassification agorithm[5,6]. Because the network intrusion detection is a arge sampe cassification probem, SVM training is sow for arge sampe, not conducive to rea-time and onine network intrusion detection. Neura network does not require prior knowedge, it can be non-inear, unimited approximation for the system, especiay radia basis function RBF(Radia Basis Function). Neura network has the advantages of simpe structure, fast earning, etc., which have been in network intrusion detection widey used[7]. In practica appications, RBF neura network cassification performance is cosey reated to its parameters. In order to obtain optima performance network intrusion detection mode, you need to seect the most adapted RBF neura network parameters[8]. In some network intrusion detection mode currenty proposed, many of which are features subset and RBF neura network parameters separatey. The seection sequence is not uncertain. So it usuay adopts randomy determined way, which is difficut to obtain the optima feature subset simutaneousy and RBF neura network parameters. To get the best effect of network intrusion detection, feature seection and RBF neura network parameters shoud be carried out simutaneousy. When the network intrusion modeing, feature seection and cassifier design are critica, which wi directy affect the network intrusion detection performance[9]. Since the origina network intrusion signature contains a number of redundant features and test resuts from the "reactive" noise characteristics. If they are directy input to the cassifier to earn, they have a negative impact on the rate of the attack detection, and the detection efficiency is reduced. So the need to choose the network intrusion detection resuts strongy reated key features to reduce the feature dimension [10]. Network Intrusion cassifier design is another important eement in addition to outside of feature seection. Cassifier wi affect the fina detection accuracy and computationa compexity. There are currenty used widey fisher inear discriminant (FLD), support vector machine (SVM) and neura network cassifiers[11-13]. SVM is a machine earning agorithm based on statistica earning theory and structura risk minimization principe. According to the imited sampe information in the mode, it can find the best compromise between compexity and earning abiity to gain better generaization abiity. Through mapping can sove earning probems of high-dimensiona space, with good generaization abiity to overcome oca minimum, the curse of dimensionaity and other issues. It becomes the major network detection agorithm[14-15]. The traditiona SVM agorithm assumes that a network intrusion feature have the same importance. But if the network data contains weak correation with intrusion detection and even reated features, it wi affect the network intrusion cassifier to some extent on the promotion abiity, resuting in ow precision study[16]. Feature weighting according to the different importance of the features, each feature gives a number [0,1] to indicate the importance of the feature, the more important features of the greater weight was given [17]. In order to increase network intrusion detection effect, the first ant coony optimization agorithm (ACO) to seect features. And then we use the information gain agorithm to cacuate the feature weight. Finay, a feature seection and weighted support vector machines (FS-SVM) network intrusion detection methods (ACO-FS-SVM) is proposed, which is on KDD CUP 99 data set to test the merits of the agorithm. The resuts show that, compared to other intrusion detection method, network intrusion detection rate and efficiency of ACO-FS-SVM has improved significanty. 260 Copyright c 2015 SERSC

2. ACO-FS-SVM Network Intrusion Detection Fow ACO-FS-SVM agorithm use wrapper feature to seect mode. It uses the automatic optimization capabiity ACO to goba search in the feature space, gets a different combination of features. According to the resuts of SVM cassification to determine the features of the combination of cassification performance, and constanty update the seected feature sets, unti the search resuts to obtain the best cassification feature combination. First extract the characteristics of network status information, and then send into the ACO-FS-SVM cassification feature seection modue to seect the best feature set for network intrusion detection. ACO-FS-SVM intrusion detection network fow mode is shown in Figure 1. Train set Data preprocessing Feature seection Ant coony agorithm feature seection Support vector machine Optima feature subset NO YES Test set Data preprocessing Network intrusion detection mode Intrusion Norma Figure 1. The Working Fow of ACO-FS-SVM Network Intrusion Detection Mode 3. ACO-FS-SVM Network Intrusion Detection Method Ant Coony Optimization (ACO) is a coective inteigence agorithms, simuated ants foraging information exchange and mutua cooperation, with positive feedback, goba search abiity and distributed computing, etc. The time of the proposed agorithm is athough ate, but deveoped rapidy. It has been widey used in soving the TSP, job-shop scheduing, network route(qos), knapsack and other aspects. And the simuation resuts show that ant coony agorithm has good resuts[18,19]. In network intrusion detection feature seection, the need for network intrusion detection features to be accessed as a pace of ants, which wi be converted feature optimization probem into a path search probem. A. The Fitness Function Estabishment Network intrusion feature seection incude two aspects: 1seect features subset to make the network attack detection accuracy rate higher. 2the feature dimension as far as Copyright c 2015 SERSC 261

possibe smaest. But in fact a contradiction between the two. In order to make the baance, this research of fitness function is defined as: d f ( s) Perror (1 ) (1) D Where, d is the dimension of feature seection subset s. D is the dimension of candidate feature set. Perror is cassification error rate. λ is the weighting coefficient of cassification error rate. The computationa formua of weighting coefficient λ is 100 (2) 100 Dx where, x presents the percentage of network intrusion detection reduced error rate when features increase one dimension(x%). B. Feature weighting SVM Use feature weighting kerne function constructed SVM, we ca feature weighting SVM. Weighting function is weighted for one feature. The kerne function kp is defined as T T k ( x, x ) k( x P, x P) (3) p i j i j P is caed feature weighting matrix, where Pii=ωi(1<i<n) means the weighting of ith feature. Generay speaking, ωi is not a equa. If an ωi=0, represents the kth feature has nothing to do with the output of the cassifier. T T xi P x jp k p ( xi, x j ) exp( ) 2 (4) T T (( xi x j ) PP ( xi x j )) exp( ) 2 Feature weighting support vector machine(fs-svm) agorithm is described as foows. 1 min T C i, b, 2 i1 (5) st.. T y ( ( x ) b) 1 i i i i 0, i1,2,, where, C>0 is a penaty parameter. FS-SVM can be described as a quadratic programming probem. In the case of ony the minimum required points, we can use the Lagrange mutipier method for soving minimum ωi: 1 T L(, i, b, i ) Ci 2 i1 (6) i1 T ( y ( ( x ) b) 1 ) i i i i where, i is agrange mutipiers. Partia derivative, b, respectivey, and make them equa 0. L i yi( xi ) 0 i0 L iyi 0 (7) b i0 L Csi i 0 i 2 262 Copyright c 2015 SERSC

Put formua(13) into formua(12), get the dua probem of formua(11): 1 min y y K( Px, Px ) a 2 st.. i1 i j i j i j j i1 j1 j1 y 0;0 C; i 1,2,, i i i Sove the dua probem to get optima decision function i1 (8) f ( x) sgn( i yik( Pxi, Px j ) b) (9) Network intrusion cassification FW-SVM agorithm is as foows: Step1: Coect network data training sampe set {(x1,y1),,(xi,yi)}, xi=(x1i,x2i,,xdi) is a d-dimensiona vector, yi (+1,-1), i=(1,,) Step2: Seect high-impact features by ACO. Step3: Cacuate weight vaue w of each feature method based on the information gain method, and construct its feature vector β=diag(β1,β2,,βn)t. Step4: Seect the appropriate penaty parameter C> 0, according to formua (14) constructed and soved quadratic programming optimization probem, obtain the optima soution for α=(α1,,α)t. Step5: αj(0<αj<c) is a component of the α. (xi,xj) is its corresponding sampe points. Cacuated b, construct optima cassification Hyperpane(ω x)+b=0, get network intrusion cassification decision function: f(x)=sgn((ω x)+b. C. Determination of ants state transition probabiity Feature is the nodes that each ant must go through. Each compete a cyce, an ant traverse a features. Each feature has a probabiity of seection, each of the ants through a feature node according to the seected characteristics of the probabiity to determine whether features are seected. Ants use feature seection probabiity, the greater the probabiity of seection feature, the greater the ikeihood of being seected. The probabiity of ants from feature i to j is: ij ( t) ij ( t), k j s tabu k p () t ( t) ( t) (10) ij is is 0 otherwise where, ij is inspiring factor determined by the intrusion detection accuracy. The arger is, the greater the ants move to feature j. () t is the pheromone from feature i to ij feature j at t time. Tabuk is the tabu ist of ant k. In the state transition probabiity, α represents the weighting of pheromone, and β represents the weighting of inspiration factor. According to reference [11], α in this study is a constant, β is determined by the formua (11). n 0 1 (11) Nmax Where, n is iterations. β 0 is the initia vaue of inspiration factor weighting. N max is the maximum iteration. ij Copyright c 2015 SERSC 263

D. Loca Refine the Search Process After k sub-set of ants important feature search, has got k important feature. In order to prevent some features of the network intrusion detection irreevant or redundant features retained in the feature subset, search for the optima feature uj in k feature to meet: F( S ) min S, i (12) where U is for any feature subset ui, denote Si=Sm ui {fn}. E. Update Pheromone in Path Ant coony agorithm is mainy done through information feedback mechanism. The pheromone update mechanism has two kinds: oca information and goba information. The goba information can speed up the search agorithm, to increase the goba optima feature probabiity. So each competed a search, each round of search path information concentration needs to be updated on every road, specific for k ij ( n1) ij ( n1) ij k k Q (13) ij Fs ( k ) Where, n is iterations. ρ is pheromones residua factor. k is the number of ants. F(s k ) is thefitness vaue. Q is the growth concentration of pheromone. From pheromone update rue can know that, the smaer the fitness function of features subset, the higher the pheromone concentration is. Then it wi attract more ants to the path search. To strengthen the impact of the optima path, for pheromone increase additiona incentive, namey: * Q ij ij (14) Fs ( ) where, F(s opt ) is the fitness function for optima feature subset in this round. The impact of ρ on the convergence of ant coony optimization agorithm is very obvious. The greater ρ is, the convergence is sow. but it is not easy to fa into oca optimum. ρ is smaer, the agorithm converges fast but easy to fa into oca optimum. In this study, based on references [8], ρ vaue is set to: n 0 1 (15) 3 Nmax where, ρ 0 is the initia vaue of information residua factor. F. The ants Search Termination Condition Under norma circumstances it is difficut to determine the dimensions of optima feature subset. The study of ants search termination conditions is 3 consecutive increasing features, F(s) does not happen too much change, said the current round of search termination. 4. Simuation Test A. Data Sources The experimenta data seected KDD CUP 99 data sets, and the data sets of data contained 41-dimensiona features, 34 numeric fieds and seven symboic fied. 41-dimensiona features can be divided into four parts: the basic features of TCP j i i opt 264 Copyright c 2015 SERSC

connections (1 ~ 9 No. features), content features of TC connections(10 to 22 No. features), network traffic statistics feature based on time(23 to 31 No. features), network traffic statistics feature based on host (32 to 41 No. features). The data set divided into four types of intrusions: Probe (scanning and detection), DoS (denia of service attack), U2R (unauthorized access to oca super user) and R2L (unauthorized remote access), see Tabe 1. In P4 dua-core 2.8G CPU, 1G RAM, Windows XP operating system for the simuation environment, using VC ++ 6.0 agorithm Tabe 1. The 41 Data Features of Network Connection Basic features Connections content features Network traffic statistics feature based on time Network traffic statistics feature based on host 1. duration C 10. hot C 23. count C 32. dst_host_count C 2. protoco_type D 11. num_faied_ogins C 24. serror_rate C 33. dst_host_srv_count C 3.service D 12. ogged_in D 25. rerror_rate C 34. dst_host_same_srv_rate C 4. src_bytes 13. num_compromised 26. same_srv_rate C 35. dst_host_diff_srv_rate C C 5. dst_bytes C 14. root_she D 27. diff_srv_rate C 36. dst_host_same_src_port_rate C 6. fagd 15. su_attempted D 28. srv_count C 37. dst_host_srv_diff_host_rate C 7. and D 16. num_root C 29. srv_serror_rate C 38. dst_host_serror_rate C 8. 17. num_fie_creations 30. srv_rerror_rate C 39. dst_host_srv_serror_rate C wrong_fragment C C 9. urgent C 18. num_shes C 31. srv_diff_host_rate C 40. dst_host_rerror_rate C 19. num_access_fies C 41. dst_host_srv_rerror_rate C 20. num_outbound_cmds C 21. is_hot_ogin D 22. is_guest_ogin D A. Resuts and Anaysis Performance comparison before and after feature seection (1) Because the origina data set is too arge, a sma portion of this was chosen as the experimenta data of the data set. The training set of randomy seected 5000 and 1000 test set, and they are normaized characteristics, reduced into [0, 1] range. (2) The training set is input to the SVM for training and test sets for testing. Feature seection before the intrusion detection resuts are obtained. (3) The training set is input to the SVM. Use ACO agorithm combining SVM feature to seect. Optima features as shown in Tabe 2. (4) According to the resuts of the step (3) feature seection for screening training set and testing set (5) The step (4) obtained the training set put into the SVM for training and test sets for testing, intrusion detection resut obtained after the feature seection. (6) Comparison the detection resut and the running time of step (2) and step (5). Copyright c 2015 SERSC 265

Tabe 2. ACO Feature Seection intrusion type feature subset probe 2,4,9,21,29,32,33,34,35 Dos 2,3,7,9,16,20,27,32,37,40 U2R 2,4,9,20,31,21,29,32,33,34,35 R2L 1,2,3,4,6,7,9,11,16,20,21,23,27 Norma 2,3,4,7,8,9,10,15,16,21,22,23, 25 Using 5 experiments to take the average of the test resuts. It can obtain intrusion detection rates before and after feature seection are shown in Tabe 3, the running time shown in Tabe 4. As apparent from Tabe 3, the average rate of intrusion detection after feature seection network increased by 3.10%. The resuts show, feature seection can be more accuratey depicts the network status change information, eiminated redundant and useess information. Intrusion detection performance of feature seection improved significanty. Tabe 3. Comparative the Average Rate of a Intrusion Detection before and after Feature Seection (%) Intrusion type Origina features After seection features Increasing vaue probe 89.76 93.27 3.51 Dos 92.71 95.49 2.78 U2R 87.8 92.53 4.73 R2L 87.48 90.85 3.37 Norma 92.12 93.25 1.13 Average vaue 89.97 93.07 3.10 From Tabe 4, the feature seection greaty reduced run-time network intrusion detection mode. It indicates that the network through ACO feature seection can be achieved by a number of key features, which eiminate unwanted features, reduce the number of SVM input dimension and computing time, speed up the detection speed. Network feature seection to meet rea-time requirements can be more network intrusion detection. Tabe 4. Comparison Running Time (ms) before and after Feature Seection Intrusion type Origina features After seection feature Reduction vaues Probe 32.00 23.88 8.12 DoS 23.51 17.99 5.52 U2R 7.78 4.99 2.79 R2L 5.27 3.84 1.43 Norma 10.55 6.89 3.66 266 Copyright c 2015 SERSC

