
CN112052450A - Intrusion detection method and device based on negative selection algorithm - Google Patents

Publication number
CN112052450A
Authority
CN
China
Prior art keywords
detector
empty
data
empty grid
grid
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010733504.XA
Other languages
Chinese (zh)
Other versions
CN112052450B (en
Inventor
杨超
闻海洋
陈炳秋
程镇
骆傲然
李琲珺
贾琳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hubei University
Original Assignee
Hubei University
Application filed by Hubei University filed Critical Hubei University
Priority to CN202010733504.XA priority Critical patent/CN112052450B/en
Publication of CN112052450A publication Critical patent/CN112052450A/en
Application granted granted Critical
Publication of CN112052450B publication Critical patent/CN112052450B/en

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/21Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic


Abstract

The invention provides an intrusion detection method and device based on a negative selection algorithm. The method first carries out grid division on the feature space represented by a data set to form a plurality of equal-size grid objects. The purpose of the algorithm is to have the detectors cover as much of the non-self region as possible; since an empty grid object contains no self data and is therefore equivalent to a non-self region, it can be used directly as a candidate detector. For non-empty grid objects, candidate detectors are generated in each non-empty grid object in turn using a traditional algorithm, which reduces the time cost of distance calculation and improves detector generation efficiency; the algorithm takes the expected coverage rate of the non-empty grid object region as the termination condition. Experimental results show that the efficiency and performance of the algorithm are obviously superior to those of a classical negative selection algorithm.

Description

Intrusion detection method and device based on negative selection algorithm
Technical Field
The invention relates to the technical field of network security, in particular to an intrusion detection method and device based on a negative selection algorithm.
Background
Intrusion detection is the process of identifying features that attempt to breach the confidentiality, integrity, security, etc. of a computer or computer network. In essence, intrusion detection analyzes the key information of a computer host or a computer network, extracts the main features, compares them with the basic general computer patterns, and then makes an intelligent judgment. Because of the importance of network security, scholars at home and abroad have tried to apply algorithms from various fields to intrusion detection; common methods include artificial immune systems, artificial neural networks, swarm intelligence algorithms, support vector machines and the like.
The main current approaches to the intrusion detection problem have the following defects:
(1) When traditional intrusion detection technology processes large-scale network data, the processing speed is low, the real-time performance is poor, effective features cannot be extracted from a large amount of data, and the detection efficiency is low.
(2) When traditional intrusion detection technology faces a complex and changeable network environment, missed reports and false reports often occur.
An ideal intrusion detection method should be able to accurately detect intrusion activity and respond quickly when intrusion activity is detected, these characteristics having a large similarity to the biological immune system. The artificial immune system is a bionic intelligent computing method which is inspired by the functions, principles and methods of a biological immune system and solves the problems in the field of computers. The artificial immune system designs an immune model and an immune algorithm by simulating the treatment mode of the biological immune system on external pathogens, and the research mainly focuses on aspects of immune recognition, immune learning, immune memory, clonal selection, immune network and the like, wherein a negative selection algorithm and a clonal selection algorithm in the immune recognition model are commonly used for solving the problem of intrusion detection.
The negative selection algorithm is widely applied to network intrusion detection, but it still has problems such as a high false alarm rate, low accuracy and high detector set redundancy when solving the intrusion detection problem. For example, ZHOU J et al. proposed a variable-radius real-valued negative selection algorithm (V-Detector): for a randomly generated candidate detector, the radius of the detector is determined by calculating the distance to the self sample closest to the candidate detector. Although detector redundancy is reduced to some extent, the problem of "black holes" cannot be effectively solved. LIU Z et al. proposed an improved negative selection algorithm based on subspace density search (SDS-RNSA), which obtains the dense subspace regions of the sample data through a subspace density search algorithm and generates detectors in each subspace region to improve the efficiency and performance of the algorithm, but the false alarm rate in the detection process is slightly higher. CHEN W et al. proposed a negative selection algorithm based on antigen soft subspace clustering (ASSC-NSA), which calculates the key features and their weights for different kinds of antigens by antigen soft subspace clustering and then uses these key features to guide detector generation, effectively reducing detector redundancy, but the detector generation efficiency of the algorithm is not high.
Explanation of terms:
Negative selection algorithm: an intelligent algorithm whose design is inspired by the thymic T cell generation mechanism in the biological immune system;
Self: in the invention, refers specifically to normal behavior in intrusion detection;
Non-self (Nonself): in the invention, refers specifically to intrusion behavior in intrusion detection;
Grid partition (mesh partitioning): a data preprocessing method that divides the model to be processed into a plurality of small units and executes the desired operations on each of them, so as to improve execution efficiency.
Disclosure of Invention
Aiming at the technical problems in the prior art, the invention provides a real-valued negative selection algorithm based on grid division, and the grid division method is applied to the detector generation stage of the negative selection algorithm, so that the generation efficiency and the detection rate of the detector are effectively improved.
The technical scheme for solving the technical problems is as follows:
an intrusion detection method based on a negative selection algorithm comprises the following steps:
carrying out grid division on a feature space where training set data are located to obtain a non-empty grid object set and an empty grid object set; the training set data comprises only self data;
constructing a detector set with an initial value of null, taking a region represented by an empty grid object as a non-self region, taking a range represented by the non-self region as a mature detector, and adding the mature detector into the detector set;
sequentially generating a detector in each non-empty grid object by using a detector generation algorithm until the generation of the detectors in all the non-empty grid objects is finished;
and carrying out intrusion detection on data to be detected by using the detectors in the detector set.
The invention has the beneficial effects that: the invention provides a negative selection algorithm based on grid division, which is applied to intrusion detection. The method divides the characteristic space where the data set is located into grids to form a plurality of empty grid objects and non-empty grid objects with the same size, directly uses the empty grid object set as a detector, and sequentially generates candidate detectors in each grid object by using a traditional algorithm for the non-empty grid object set, so that the generation efficiency of the detector is improved. Compared with the traditional intrusion detection method based on the negative selection algorithm, the method has the following advantages:
(1) the invention applies the grid division method to the detector generation stage of the negative selection algorithm, thereby improving the generation efficiency of the detector, effectively solving the problem that the time cost of the detector training in the traditional negative selection algorithm increases exponentially along with the self number, and effectively improving the intrusion detection efficiency.
(2) Traditional intrusion detection methods often produce missed reports and false reports; the invention effectively reduces the false report rate in the intrusion detection process and improves the detection rate in the detection process.
Further, the grid division of the feature space where the training set data is located to obtain a non-empty grid object set and an empty grid object set includes:
dividing each dimension of a feature space where training set data are located into the same number of segments to form a plurality of equal-size grid objects, and statistically dividing an empty grid object set and a non-empty grid object set;
wherein the meshing length L is determined by:
Figure BDA0002604165970000041
wherein, [ li,hi) And f is the interval range of the training set data in the ith dimension, and the number of segments divided in each dimension of the feature space.
Further, when the mesh is divided, firstly, each dimension of the feature space is divided into meshes according to the initially set number f of the division segments, and the non-empty mesh object is marked as NGThe number of non-empty mesh objects is denoted as num (N)G) If num (N)G) And if the division termination condition S is met, ending the division, otherwise, making f equal to f +1, and carrying out grid division on the feature space again until the division termination condition is met.
Further, the generating a detector in each non-empty mesh object in turn by using a detector generation algorithm until all detectors in the non-empty mesh objects are generated, includes:
S401, defining a detector repetition number counter m and a mature detector number counter t;
S402, selecting a grid object in the non-empty grid set and randomly generating a candidate detector a in the range represented by the grid object; if the detector a is in the range represented by a mature detector, making m = m + 1;
S403, calculating a distance r between the candidate detector a and the nearest self data; if the distance between the candidate detector a and the nearest self data is larger than r, incrementing t, making t = t + 1; otherwise, eliminating a and jumping to step S402;
S404, when the expected coverage rate of the detectors generated in the non-empty grid object is greater than or equal to the expected coverage rate p, detector generation in that grid object is complete; whether detector generation has reached the stop condition is judged by the following formula:
Figure BDA0002604165970000042
wherein p is the desired coverage, and Q and Z_a are condition control parameters in the above equation; Q is used to determine when to clear the counters, Q = max(5/p, 5/(1-p)); Z_a is a very small constant used to judge whether to continue generating detectors, and the invention takes Z_a = 0.001;
If coverage(p, t, m) = -1, the counters are cleared, t = m = 0, and the process goes to step S402; if coverage(p, t, m) > 0, the process goes directly to step S402; if coverage(p, t, m) > 1, the algorithm has reached the desired coverage and terminates.
In another aspect, the invention also provides an intrusion detection device based on the negative selection algorithm, comprising:
the grid division module is used for carrying out grid division on the feature space where the training set data is located to obtain a non-empty grid object set and an empty grid object set; the training set data comprises only self data;
the detector constructing module is used for constructing a detector set with an initial value of null, taking the area represented by the empty grid object as a non-self area, taking the range represented by the non-self area as a mature detector, and adding the mature detector into the detector set; the device is used for sequentially generating detectors in each non-empty grid object by using a detector generation algorithm until the detectors in all the non-empty grid objects are generated;
and the detection module is used for carrying out intrusion detection on the data to be detected by using the detectors in the detector set.
Drawings
Fig. 1 is a schematic structural diagram of an intrusion detection device based on a negative selection algorithm according to an embodiment of the present invention;
Fig. 2 and fig. 3 are data distribution diagrams before and after grid division on a two-dimensional training set; the white grids in fig. 3 are empty grid objects, the dark gray grids are non-empty grid objects, and the white circles in fig. 2 and fig. 3 represent self data;
fig. 4 is a flowchart of an intrusion detection method according to an embodiment of the present invention.
Detailed Description
The principles and features of this invention are described below in conjunction with the following drawings, which are set forth by way of illustration only and are not intended to limit the scope of the invention.
The invention aims to solve the intrusion detection problem by combining a negative selection algorithm with grid division. The conventional negative selection algorithm randomly generates candidate detectors, matches them against all self data and then removes the invalid detectors (detectors that identify self, and repeated detectors). The detectors generated in this way are highly redundant and have difficulty covering the whole non-self region, and the detector generation efficiency of the process is low.
First, an embodiment of the present invention provides an intrusion detection device based on a negative selection algorithm, as shown in fig. 1, including:
the grid division module is used for carrying out grid division on the feature space where the training set data is located to obtain a non-empty grid object set and an empty grid object set; the training set data comprises only self data;
the detector constructing module is used for constructing a detector set with an initial value of null, taking the area represented by the empty grid object as a non-self area, taking the range represented by the non-self area as a mature detector, and adding the mature detector into the detector set; the device is used for sequentially generating detectors in each non-empty grid object by using a detector generation algorithm until the detectors in all the non-empty grid objects are generated;
and the detection module is used for carrying out intrusion detection on the data to be detected by using the detectors in the detector set.
On this basis, to address the low generation efficiency of detectors, the embodiment of the invention provides a negative selection algorithm based on grid division. The algorithm first carries out grid division on the feature space represented by a data set to form a plurality of equal-size grid objects. The purpose of the algorithm is to have the detectors cover as much of the non-self region as possible; since an empty grid object contains no self data and is therefore equivalent to a non-self region, it can be used directly as a candidate detector. For non-empty grid objects, candidate detectors are generated in each non-empty grid object in turn using a traditional algorithm, which reduces the time cost of distance calculation and improves detector generation efficiency; the algorithm takes the expected coverage rate of the non-empty grid object region as the termination condition. Experimental results show that the efficiency and performance of the algorithm are obviously superior to those of a classical negative selection algorithm.
Specifically, the negative selection algorithm based on grid division is mainly divided into three parts: in the first part, in the mesh division stage, a characteristic space where self-body data is located is divided through a mesh division algorithm to obtain a non-empty mesh object set; a second part, namely, a step of generating a detector by using an empty grid, wherein a region represented by an empty grid object is used as a non-self region and is added into a detector set; and a third part, namely a non-empty grid generation detector stage, wherein a detector is sequentially generated in each non-empty grid object by using a detector generation algorithm until all detectors in the non-empty grid objects are completely generated.
Further, this embodiment adopts the following method to explain this technical solution in detail:
Step 1, experimental data set and preprocessing
The KDDCup99 data set consists of extracted network flow intrusion detection data; it is the reference data in the field of network intrusion detection and lays a foundation for research on network intrusion detection. The data set has 41 fixed feature attributes and 1 class identifier. The identifier indicates whether the connection record is Normal or a specific attack type, and the class identifiers fall into five classes: Normal, DOS, R2L, U2R and Probing. Because the data set is large and contains a lot of repeated data, four sub data sets of the data set are selected for the experiments (namely KDDTrain+, KDDTest, KDDTest+ and KDDTest-21). Before the experiment, Linear Discriminant Analysis (LDA) dimension reduction and normalization are applied to the four sub data sets. The basic information of the NSL-KDD data set is as follows:
Data set      Total amount of data   Normal data   Attack data   Feature dimension
KDDTrain+     125973                 67343         58630         41
KDDTest       49403                  15236         34167         41
KDDTest+      22544                  9711          12833         41
KDDTest-21    11850                  2152          9698          41
Step 2, sample initialization and parameter initialization setting
In the invention, an antigen represents network flow data of any type, including attack data and normal data, and an antibody represents a detector. The experiment takes the normal data of the KDDTrain+ data set as the training set and KDDTest+, KDDTest-21 as the test set. The self radius r is set as the range represented by each training datum in the feature space, n is the number of training set data, and the division termination condition S is:
Figure BDA0002604165970000081
where c is a control parameter used to control the grid density in each grid object; in the present invention, c = 25 for the KDDCup data set. The experimental parameters are set as follows:
Data set      Expected coverage rate   Self radius r   Division termination condition S
KDDTrain+     99%                      0.015           n/25
Step 3, grid division
Aiming at the intrusion detection problem, a grid division algorithm is used for dividing each dimension of a feature space where sample data is located into the same segment number, a plurality of grid objects with the same size are formed, and empty grid objects and non-empty grid objects are statistically divided. The grid length L is therefore:
Figure BDA0002604165970000082
wherein, [ li,hi) And f is the interval range of the sample data of the intrusion detection data set in the ith dimension, and f is the number of segments divided by each dimension of the feature space.
The data distribution before and after the division of the two-dimensional data set a is shown in fig. 2 and fig. 3.
Step 4, empty grid detector generation
From the grid objects obtained in the previous step, the empty grid objects are taken out, and the range represented by each empty grid object is added directly to the final detector set as a mature detector.
Step 5, generating candidate detectors by non-empty grids
One grid object is taken out of the non-empty grid object set and a candidate detector a is randomly generated in the range represented by the grid object; if a is in the range represented by a mature detector, the detector repetition number counter m is incremented, m = m + 1.
Step 6, judging the validity of the candidate detector
Calculate the distance r between the candidate detector a and the nearest normal data antigen; if a is not within the radius range of the normal data, increment the mature detector number counter t, t = t + 1; otherwise, reject a and return to step 5.
Step 7, termination condition judgment
When the expected coverage rate of the detectors generated in each non-empty grid object is greater than or equal to the expected coverage rate p, detector generation in that grid object is complete, and the process jumps to step 5. The termination condition is judged by:
Figure BDA0002604165970000091
wherein p is the desired coverage, and Q and Z_a are condition control parameters in the above equation; Q is used to determine when to clear the counters, Q = max(5/p, 5/(1-p)); Z_a is a very small constant used to judge whether to continue generating detectors, and the invention takes Z_a = 0.001;
If coverage(p, t, m) = -1, the counters are cleared, t = m = 0, and the process goes to step S402; if coverage(p, t, m) > 0, the process goes directly to step S402; if coverage(p, t, m) > 1, the algorithm has reached the desired coverage and terminates.
In the process of generating the detector, only the self data in the corresponding grid object need to be compared, so that the cost of distance calculation is reduced, and the time for generating the detector can be effectively reduced.
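Steps 3 to 7 can be followed end to end in the sketch below, which is an added example and not code from the patent. The function names, the cell length (h_i - l_i)/f, reading "meets S" as num(N_G) >= S, the variable detector radius (distance to nearest self minus r), and the stop rule (a run of 1/(1-p) already-covered candidates, standing in for coverage(p, t, m), whose formula is not reproduced on this page) are all assumptions; the self samples are constructed.

```python
import math
import random

def cell_of(x, lo, hi, f):
    """Grid index of x, or None when x lies outside [lo_i, hi_i) in some dimension."""
    idx = []
    for v, l, h in zip(x, lo, hi):
        if not l <= v < h:
            return None
        # Assumed cell length (h - l) / f; the page's formula for L is an image.
        idx.append(min(int((v - l) / ((h - l) / f)), f - 1))
    return tuple(idx)

def partition(self_data, lo, hi, f):
    """Map each non-empty cell index to its self samples; all other cells are empty."""
    cells = {}
    for s in self_data:
        idx = cell_of(s, lo, hi, f)
        if idx is None:
            raise ValueError("self sample outside the feature-space bounds")
        cells.setdefault(idx, []).append(s)
    return cells

def choose_f(self_data, lo, hi, f0, S, f_max=64):
    """Raise f until num(N_G) >= S (assumed meaning of 'meets S'); f_max bounds the loop."""
    f = f0
    while len(partition(self_data, lo, hi, f)) < S and f < f_max:
        f += 1
    return f

def train(self_data, lo, hi, f, r, p=0.99, max_tries=2000, seed=0):
    """Empty cells become detectors implicitly; non-empty cells get ball detectors."""
    rng = random.Random(seed)
    stop_after = round(1 / (1 - p))  # stand-in stop rule, not the patent's coverage()
    detectors = {}
    for idx, members in partition(self_data, lo, hi, f).items():
        found, m = [], 0
        for _ in range(max_tries):   # hard cap so a self-saturated cell still ends
            if m >= stop_after:
                break
            a = tuple(l + (i + rng.random()) * (h - l) / f
                      for i, l, h in zip(idx, lo, hi))
            if any(math.dist(a, c) < rad for c, rad in found):
                m += 1               # candidate already covered by a mature detector
                continue
            # Only the self samples of this cell are compared (the cost saving).
            d = min(math.dist(a, s) for s in members)
            if d > r:
                found.append((a, d - r))  # mature detector; radius is an assumption
                m = 0
            # else: candidate matches self and is rejected
        detectors[idx] = found
    return {"lo": lo, "hi": hi, "f": f, "detectors": detectors}

def is_intrusion(model, x):
    """True when x falls in an empty cell, out of range, or inside a detector ball."""
    idx = cell_of(x, model["lo"], model["hi"], model["f"])
    if idx is None or idx not in model["detectors"]:
        return True
    # Only detectors of x's own cell are consulted, which clips each ball to its cell.
    return any(math.dist(x, c) < rad for c, rad in model["detectors"][idx])

# Constructed self (normal) samples: a 5 x 5 cluster in a normalised 2-D space.
SELF = [(round(0.05 + 0.04 * i, 2), round(0.05 + 0.04 * j, 2))
        for i in range(5) for j in range(5)]
LO, HI = (0.0, 0.0), (1.0, 1.0)

if __name__ == "__main__":
    f = choose_f(SELF, LO, HI, f0=2, S=len(SELF) / 5)
    model = train(SELF, LO, HI, f, r=0.015)
    print("f =", f, "non-empty cells =", len(model["detectors"]))
    print("far point flagged:", is_intrusion(model, (0.8, 0.8)))
    print("self point flagged:", is_intrusion(model, SELF[0]))
```

Because an empty cell is treated as non-self as a whole, a normal sample that lies within r of a self point but just across a cell border is flagged, so the choice of f and the termination condition S trade training speed against false alarms near cell edges.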
The negative selection algorithm flow based on grid division is shown in fig. 4:
Step 8, experiment and analysis
The main purpose of the experiment of the invention is to verify whether the negative selection algorithm has the disadvantages described in the first section when applied to intrusion detection, and whether the negative selection algorithm based on grid division can specifically solve the disadvantages. To make the experimental results more accurate, the run times and detection rates on the three test sets were averaged over 20 experiments as shown in the table below:
Figure BDA0002604165970000092
Figure BDA0002604165970000101
As can be seen from the experimental results, the GP-RNSA provided by the invention has an obviously improved running time compared with V-Detector and SDS-RNSA on the three test sets. Meanwhile, the improved negative selection algorithm provided by the invention is similar to SDS-RNSA in detection rate, but obviously higher than V-Detector. This is because, after grid division, most of the training set data is concentrated in a few grid objects; when generating detectors, the algorithm directly takes the empty grid objects as detectors and then generates detectors in the non-empty grid objects using a conventional algorithm. Experimental results show that the improved clone selection algorithm provided by the invention has high efficiency and detection rate as a new method for solving intrusion detection.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (6)

1. An intrusion detection method based on a negative selection algorithm is characterized by comprising the following steps:
carrying out grid division on a feature space where training set data are located to obtain a non-empty grid object set and an empty grid object set; the training set data comprises only self data;
constructing a detector set with an initial value of null, taking a region represented by an empty grid object as a non-self region, taking a range represented by the non-self region as a mature detector, and adding the mature detector into the detector set;
sequentially generating a detector in each non-empty grid object by using a detector generation algorithm until the generation of the detectors in all the non-empty grid objects is finished;
and carrying out intrusion detection on data to be detected by using the detectors in the detector set.
2. The method according to claim 1, wherein the gridding the feature space in which the training set data is located to obtain a non-empty grid object set and an empty grid object set comprises:
dividing each dimension of a feature space where training set data are located into the same number of segments to form a plurality of equal-size grid objects, and statistically dividing an empty grid object set and a non-empty grid object set;
wherein the meshing length L is determined by:
Figure FDA0002604165960000011
wherein, [ li,hi) And f is the interval range of the training set data in the ith dimension, and the number of segments divided in each dimension of the feature space.
3. The method according to claim 2, wherein in the mesh division, each dimension of the feature space is first mesh-divided according to an initially set number f of division segments, and a non-empty mesh object is marked as NGThe number of non-empty mesh objects is denoted as num (N)G) If num (N)G) If the division termination condition S is met, the division is finished, otherwise, if f is f +1, the grid division is carried out on the feature space again until the division termination condition is met; wherein
Figure FDA0002604165960000021
Where n is the number of training set data and c is a control parameter used to control the mesh density in each mesh object.
4. The method of claim 1, wherein the using a detector generation algorithm to generate detectors in each non-empty mesh object in turn until all detectors in the non-empty mesh object are generated comprises:
S401, defining a detector repetition number counter m and a mature detector number counter t;
S402, selecting a grid object in the non-empty grid set and randomly generating a candidate detector a in the range represented by the grid object; if the detector a is in the range represented by a mature detector, increasing m;
S403, calculating a distance r between the candidate detector a and the nearest self data; if the distance between the candidate detector a and the nearest self data is larger than r, incrementing t, making t = t + 1; otherwise, eliminating a and jumping to step S402;
S404, when the expected coverage rate of the detectors generated in the non-empty grid object is greater than or equal to the expected coverage rate p, detector generation in that grid object is complete; whether detector generation has reached the stop condition is judged by the following formula:
Figure FDA0002604165960000022
wherein p is the desired coverage, and Q and Z_a are control parameters; Q is used to determine when to clear the counters, Q = max(5/p, 5/(1-p)); Z_a is a constant used to determine whether to continue generating detectors.
If coverage(p, t, m) = -1, the counters are cleared, t = m = 0, and the process goes to step S402; if coverage(p, t, m) > 0, the process goes directly to step S402; if coverage(p, t, m) > 1, the algorithm has reached the desired coverage and terminates.
5. An intrusion detection device based on a negative selection algorithm, characterized by comprising:
the grid division module is used for carrying out grid division on the feature space where the training set data is located to obtain a non-empty grid object set and an empty grid object set; the training set data comprises only self data;
the detector constructing module is used for constructing a detector set with an initial value of null, taking the area represented by the empty grid object as a non-self area, taking the range represented by the non-self area as a mature detector, and adding the mature detector into the detector set; the device is used for sequentially generating detectors in each non-empty grid object by using a detector generation algorithm until the detectors in all the non-empty grid objects are generated;
and the detection module is used for carrying out intrusion detection on the data to be detected by using the detectors in the detector set.
6. The apparatus of claim 5, wherein the gridding the feature space in which the training set data is located to obtain a non-empty grid object set and an empty grid object set comprises:
dividing each dimension of a feature space where training set data are located into the same number of segments to form a plurality of equal-size grid objects, and statistically dividing an empty grid object set and a non-empty grid object set;
wherein the meshing length L is determined by:
Figure FDA0002604165960000031
wherein, [ li,hi) And f is the interval range of the training set data in the ith dimension, and the number of segments divided in each dimension of the feature space.
CN202010733504.XA 2020-07-27 2020-07-27 Intrusion detection method and device based on negative selection algorithm Active CN112052450B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010733504.XA CN112052450B (en) 2020-07-27 2020-07-27 Intrusion detection method and device based on negative selection algorithm

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010733504.XA CN112052450B (en) 2020-07-27 2020-07-27 Intrusion detection method and device based on negative selection algorithm

Publications (2)

Publication Number Publication Date
CN112052450A (en) 2020-12-08
CN112052450B (en) 2024-02-02

Family

ID=73601949

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010733504.XA Active CN112052450B (en) 2020-07-27 2020-07-27 Intrusion detection method and device based on negative selection algorithm

Country Status (1)

Country Link
CN (1) CN112052450B (en)

Also Published As

Publication number Publication date
CN112052450B (en) 2024-02-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant