METHOD AND SYSTEM FOR DETECTING INTRUSION IN PARALLEL BASED ON UNBALANCED DATA DEEP BELIEF NETWORK

Abstract

The disclosure discloses a method for detecting an intrusion in parallel based on an unbalanced data Deep Belief Network, which reads an unbalanced data set DS; under-samples the unbalanced data set using the improved NCR algorithm to reduce the ratio of the majority type samples and make the data distribution of the data set balanced; the improved differential evolution algorithm is used on the distributed memory computing platform Spark to optimize the parameters of the deep belief network model to obtain the optimal model parameters; extract the feature of data of the data set, and then classify the intrusion detection by the weighted nuclear extreme learning machine, and finally train multiple weighted nuclear extreme learning machines of different structures in parallel by multithreading as the base classifier, and establish a multi-classifier intrusion detection model based on adaptive weighted voting for detecting the intrusion in parallel.

Claims

1. A method for detecting an intrusion in parallel based on an unbalanced data Deep Belief Network (DBN), comprising: (1) obtaining an unbalanced data set, under-sampling the unbalanced data set using the Neighborhood Cleaning Rule algorithm, and clustering the under-sampled unbalanced data set using the Gravity-based Clustering Approach algorithm to obtain the clustered unbalanced data set; and (2) inputting the clustered unbalanced data obtained in step (1) into a trained Deep Belief Network model to extract a feature, inputting the extracted feature into multiple DBN-WKELM base classifiers in a trained DBN-WKELM multiclass classifier model to obtain multiple initial classification results, calculating a weight of each DBN-WKELM base classifier by the self-adaptive weighted voting method, and obtaining a final classification result and an intrusion behavioral type corresponding to the final classification result according to multiple weights and initial classification results.

2. The method for detecting the intrusion in parallel according to claim 1, wherein step (1) comprises: (1-1) obtaining an unbalanced data set DS; (1-2) obtaining a sample point x and nearest neighbor data D.sub.k of the sample point x from the unbalanced data set DS obtained in step (1-1); wherein k represents a nearest neighbor parameter; (1-3) obtaining a set N.sub.k formed by all samples which have different type with the sample point x in the k-nearest neighbor data D.sub.k obtained in step (1-2) and a sample number num of the set N.sub.k; (1-4) determining whether the sample number num obtained in step (1-3) is greater than or equal to k−1, proceeding to step (1-5) if yes, and otherwise, proceeding to step (1-6); (1-5) determining whether the type of the sample point x is a majority sample, updating the unbalanced data set DS to DS=DS−x and then proceeding to step (1-6) if yes, and otherwise, updating the unbalanced data set DS to DS=DS-N.sub.k and then proceeding to step (1-6); (1-6) repeating the above steps (1-2) to (1-5) for the remaining sample points in the unbalanced data set DS until all the sample points in the unbalanced data set DS has been processed, thereby obtaining the updated unbalanced data set DS; (1-7) setting a counter i=1; (1-8) determining whether i is equal to a total number of the sample points in the unbalanced data set DS, proceeding to step (1-14) if yes, and otherwise, proceeding to step (1-9); (1-9) reading the i-th new sample point d.sub.i=(d.sub.1.sup.i, d.sub.2.sup.i, . . . , d.sub.n.sup.i) from the unbalanced data set DS updated in step (1-6), determining whether a cluster set S of preferred setting is empty, proceeding to step (1-10) if yes, and otherwise, proceeding to step (1-11); wherein e2∈[1, n], d.sub.e2.sup.i represents the e2-th feature attribute value in the i-th sample; (1-10) initialing a sample point d.sub.i as a new cluster C.sub.new={d.sub.i}, setting a centroid μ to d.sub.i, adding the C.sub.new into the cluster set S, and proceeding to step (1-13); (1-11) calculating a gravitation for d.sub.i of each cluster in the cluster set S to obtain a gravitation set G={g.sub.1, g.sub.2, . . . , g.sub.ng}, and obtaining a maximum gravitation g.sub.max and its corresponding cluster C.sub.max from the gravitation set G, wherein n.sub.g represents a total number of the clusters in the cluster set S; (1-12) determining whether the maximum gravitation g.sub.max is less than a determined threshold r, returning to step (1-10) if yes, and otherwise, merging the sample point d.sub.i into the cluster C.sub.max, updating a centroid μ.sub.max of the cluster C.sub.max which has merged the sample point d.sub.i, and then proceeding to step (1-13); (1-13) setting the counter to i=i+1, and returning to step (1-8); and (1-14) traversing all the clusters in the cluster set S, and determining whether the types of all the sample points in each cluster is a majority sample, saving the majority samples in the cluster randomly according to a sampling rate sr and repeating the traversing process for the remaining clusters if yes, and otherwise, repeating the traversing process for the remaining clusters.

3. The method for detecting the intrusion in parallel according to claim 1, wherein the gravitation g between the sample points d.sub.i and the clusters C is calculated according to the following formula: $g = \frac{\ln (\ln (C_{num} + 1)) .Math. \ln (\ln 2)}{{(\frac{1}{n} {.Math.}_{ϵ 2 = 1}^{n} .Math. d_{ϵ 2}^{i} - μ_{ε 2} .Math.)}^{2}};$ wherein C.sub.num is a number of the sample points in the cluster C, and μ.sub.e2 represents the e2-th feature attribute value in the centroid μ of the cluster C; a formula for updating a centroid μ.sub.max of a cluster C.sub.max is as follows: $μ_{\max} = \frac{1}{C_{maxn}} {.Math.}_{p = 1}^{C_{maxn}} d_{p};$ wherein C.sub.maxn is a number of the sample points in the cluster C.sub.max which has merged the sample point d.sub.i, d.sub.p is the p-th sample point in the cluster C.sub.max which has merged the sample point d.sub.i, and p∈[1, C.sub.maxn].