权 值 权 值 权 值 权 值 Internationa Journa of Security and Its Appications Network intrusion performance comparison before and after feature weighting Firsty, use information gain method to cacuate the weight of each feature, the resuts shown in Figure 3. And then dea with the weight of the feature and buid weighted support vector machine cassifier network intrusion, get test resuts are shown in Tabe 5. 1 0.9 0.8 0.7 Weight 0.6 0.5 0.4 0.3 0.2 0.1 0 2 4 9 21 29 32 33 34 35 特 征 编 号 The feature seria number (a) The Probe feature subset weight distribution 1 0.8 Weight 0.6 0.4 0.2 0 2 3 7 9 16 20 27 32 37 40 特 征 编 号 The feature seria number (b) The DoS feature subset weight distribution 1 0.8 Weight 0.6 0.4 0.2 0 2 4 9 20 31 21 29 32 33 34 35 特 征 编 号 The feature seria number (c) The U2R feature subset weight distribution 1.00 0.80 Weight 0.60 0.40 0.20 0.00 1 2 3 4 6 7 9 11 16 20 21 23 27 特 征 编 号 The feature seria number (d) The R2L feature subset weight distribution Copyright c 2015 SERSC 267

权 值 Internationa Journa of Security and Its Appications 1.00 0.80 Weight 0.60 0.40 0.20 0.00 2 3 4 7 8 9 10 15 16 21 22 23 25 The feature 特 seria 征 编 号 number (e) The Norma feature subset weight distribution Figure 2. A Kinds of Invasion of the Feature Subset of Weight Distribution From Tabe 5, under the same experimenta conditions, the network intrusion detection methods ACO-FS-SVM, both in terms of time efficiency or network intrusion detection rates are higher than the origina SVM method. Intrusion detection reached for Norma of 99.13%, which was mainy due to the increased vaue of the cassification affect more significant characteristic quantities. The origina in the network data sampes near the cassification surface is miscassified been corrected, and the origina cassified correct network data sampe basicay did not happen change. Therefore, by the weighting network intrusion of a kinds of intrusion detection accuracy have varying degrees increase. Tabe 5. The Intrusion Detection Rate(%) Comparison before and after Weighting invasion type Before weighting (ACO- SVM) after weighting (ACO-FS-SVM) increasing vaue probe 93.27 98.46 5.19 Dos 95.49 97.09 1.6 U2R 92.53 98.68 6.15 R2L 90.85 98.56 7.71 Norma 93.25 99.13 5.88 average vaue 93.07 98.38 5.30 Because support vector (SV) can fuy characterize the training dataset, the division of the set of SV equivaent to the division of the entire training data set. In order to further iustrate the effectiveness and advantages of ACO-FS-SVM, further comparative anaysis of support vector set before and after the feature weighting, the resuts shown in Figure 3. 268 Copyright c 2015 SERSC

1000 800 915 855 600 578 加 权 前 加 权 后 400 200 255 200 120 0 The number of support vector Wrong points sampe number 支 持 向 量 数 BSV 错 分 样 本 数 Figure 3. Support Vector Set Comparison before and after Feature Weighted Figure 3 shows that after weighting, the tota number of support vectors dropped from 915 to 578. It indicates that ACO-FS-SVM generaization is better, border support vector (bounded support vector, BSV) number dropped from 855 to 255, decreased by70.17%. Wrong points sampe aso decined dramaticay. The resut showed that before weighting, the data sampes at the network boundary hyperpane are many. By weighting processing, significanty reducing the data sampes in the cassification of these networks poygon boundaries. It indicates that ACO -FS-SVM on feature weighted, can increase network intrusion detection. 5. Concusion For today's compex network robustness evauation mode ony consider the robustness of the network topoogy and the defect of oca effect of the faied node, so this paper proposes compex network function evauation agorithm based on node efficiency. The agorithm overa consider the goba infuence of node faiure, and use the efficiency of the node on network to define the oad of each node, Limit oad and faiure mode, with the rate of striking the utimate faiure nodes on network to measure the functionaity of the network, the resut of robustness experiment proofs: the agorithm is suitabe for assessing the robustness of arge-scae and sma-word network function, the compexity of agorithm time is O (n2). Acknowedgements This work was supported by.hunan Province Natura Science Foundation Project No. 14JJ2124. References [1] Andrew R,Peters G P, Lennox J. Approximation and regiona aggregation in muti-regiona input-output anaysis for nationa carbon footprint accounting. Economic Systems Research, 2009, 21 (3): 311-335. [2] Boyd J P,Fitzgerad W J,Mahutga M C,Smith D A. Computing continuous core/periphery structures for socia reations data with MINRES/SVD, Socia Networks, 2010, 32 (2): 125-137. [3] Dietzenbacher E. More on Mutipiers. Journa of Regiona Science, 2005, 45 (2): 421-426, [4] Houb H W,Schnab H. Quaitative input-output anaysis and structura information. Economic Modeing, 2012, 2(1): 67-73. [5] Houb H W? Tappeiner G. A genera quaitative technique for the comparison of economic structures. Quaity & Quantity, 2010, 22 (3): 293-310. Copyright c 2015 SERSC 269