4. The method for detecting the intrusion in parallel according to claim 1, wherein the DBN model is trained by the steps: (2-1) obtaining a DBN model, and optimizing the DBN model in a distributed memory computing platform using the improved differential evolution algorithm to obtain an optimized DBN model; and (2-2) training the DBN model optimized in step (2-1) to obtain a trained DBN model.

5. The method for detecting the intrusion in parallel according to claim 4, wherein step (2-1) comprises: (2-1-1) obtaining a DBN model W.sub.dbn={W.sub.1, W.sub.2, . . . , W.sub.dep}; wherein dep represents a total number of hidden layers in the DBN model, W.sub.di represents a neuron number of the d.sub.i-th hidden layer in the DBN model, and d.sub.i∈[1, 3]; (2-1-2) generating an initial population with a population scale of n.sub.ps structural vectors randomly, selecting one of the structural vectors randomly as the global optimal solution x.sub.best of the initial population from the initial population, writing the initial population into the Hadoop Distributed File System (HDFS) in the form of files, and setting a counter cnt=1; (2-1-3) determining whether cnt is equal to a maximum iteration number Tor the global optimal solution x.sub.best is converged, outputting the global optimal solution, and causing the process to end if yes, and otherwise, proceeding to step (2-4); (2-1-4) determining whether cnt is 1, reading the file written in the HDFS in step (2-1-2) from the HDFS, dividing the file written in the HDFS in step (2-1-2) into n.sub.pa input slices, and then proceeding to step (2-1-5) if yes, and otherwise, reading the updated file from the HDFS, dividing the updated file into n.sub.pa input slices, and then proceeding to step (2-1-5); wherein each input slice includes a sub-population; (2-1-5) obtaining the j-th individual x.sub.cnt.sup.j={W.sub.cnt,j.sup.1, W.sub.cnt,j.sup.2, . . . , W.sub.cnt,j.sup.dep}, of the cnt-th generation in the sub-population as the neuron number in the DBN model for each sub-population obtained in step (2-1-4), obtaining a classification result of n.sub.t classification points according to the corresponding DBN model. calculating a classification error CE of the DBN model according to the classification result, and using the classification error CE as an adaptability value f(x.sub.cnt.sup.j) of the j-th individual of the cnt-th generation in the sub-population; wherein j∈[1, the total number of the individual of the cnt-th generation in the sub-population], and W.sub.cnt,j.sup.dep represents the dep-th element of the j-th individual of the cnt-th generation in the sub-population; (2-1-6) obtaining an adaptability value set F={f(x.sub.cnt.sup.1), f(x.sub.cnt.sup.2), . . . , f(x.sub.cnt.sup.sn)} consisted of the adaptability value for all individuals of the cnt-th generation in the sub-population for each sub-population obtained in step (2-1-4), sorting all the adaptability value in the adaptability value set in ascending order to obtain a new adaptability value set {acute over (F)}={{acute over (f)}(x.sub.cnt.sup.1), {acute over (f)}(x.sub.cnt.sup.2), . . . , {acute over (f)}(x.sub.cnt.sup.sn)}, using an individual corresponding to the minimum adaptability value in the new adaptability value set F as the optimal solution for the sub-population, and the minimum adaptability value as the best adaptability value for the sub-population; wherein sn is a total number of the adaptability value in the adaptability value set F; (2-1-7) selecting the minimum value as the overall best adaptability value from the best adaptability value of all the sub-populations, and updating the global optimal solution x.sub.best to an individual corresponding to the overall best adaptability value; (2-1-8) obtaining two individuals x.sub.cnt.sup.1 and x.sub.cnt.sup.2 with the minimum adaptability value to form a set E.sub.cnt={x.sub.cnt.sup.1, x.sub.cnt.sup.2} for the adaptability set F obtained in step (2-1-6), and causing the remaining individuals in the adaptability set F to form a set I.sub.cnt={x.sub.cnt.sup.3, . . . , x.sub.cnt.sup.sn}; (2-1-9) generating a self-adaptive mutated individual {right arrow over (w.sub.cnt.sup.j)} according to the {right arrow over (j)}-th target individual {right arrow over (x.sub.cnt.sup.j)} in the set I.sub.cnt obtained in step (2-1-8); wherein {right arrow over (j)}∈[3, sn]; (2-1-10) performing a crossover operation on the self-adaptive mutated individual {right arrow over (w.sub.cnt.sup.j)} obtained in step (2-1-9) and the {right arrow over (j)}-th target individual {right arrow over (x.sub.cnt.sup.j)} in the set I.sub.cnt obtained in step (2-1-8) to generate experimental individual {right arrow over (u.sub.cnt.sup.j)}={u.sub.cnt,{right arrow over (j)}.sup.1, u.sub.cnt,{right arrow over (j)}.sup.2, . . . , u.sub.cnt,{right arrow over (j)}.sup.D}; (2-1-11) obtaining an adaptability value f({right arrow over (x.sub.cnt.sup.j)}) corresponding to the experimental individual {right arrow over (u.sub.cnt.sup.j)} obtained in step (2-1-10) and an adaptability value f({right arrow over (u.sub.cnt.sup.j)}) corresponding to the target individual {right arrow over (x.sub.cnt.sup.j)} obtained in step (2-1-9), using a smaller adaptability value to replace the corresponding individual in the set I.sub.cnt, and adding the individual of the set E.sub.cnt obtained in step (2-8) to I.sub.cnt, thereby obtaining a updated set I.sub.cnt; and (2-1-12) setting the counter to cnt=cnt+1, saving the updated set I.sub.cnt on the HDFS, and returning to step (2-1-3).