[6] Kranich J. Aggomeration, vertica speciaization, and the strength of industria inkages. Papers in Regiona Science, 2011, 90 (1): 159-178. [7] Muhammad J. Mirza, Nadeem Anjum. Association of Moving Objects Across Visua Sensor Networks. Journa of Mutimedia, Vo 7, No 1 (2012) pp. 2-8 [8] Phakpoom T. Custering and Industria Deveopment: Evidence from Thaiand. Nagoya University, 2011. [9] Kwak S J,Yoo S H,Chang J I. The roe of the maritime industry in the Korean nationa economy: an input-output anaysis. Marine Poicy, 2011, 29(4): 371-383. [10] Labaj M. Quaitative input-output anaysis and nationa innovation system in Sovakia. Internationa Journa of Transitions and Innovation Systems, 2011, 1 (2): 105-116. [11] Lahr M L,Mesnard L D. Biproportiona Techniques in Input-Output Anaysis: Tabe Updating and Structura Anaysis. Economic Systems Research, 2009, 16 (2): 115-134. [12] Lee S,Yooka S H,Kimb Y. Centraity measure of compex networks using biased random waks. The European Physica Journa, 2010, 68 (2): 277-281. [13] Midmore P,Munday M,Roberts A. Assessing industry inkages using regiona input-output tabes. Regiona Studies, 2006, 40 (3): 329-343. [14] Muniz A S G,Raya A M,Carvaja C R. Core periphery vaued modes in input-output fied: A scope from network theory. Regiona Science, 2011, 90 (1): 111-121. [15] OosterhavenJ, Cardenoso F E. A new method to estimate input-output tabes by means of structura ags,tested on Spanish regions. Papers in Regiona Science, 2011, 90 (4): 829-844. [16] Roepke H,Adams D,Wiseman R. A new approach to the identification of industria compexes using input-output data. Journa of Regiona Science, 2000, 14 (1): 15-29 [17] S. Li, Y. Geng, J. He, K. Pahavan,Anaysis of Three-dimensiona Maximum Likeihood Agorithm for Capsue Endoscopy Locaization, 2012 5th Internationa Conference on Biomedica Engineering and Informatics (BMEI), Chongqing, China Oct. 2012 (page 721-725) [18] Y. Geng, J. He, H. Deng and K. Pahavan, Modeing the Effect of Human Body on TOA Ranging for Indoor Human Tracking with Wrist Mounted Sensor, 16th Internationa Symposium on Wireess Persona Mutimedia Communications (WPMC), Atantic City, NJ, Jun. 2013. [19] San C J R,Biezma M V. The mining industry in the European Union: Anaysis of inter-industry inkages using input-output anaysis. Resources Poicy, 2006, 31(1):1-6. [20] Sanchez C J, Duarte R. Production Chains and Linkage Indicators. Economic Systems Research, 2003, 15 (4): 481-494. Authors Wang Xingzhu, mae, was born in 1974, in Hunan province. He is an associate professor in Furong Coege Hunan, University of Arts and Science. His Main research area is network security. 270 Copyright c 2015 SERSC

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information