6. The method for detecting the intrusion in parallel according to claim 5, wherein the classification error is obtained by a formula as follows: $CE = \frac{1}{n_{t}} {.Math.}_{i_{t} = 1}^{n_{t}} .Math. Y_{i_{t}} - Y_{i_{t}}^{'} .Math.$ wherein Y.sub.i.sub.t is a real result, Ý.sub.i.sub.t is a classification result, n.sub.t is a number of the classification points; a formula for generating the self-adaptive mutated individual is as follows:
{right arrow over (w.sub.cnt.sup.j)}={right arrow over (x.sub.cnt.sup.j.sup.1)}+F.sub.c({right arrow over (x.sub.cnt.sup.j.sup.2)}−{right arrow over (x.sub.cnt.sup.j.sup.3)}) wherein {right arrow over (j.sub.1)}, {right arrow over (j.sub.2)}, and {right arrow over (j.sub.3)}: ∈[3, sn], these three are different from each other and not equal to {right arrow over (j)}, and F.sub.c is a self-adaptive mutation factor; a formula for calculating the self-adaptive mutation factor F.sub.c is as follows: $F_{c} = f \cos (\frac{π}{2} \times \frac{2 (T - cnt)}{T})$ wherein f is an initial mutation factor; a formula for generating the experimental individual is as follows: $u_{cnt, \overset{.Math.}{j}}^{h} = {\begin{matrix} w_{cnt, \overset{.Math.}{j}}^{h} & r and \leq CR or h = randn \\ x_{cnt, \overset{.Math.}{j}}^{h} & r and > CR or h \neq randn \end{matrix}$ wherein randn is a random integer generated randomly from {1, 2, . . . , D}, rand is a uniformly distributed random real number within [0, 1], CR is a crossover factor, and D is an individual genetic dimension; h∈[1, D].

7. The method for detecting the intrusion in parallel according to claim 4, wherein step (2-2) comprises: (2-2-1) dividing the unbalanced data set clustered in step (1) into a training set and a test set according to a ratio of 6:4; (2-2-2) setting a counter cnt2=1; (2-2-3) setting an initial state of an input layer of the DBN model optimized in step (2) as a training sample of the training set according to the training set obtained in step (2-2-1), constructing the input layer and the first hidden layer of the DBN model as the Restricted Boltzmann Machine (RBM) network, and initializing a weight W, an offset a of the input layer, and an offset b of the first hidden layer between the input layer and the first hidden layer of the RBM network; (2-2-4) determining whether cnt2 is equal to 3, causing the process to end if yes, and otherwise, proceeding to step (2-2-5); (2-2-5) updating the input value of the RBM network, the weight W, the offset a of the input layer, and the offset b of the cnt2-th hidden layer between the input layer and the cnt2-th hidden layer of the RBM network using the Contrastive Divergence (CD) algorithm; (2-2-6) performing the iterative training on the RBM network updated in step (2-2-6) until a reconstruction error of the RBM network reaches the minimum, thereby obtaining an RBM model after overall iterative training; adding the (cnt2+1)-th hidden layer of the DBM model optimized in step (2) into the RBM network after overall iterative training to construct a new RBM network, and updating the weight W between the input layer and the (cnt2+1)-th hidden layer of the new DBM network to a weight output by the RBM network after overall iterative training; updating the offset a of the input layer and the offset b of the (cnt2+1)-th hidden layer respectively to an offset output by the RBM network after overall iterative training, and using an output value of the RBM network after overall iterative training as an input value for the new RBM network; and (2-2-7) setting the counter to cnt2=cnt2+1, and returning to step (2-2-4).

8. The method for detecting the intrusion in parallel according to claim 1, wherein the DBN-WKELM multiclass classifier model is trained by the following process: obtaining a trained DBN model, starting four sub-threads, and setting an output value of the trained DBN model to an input value X.sub.in of the WKELM hidden layer in each sub-thread; obtaining a cost-sensitive matrix W.sub.cs by weighting the input value X.sub.in; obtaining an output weight β of the WKELM hidden layer according to the cost-sensitive matrix W.sub.cs, and obtaining the DBN-WKELM base classifier based on feature extraction of the DBN based on the output weight β; wherein the trained DBN-WKELM multiclass classifier model is consisted of the four DBN feature extraction based DBN-WKELM base classifiers.

9. The method for detecting the intrusion in parallel according to claim 8, wherein a formula for the output weight β of the WKELM hidden layer is: $β = {(\frac{1}{C_{r}} W_{cs}^{- 1} + Ω)}^{- 1} T_{l}$ wherein C.sub.r is a regularization coefficient, Ω is a kernel matrix corresponding to a kernel function F.sub.k of the WKELM base classifier, and T.sub.i is a data label corresponding to the input value X.sub.in; a formula for calculating a weight of a self-adaptive weighted voting method is as follows: $W_{q} = \frac{x_{ac}^{q} - x_{fp}^{q}}{{.Math.}_{q = 1}^{m} (x_{ac}^{q} - x_{fp}^{q})}$ wherein W.sub.q is a voting weight of the q-th DBN-WKELM base classifier in the DBN-WKELM multiclass classifier model, x.sub.ac.sup.q is a classification accuracy of the q-th DBN-WKELM base classifier, x.sub.fp.sup.q is a classification false-positive rate of the q-th DBN-WKELM base classifier, and q∈[1, m]; and a formula for calculating the classification accuracy and false-positive rate of the q-th DBN-WKELM base classifier is as follows: $x_{ac}^{q} = \frac{n_{c}^{q}}{N_{s}^{q}}, x_{fp}^{q} = \frac{n_{f}^{q}}{N_{c}^{q}}$ wherein n.sub.c.sup.q is a number of the samples classified correctly in the q-th DBN-WKELM base classifier, N.sub.s.sup.q is a total number of samples in the q-th DBN-WKELM base classifier, n.sub.f.sup.q is a number of normal samples mistaken regarded as intrusion in the q-th DBN-WKELM base classifier, and N.sub.c.sup.q is a total number of normal samples in the q-th DBN-WKELM base classifier.

10. A system for detecting an intrusion in parallel based on an unbalanced data Deep Belief Network (DBN), comprising: a first module, configured to obtain an unbalanced data set, under-sample the unbalanced data set using the Neighborhood Cleaning Rule algorithm, and cluster the under-sampled unbalanced data set using the Gravity-based Clustering Approach algorithm to obtain the clustered unbalanced data set; and a second module, configured to input the clustered unbalanced data obtained in the first module into a trained Deep Belief Network model to extract a feature, input the extracted feature into multiple DBN-WKELM base classifiers in a trained DBN-WKELM multiclass classifier model to obtain multiple initial classification results, calculate a weight of each DBN-WKELM base classifier by the self-adaptive weighted voting method, and obtain a final classification result and an intrusion behavioral type corresponding to the final classification result according to multiple weights and initial classification results.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0075] FIG. 1 is a flow diagram of a method for detecting an intrusion in parallel based on an unbalanced data Deep Belief Network according to the present disclosure.

DETAILED DESCRIPTION

[0076] In order to make the purpose, technical solution and advantages of the present disclosure clearer, the present disclosure will be described in further detail in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are only used for explaining the present disclosure, rather than limiting the present disclosure. In addition, the technical feature involved in the various embodiments of the present disclosure described below can be combined with each other as long as no contradiction between occurs.

[0077] As shown in FIG. 1, a method for detecting an intrusion in parallel based on an unbalanced data Deep Belief Network provided by the present disclosure includes the following steps:

[0078] (1) an unbalanced data set is obtained: the unbalanced data set is under-sampled using the Neighborhood Cleaning Rule (NCL) algorithm, and the under-sampled unbalanced data set is clustered using the Gravity-based Clustering Approach (GCA) algorithm to obtain the clustered unbalanced data set.

[0079] In the present embodiment, the unbalanced data set is the KDDCUJP99 intrucsion detection data set.

[0080] The present step specifically includes the following sub-steps:

[0081] (1-1) an unbalanced data set DS is obtained;

[0082] (1-2) a sample point x and nearest neighbor data De of the sample point x are obtained from the unbalanced data set DS obtained in step (1-1).

[0083] Specifically, the nearest neighbor parameter k ranges from 5 to 10, preferably 7.

[0084] Typically, the Euclidean distance is used to determine whether that two samples are k-nearest neighbor. Assuming that a sample point x.sub.k1=(x.sub.1.sup.k1, x.sub.2.sup.k1, . . . , x.sub.n.sup.k1), x.sub.k2=(x.sub.1.sup.k2, x.sub.2.sup.k2, . . . , x.sub.n.sup.k2). belongs to n-dimensional space R.sup.n, where n is an arbitrary natural number, k1 and k2∈[1, a total number of the sample points in the unbalanced data set], x.sub.e1.sup.k1 represents the e1-th feature attribute value in the k1-th sample point, e1∈[1, a total number of the feature attributes in the k1-th sample point]. Then the Euclidean distance between the sample points x.sub.k1 and x.sub.k2 is defined as:

d(x.sub.k1,x.sub.k2)=√{square root over (Σ.sub.n1=1.sup.n(x.sub.e1.sup.k1−x.sub.e1.sup.k2).sup.2)}.

[0085] (1-3) a set N.sub.k formed by all samples which have different type with the sample point x in the k-nearest neighbor data D.sub.k obtained in step (1-2) and a sample number num of the set N.sub.k are obtained.

[0086] Specifically, the sample point type includes a majority sample and a minority sample. For the KDDCUP99 intrusion detection data set, the majority sample refers to Normal, Detect and Probe, and Denial of service (Dos) behavioral. The minority sample refers to User to Root (U2R) and Remote to Local (R2L) behavioral. The behavioral other than the normal behavioral are considered intrusion behavioral type.

[0087] (1-4) whether the sample number num obtained in step (1-3) is greater than or equal to k−1 is determined; if yes, proceeding to step (1-5); otherwise, proceeding to step (1-6).

[0088] (1-5) whether the type of the sample point x is a majority sample is determined; if yes, the unbalanced data set DS is updated to DS=DS−x, then proceeding to step (1-6); otherwise the unbalanced data set DS is updated to DS=DS−N.sub.k, then proceeding to step (1-6).

[0089] (1-6) the above steps (1-2) to (1-5) are repeated for the remaining sample points in the unbalanced data set DS until all the sample points in the unbalanced data set DS has been processed, thereby obtaining the updated unbalanced data set DS.

[0090] (1-7) a counter i=1 is set.

[0091] (1-8) whether i is equal to a total number of the sample points in the unbalanced data set DS is determined; if yes, proceeding to step (1-14); otherwise, proceeding to step (1-9).

[0092] (1-9) the i-th new sample point d.sub.i=(d.sub.1.sup.i, d.sub.2.sup.i, . . . , d.sub.n.sup.i) is read from the unbalanced data set DS updated in step (1-6), where d.sub.e2.sup.i represents the e2-th feature attribute value in the i-th sample; whether a cluster set S of preferred setting is empty id determined; if yes, proceeding to step (1-10); otherwise, proceeding to step (1-11), where e2∈[1, n].

[0093] (1-10) a sample point d.sub.i is initialized as a new cluster C.sub.new={d.sub.i}, a centroid μ is set to d.sub.i, the C.sub.new is added into the cluster set S, and proceeding to step (1-13).

[0094] (1-11) a gravitation for d.sub.i of each cluster in the cluster set S is calculated to obtain a gravitation set G={g.sub.1, g.sub.2, . . . , g.sub.ng}, and a maximum gravitation g.sub.max and its corresponding cluster C.sub.max is obtained from the gravitation set G, where n.sub.g represents a total number of the clusters in the cluster set S.

[0095] The gravitation g between the sample points d and the clusters C is calculated according to the following formula:

[00009] $g = \frac{\ln (\ln (C_{num} + 1)) .Math. \ln (\ln 2)}{{(\frac{1}{n} {.Math.}_{e 2 = 1}^{n} .Math. d_{e 2}^{i} - μ_{e 2} .Math.)}^{2}}$

[0096] where C.sub.num is a number of the sample points in the cluster C, μ.sub.e2 represents the e2-th feature attribute value in the centroid μ of the cluster C.

[0097] (1-12) whether the maximum gravitation g.sub.max is less than a determined threshold r is determined; if yes, step (1-10) is returned to; otherwise the sample point d.sub.i is merged into the cluster C.sub.max, and a centroid μ.sub.max of the cluster C.sub.max which has merged the sample point d.sub.i is updated, then proceeding to step (1-13).

[0098] A formula for updating a centroid μ.sub.max of a cluster C.sub.max is as follows:

[00010] $μ_{\max} = \frac{1}{C_{maxn}} {.Math.}_{p = 1}^{C_{maxn}} d_{p}$

[0099] where C.sub.maxn is a number of the sample points in the cluster C.sub.max which has merged the sample point d.sub.i, d.sub.p is the p-th sample point in the cluster C.sub.max which has merged the sample point d.sub.i, and p∈[1, C.sub.maxn].

[0100] Specifically, for the KDDCUP99 intrusion detection data set, the threshold r ranges from 95 to 143, preferably 100.

[0101] (1-13) the counter is set to i=i+1, and step (1-8) is returned to.

[0102] (1-14) all the clusters in the cluster set S is traversed, and whether the types of all the sample points in each cluster is a majority sample is determined; if yes, the majority samples in the cluster are randomly saved according to a sampling rate sr, then the traversing process is repeated for the remaining clusters; otherwise the traversing process is repeated for the remaining clusters.

[0103] Specifically, the sampling rate sr ranges from 0.6 to 0.9.

[0104] (2) the clustered unbalanced data obtained in step (1) is input into a trained Deep Belief Network (DBN) model to extract a feature; then the extracted feature is input into multiple DBN-WKELM base classifiers in a trained DBN-Weighted Kernel Extreme Learning Machine (WKELM) multiclass classifier model to obtain multiple initial classification results; a weight of each DBN-WKELM base classifier is calculated by the self-adaptive weighted voting method; and a final classification result and an intrusion behavioral type corresponding to the final classification result are obtained according to multiple weights and initial classification results.

[0105] Specifically, the DBN model of the present step is trained by the steps:

[0106] (2-1) a Deep Belief Network (DBN) model is obtained, and the DBN model is optimized in a distributed memory computing platform using the improved differential evolution algorithm to obtain an optimized DBN model.

[0107] In the present embodiment the distributed memory computing platform is the Apache Spark platform.

[0108] The present step specifically includes the following sub-steps:

[0109] (2-1-1) a DBN model W.sub.dbn={W.sub.1, W.sub.2, . . . , W.sub.dep}, is obtained, where dep represents a total number of hidden layers in the DBN model, W.sub.di represents a neuron number of the di-th hidden layer in the DBN model, and d.sub.i∈[1, 3].

[0110] Specifically, the total number of the hidden layers in the DBN model equals to 3; the maximum neuron number x.sub.max in each hidden layer ranges from 500 to 1500, preferably 1000; the minimum neuron number x.sub.min in the hidden layer ranges from 1 to 5, preferably 1.

[0111] (2-1-2) an initial population with a population scale of n.sub.ps structural vectors is randomly generated; one of the structural vectors is randomly selected from the initial population and used as the global optimal solution x.sub.best of the initial population; and the initial population is written into the Hadoop Distributed File System (HDFS) in the form of files, and a counter cnt=1 is set.

[0112] Specifically, the population scale ranges from 1000 to 2000, preferably 1000.

[0113] (2-1-3) whether cnt is equal to a maximum iteration number T or the global optimal solution x.sub.best is converged is determined; if yes, the global optimal solution is output, and the process is completed; otherwise, proceeding to step (2-4).

[0114] Specifically, the maximum iteration number T ranges from 500 to 1000, preferably 500.

[0115] (2-1-4) whether cnt is 1 is determined; if yes, the file written in the HDFS in step (2-1-2) is read from the HDFS and divided into n.sub.pa input slices, and each input slice includes a sub-population; then proceeding to step (2-1-5); otherwise the updated file is read from the HDFS and divided into n.sub.pa input slices, and each input slice includes a sub-population; then proceeding to step (2-1-5).

[0116] Specifically, dividing the file into n.sub.pa input slices is implemented through a Map phase on the Spark platform. The number n.sub.pa of input slices ranges from 2 to 10, preferably 5.

[0117] (2-1-5) for each sub-population obtained in step (2-1-4), the j-th individual x.sub.cnt.sup.j={W.sub.cnt,j.sup.1, W.sub.cnt,j.sup.2, . . . , W.sub.cnt,j.sup.dep} of the cnt-th generation in the sub-population is obtained and used as the neuron number in the DBN model: a classification result of n.sub.i classification points is obtained according to the corresponding DBN model; a classification error CE of the DBN model is calculated according to the classification result and used as an adaptability value f(x.sub.cnt.sup.i) of the j-th individual of the cnt-th generation in the sub-population, where j∈[1, the total number of the individual of the cnt-th generation in the sub-population], and W.sub.cnt,j.sup.dep represents the dep-th element of the j-th individual of the cnt-th generation in the sub-population.

[0118] Specifically, the classification error of the present step is obtained by a formula as follows:

[00011] $CE = \frac{1}{n_{t}} {.Math.}_{i_{t} = 1}^{n_{t}} .Math. Y_{i_{t}} - Y_{i_{t}}^{'} .Math.$

[0119] where Y.sub.i.sub.t is a real result, Ý.sub.i.sub.t is a classification result, n.sub.t is a number of the classification points.

[0120] Specifically, the number of the classification points ranges from 30 to 100, preferably 50.

[0121] (2-1-6) for each sub-population obtained in step (2-1-4), an adaptability value set F={f(x.sub.cnt.sup.1), f(x.sub.cnt.sup.2), . . . , f(x.sub.cnt.sup.sn)} consisted of the adaptability value for all individuals of the cnt-th generation in the sub-population is obtained, where si is a total number of the adaptability value in the adaptability value set F; all the adaptability value in the adaptability value set is sorted in ascending order to obtain a new adaptability value set {acute over (F)}={{acute over (f)}(x.sub.cnt.sup.1), {acute over (f)}(x.sub.cnt.sup.2), . . . , {acute over (f)}(x.sub.cnt.sup.sn)}; an individual corresponding to the minimum adaptability value in the new adaptability value set {acute over (F)} is used as the optimal solution for the sub-population, and the minimum adaptability value is used as the best adaptability value for the sub-population.

[0122] (2-1-7) the minimum value is selected from the best adaptability value of all the sub-populations and used as the overall best adaptability value, and the global optimal solution x.sub.best is updated to an individual corresponding to the overall best adaptability value.

[0123] (2-1-8) for the adaptability set F obtained in step (2-1-6), two individuals x.sub.cnt.sup.1 and x.sub.cnt.sup.2 with the minimum adaptability value are obtained to form a set E.sub.cnt={x.sub.cnt.sup.1, x.sub.cnt.sup.2}, and the remaining individuals in the adaptability set F forms a set I.sub.cnt={x.sub.cnt.sup.3, . . . , x.sub.cnt.sup.sn}.

[0124] (2-1-9) a self-adaptive mutated individual {right arrow over (w.sub.cnt.sup.i)} is generated according to the {right arrow over (j)}-th target individual {right arrow over (x.sub.cnt.sup.i)} in the set I.sub.cnt obtained in step (2-1-8), where {right arrow over (j)}∈[3, sn].

[0125] Specifically, a formula for generating the self-adaptive mutated individual is as follows:

{right arrow over (w.sub.cnt.sup.j)}={right arrow over (x.sub.cnt.sup.j.sup.1)}+F.sub.c({right arrow over (x.sub.cnt.sup.j.sup.2)}−{right arrow over (x.sub.cnt.sup.j.sup.3)})

[0126] where {right arrow over (j.sub.1)}, {right arrow over (j.sub.2)}, and {right arrow over (j.sub.3)} ∈[3, sn], these three are different from each other and not equal to {right arrow over (j)}, and F.sub.c is a self-adaptive mutation factor.

[0127] A formula for calculating the self-adaptive mutation factor F.sub.c is as follows:

[00012] $F_{c} = f \cos (\frac{π}{2} \times \frac{2 (T - cnt)}{T})$

[0128] where f is an initial mutation factor which ranges from 0.5 to 0.8, preferably 0.6.

[0129] (2-1-10) a crossover operation is performed on the self-adaptive mutated individual {right arrow over (w.sub.cnt.sup.i)} obtained in step (2-1-9) and the 1-th target individual in the set I.sub.cnt obtained in step (2-1-8) to generate experimental individual {right arrow over (u.sub.cnt.sup.j)}={u.sub.cnt,{right arrow over (j)}.sup.1, u.sub.cnt,{right arrow over (j)}.sup.2, . . . , u.sub.cnt,{right arrow over (j)}.sup.D}.

[0130] Specifically, a formula for generating the experimental individual is as follows:

[00013] $u_{cnt, \hat{j}}^{h} = {\begin{matrix} w_{cnt, \hat{j}}^{h} & r and \leq CR or h = randn \\ x_{cnt, \hat{j}}^{h} & r and > CR or h \neq randn \end{matrix}$

[0131] where randn is a random integer generated randomly from {1, 2, . . . , D}, rand is a uniformly distributed random real number within [0, 1], CR is a crossover factor, and D is an individual genetic dimension; h∈[1, D].

[0132] Specifically, the crossover factor C R ranges from 0.7 to 0.9, preferably 0.8, and the individual genetic dimension D ranges from 1 to 3, preferably 1.

[0133] (2-1-11) an adaptability value f({right arrow over (x.sub.cnt.sup.i)}) corresponding to the experimental individual {right arrow over (u.sub.cnt.sup.i)} obtained in step (2-1-10) and an adaptability value f({right arrow over (u.sub.cnt.sup.i)}) corresponding to the target individual x.sub.cnt.sup.i obtained in step (2-1-9) are obtained; a smaller adaptability value is used to replace the corresponding individual in the set I.sub.cnt, and the individual of the set E.sub.cnt obtained in step (2-8) is added to I.sub.cnt, thereby obtaining a updated set I.sub.cnt.

[0134] (2-1-12) the counter is set to cnt=cnt+1; the updated set I.sub.cnt is saved on the HDFS and step (2-1-3) is returned to.

[0135] (2-2) the DBN model optimized in step (2-1) is trained to obtain a trained DBN model.

[0136] Specifically, the present step specifically includes the following sub-steps:

[0137] (2-2-1) the unbalanced data set clustered in step (1) is divided into a training set and a test set according to a ratio of 6:4.

[0138] (2-2-2) a counter cnt2=1 is set.

[0139] (2-2-3) an initial state of an input layer of the DBN model optimized in step (2) is set as a training sample of the training set according to the training set obtained in step (2-2-1); the input layer and the first hidden layer of the DBN model are constructed as the Restricted Boltzmann Machine (RBM) network, and a weight T, an offset a of the input layer, and an offset b of the first hidden layer between the input layer and the first hidden layer of the RBM network are initialized.

[0140] Specifically, W is a random value output by using a normal distribution with a standard deviation of 0.1; a and b are set to 0.

[0141] (2-2-4) whether cnt2 is equal to 3 is determined; if yes, the process is completed; otherwise, proceeding to step (2-2-5).

[0142] (2-2-5) the input value of the RBM network, the weight W, the offset a of the input layer, and the offset b of the cnt2-th hidden layer between the input layer and the cnt2-th hidden layer of the RBM network are updated using the Contrastive Divergence (CD) algorithm.

[0143] (2-2-6) the iterative training is performed on the RBM network updated in step (2-2-6) until a reconstruction error of the RB M network reaches the minimum, so that an RBM model after overall iterative training is obtained. the (cnt2+1)-th hidden layer of the DBM model optimized in step (2) is added into the RBM network after overall iterative training to construct a new RBM network; at the same time, the weight W between the input layer and the (cnt2+1)-th hidden layer of the new DBM network is updated to a weight output by the RBM network after overall iterative training. The offset a of the input layer and the offset b of the (cnt2+1)-th hidden layer are respectively updated to an offset output by the RBM network after overall iterative training, and an output value of the RBM network after overall iterative training is used as an input value for the new RBM network.

[0144] The reconstruction error RE of the RBM network is:

RE=Σ.sub.i.sub.e.sub.=1.sup.n.sup.e|V.sub.i.sub.e−V.sub.i.sub.e.sup.t|

[0145] where n.sub.e represents neuron number of the input layer of the RBM network; V.sub.i.sub.e represents a training sample value of the i.sub.e-th neuron of the input layer of the RBM network before iterative training, and V.sub.i.sub.e.sup.t; represents a training sample value of the i.sub.e-th neuron of the input layer of the RBM network after iterative training.

[0146] (2-2-7) the counter is set to cnt2=cnt2+1, and step (2-2-4) is returned to.

[0147] The training process for the DBM model can be implemented by the above steps (2-2-1) to (2-7).

[0148] The DBN-WKELM multiclass classifier model of the present disclosure is consisted of m DBN-WKELM base classifiers (the value of m is 4 in the present embodiment), and each DBN-WKELM base classifier includes an input layer, an output layer, three DBN hidden layers, and a WKELM hidden layer. A node number of the input layer and output layer is 122 and 5, respectively. A node number of each DBN hidden layer is 110, 70, and 30, respectively. At the same time, a node number of the WKELM hidden layer for the four DBN-WKELM base classifiers is 55, 65, 75, and 85, respectively.

[0149] The DBN-WKELM multiclass classifier model of the present disclosure is trained by the following process:

[0150] a trained DBN model is obtained; four sub-threads are started, and an output value of the trained DBN model is set to an input value X, of the WKELM hidden layer in each sub-thread; a cost-sensitive matrix W.sub.cs is obtained by weighting the input value X.sub.in; and an output weight β of the WKELM hidden layer is obtained according to the cost-sensitive matrix W.sub.cs, and the DBN-WKELM base classifier which is based on feature extraction of the DBN is obtained based on the output weight β; the trained DBN-WKELM multiclass classifier model is consisted of the four DBN feature extraction based DBN-WKELM base classifiers.

[0151] In the present step, the specific process for obtaining the cost-sensitive matrix W.sub.cs by weighting the input value X.sub.in is:

[0152] a weight W.sub.i.sub.x is assigned to the i.sub.x-th sample point in X.sub.in to obtain the i.sub.x-th main diagonal element we.sub.i.sub.x in the cost-sensitive matrix W.sub.cs, where i.sub.x∈[1, a total number of the sample point in X.sub.in], W.sub.cs is a diagonal matrix, and the weight W.sub.i.sub.x is equals to:

[00014] $w_{i_{x}} = \frac{1}{m_{i_{x}}}$

[0153] where m.sub.i.sub.x is an amount of the type to which the i.sub.x-th sample point belongs in the training set.

[0154] A formula for the output weight f of the WKELM hidden layer is:

[00015] $β = {(\frac{1}{C_{r}} W_{cs}^{- 1} + Ω)}^{- 1} T_{l}$

[0155] where C.sub.r is a regularization coefficient, Ω is a kernel matrix corresponding to a kernel function F.sub.k (the kernel function can be the polynomial kernel function or Gaussian kernel function in the present disclosure) of the WKELM base classifier, and T.sub.l is a data label corresponding to the input value X.sub.in.

[0156] A formula for calculating a weight of a self-adaptive weighted voting method is as follows:

[00016] $W_{q} = \frac{x_{ac}^{q} - x_{fp}^{q}}{{.Math.}_{q = 1}^{m} (x_{ac}^{q} - x_{fp}^{q})}$

[0157] where W.sub.q is a voting weight of the q-th DBN-WKELM base classifier in the DBN-WKELM multiclass classifier model, x.sub.ac.sup.q is a classification accuracy of the q-th DBN-WKELM base classifier, x.sub.fp.sup.q is a classification false-positive rate of the q-th DBN-WKELM base classifier, and q∈[1, n].

[0158] A formula for calculating the classification accuracy and false-positive rate of the q-th DBN-WKELM base classifier is as follows:

[00017] $x_{ac}^{q} = \frac{n_{c}^{q}}{N_{s}^{q}}, x_{fp}^{q} = \frac{n_{f}^{q}}{N_{c}^{q}}$

[0159] where c is a number of the samples classified correctly in the q-th DBN-WKELM base classifier, N.sub.s.sup.q is a total number of samples in the q-th DBN-WKELM base classifier, n.sub.f.sup.q is a number of normal samples mistaken regarded as intrusion in the q-th DBN-WKELM base classifier, and N.sub.c.sup.q is a total number of normal samples in the q-th DBN-WKELM base classifier.

[0160] In step (2), an initial classification result V=(v.sub.1, v.sub.2, v.sub.3, v.sub.4, v.sub.5) of each base classifier is obtained, which corresponds to five behavioral types of Normal, Probe, Dos, U2R, and R2L, respectively. Then the weight of each base classifier is calculated by the self-adaptive weighted voting method. Finally a total classification result C.sub.res=Σ.sub.q=1.sup.mW.sub.qV.sub.q of the DBN-WKELM multiclass classifier model is obtained according to the initial classification results V and weight of each base classifier. A behavioral type corresponding to an element in an initial classification result corresponding to the maximum value is selected from the total classification results and this behavioral type is used as the final behavioral type.

[0161] A data in the test set is assumed that the initial classification results obtained by the four DBN-WKELM base classifiers are (0, 1, 0, 0, 0), (0, 0, 1, 0, 0), (0, 1, 0, 0, 0), (0, 0, 1, 0, 0) respectively. The classification accuracy of each base classifier is 98.5%, 97.8%, 98.2%, and 97.3%, and the classification false-positive rate is 2.3%, 2.8%, 2.7%, and 2.0%. The weight of each base classifier can be calculated according to the above formula and obtained as 0.252, 0.249, 0.250, and 0.249. Then, v.sub.1 (i.e. 0) in the initial classification result obtained by the first DBN-WKELM base classifier*0.252+v.sub.1 (i.e. 0) in the initial classification result obtained by the second DBN-WKELM base classifier*0.252+v.sub.1 (i.e. 0) in the initial classification result obtained by the third DBN-WKELM base classifier*0.252+v.sub.1 (i.e. 0) in the initial classification result obtained by the fourth DBN-WKELM base classifier*0.252=0. Then, v.sub.2 (i.e. 1) in the initial classification result obtained by the first DBN-WKELM base classifier*0.252 v.sub.2 (i.e. 0) in the initial classification result obtained by the second DBN-WKELM base classifier*0.252+v.sub.2 (i.e. 1) in the initial classification result obtained by the third DBN-WKELM base classifier*0.252+v.sub.2 (i.e. 0) in the initial classification result obtained by the fourth DBN-WKELM base classifier*0.252=0502 . . . , and so on. Five total classification results (0, 0.502, 0.498, 0, 0) are obtained finally and the maximum value, which is 0,502 in this case, is selected. The behavioral type (i.e. Probe behavioral type) corresponding to the element (i.e. v.sub.2) in the initial classification result corresponding to the maximum value is used as the final behavioral type.

[0162] Those skilled in the art can easily understand that the above are only preferred embodiments of the present disclosure and are not intended to limit the present disclosure. Any modification, equivalent substitutions or improvements within the spirit and principle of the present disclosure should be included in the protection scope of the present disclosure.

METHOD AND SYSTEM FOR DETECTING INTRUSION IN PARALLEL BASED ON UNBALANCED DATA DEEP BELIEF NETWORK

Inventors

Cpc classification

Classification Explorer

G06N3/088

PHYSICS

Classification Explorer

G06N20/00

PHYSICS

Classification Explorer

G06N3/047

PHYSICS

Classification Explorer

G06F21/566

PHYSICS

Classification Explorer

G06N3/045

PHYSICS

Classification Explorer

G06N3/126

PHYSICS

Classification Explorer

G06F2221/034

PHYSICS

Classification Explorer

G06N3/086

PHYSICS

Classification Explorer

G06F21/554

PHYSICS

International classification

Classification Explorer

G06F21/56

PHYSICS

Classification Explorer

G06N20/00

PHYSICS

Abstract

Claims

Description