CN109462610A - A network intrusion detection method based on active learning and transfer learning - Google Patents
- Publication number
- CN109462610A
- Authority
- CN
- China
- Prior art keywords
- sample
- weight
- classifier
- source domain
- learning
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention belongs to the field of network security and specifically relates to a network intrusion detection method based on active learning and transfer learning, comprising the following steps: a source-domain intrusion detection sample set S_a and a target-domain intrusion detection sample set S_b are given; using the active learning idea, the weight of each sample in the source domain S_a is computed, and the query function labels, according to the weights, the samples in S_a that are more similar to the target domain S_b; the base classifier BA_SVM is called and, from the merged training data set T, the weight distribution p_t on T and the unlabeled data set S, several weak classifier models are obtained; the weak classifiers are combined according to their different weights into a strong classifier. Compared with the baseline algorithms, the method improves detection considerably, especially for U2R and R2L attacks, which have few samples; detection accuracy is better balanced across attack types than with the baseline algorithms; and the method also has a clear advantage in detection time efficiency. The invention therefore has better application prospects in network intrusion detection.
Description
Technical field
The invention belongs to the field of network security and specifically relates to a network intrusion detection method based on active learning and transfer learning.
Background art
With the rapid development of networks, they play an increasingly important role both in national life and in people's daily activities, so the importance of network security technology is increasingly prominent. Network security today faces more and more challenges such as viruses, system vulnerabilities and hacker attacks. Identifying the various attacks is an important technical means of protecting network security. Intrusion detection, one of the core technologies of network security, can promptly discover malicious attack behavior that is in progress or has already occurred. An intrusion detection system, built around intrusion detection technology, is an active network security defense technology: it not only makes up for the shortcomings of firewalls but can also detect attacks effectively and propose corresponding defensive measures. Traditional intrusion detection systems, however, have many problems: their false-positive and false-negative rates are high, they can detect only existing attacks, and they are increasingly inadequate at detecting novel attacks and massive volumes of attacks.
In recent years, with the rise of machine learning, intrusion detection methods based on machine learning algorithms have made intelligent detection of network attacks possible. Compared with traditional intrusion detection methods, they improve detection efficiency on the one hand and reduce the false-negative and false-positive rates on the other. The rise of machine learning has therefore pointed out a new direction for the development of intrusion detection technology. Although traditional machine learning is now very widely applied in intrusion detection, most of these algorithms treat several different kinds of attack simply as "attack" and apply a single detection algorithm without distinguishing between them. As a result, the detection success rate is unbalanced across attack types: a classifier trained by a given machine learning algorithm may have a relatively high detection rate for one type of attack while another type is hard to detect, and attack types with few samples in particular are often ignored. In addition, traditional machine learning algorithms usually need to satisfy the following two assumptions: (1) the training samples and the new test samples are independent and identically distributed; (2) a large number of training samples are needed to learn a good model. In practice, however, the distributions of test data and training data are hard to keep consistent, and some sample resources are very scarce. For example, in biological data classification, obtaining the label of one training sample often requires a large number of long, expensive experiments; in text classification, it has been found that the existing training samples are far from enough to build a reliable classification model, and labeling large numbers of documents often requires hiring many experts at high pay, which makes labeled training samples very costly to obtain. In short, on the one hand a large number of training samples are needed to build a high-accuracy classification model; on the other hand, obtaining a large number of training samples is almost impossible in many practical applications.
To solve the sample scarcity problem, researchers proposed transfer learning, a new machine learning approach that uses existing knowledge to solve problems in a related domain. It relaxes the two basic assumptions of traditional machine learning, and its purpose is to use existing knowledge to solve learning problems in a target domain that has only a small number of samples or even none. Transfer learning represents a future direction of machine learning. Applied to intrusion detection, and compared with other machine learning algorithms, it can use the knowledge in existing historical data and so save the cost of collecting data, and the distributions of training data and test data need not be identical. Transfer learning also offers a new way to effectively address scarce samples for some attack types and unbalanced detection across attack types, and it therefore has a great advantage over traditional machine learning algorithms.
In summary, building on transfer learning, the invention can effectively use a large number of historical attack samples to solve the problems of scarce samples for some attack types and unbalanced detection across attack types; in addition, selecting the samples to label with a reasonable active learning strategy reduces classifier training time. In short, compared with previous intrusion detection methods, the method of the invention has higher accuracy, a lower false-positive rate and better time efficiency.
Summary of the invention
In view of the problems described in the background above, the invention proposes an intrusion detection method based on active learning and transfer learning.
A network intrusion detection method based on active learning and transfer learning, comprising the following steps:
(1) A source-domain intrusion detection sample set S_a and a target-domain intrusion detection sample set S_b are given;
(2) Using the active learning idea, the weight of each sample in the source domain S_a is computed, and the query function labels, according to the weights, the samples in S_a that are more similar to the target domain S_b;
(3) The base classifier BA_SVM is called and, from the merged training data set T, the weight distribution p_t on T and the unlabeled data set S, several weak classifier models are obtained;
(4) The weak classifiers are combined according to their different weights into a strong classifier.
Giving the source-domain intrusion detection sample set S_a and the target-domain intrusion detection sample set S_b comprises:
Given a large unlabeled source-domain intrusion detection sample set S_a and a small labeled target-domain intrusion detection sample set S_b, where n is the number of samples in S_a and m is the number of samples in S_b; the merged training data set is T = S_a ∪ S_b, x_i ∈ T.
Using the active learning idea to compute the weight of each sample in the source domain S_a, with the query function labeling, according to the weights, the samples in S_a that are more similar to the target domain S_b, comprises:
(2.1) Use the active learning query strategy Q to select samples of the training data set S_a for labeling, computing the following formula:
s.t. 0 ≤ β ≤ 1, i = 1, 2, ..., n
where n is the number of source-domain samples, K = K(x_i, x_j) = φ(x_i)^T φ(x_j),
(2.2) Screen the source-domain samples according to the result of (2.1), filtering out the samples in S_a that differ greatly from the target domain S_b, to obtain a new training data set S'_a; the set obtained after labeling the source-domain sample set S_a is S'_a, with n' samples;
(2.3) Initialize the weight vector, where
Calling the base classifier BA_SVM and obtaining several weak classifier models from the merged training data set T, the weight distribution p_t on T and the unlabeled data set S comprises:
Set
(3.1) Set p_t to satisfy
where w_i is the weight vector of the i-th source-domain sample;
(3.2) Call the base classifier BA_SVM and, from the merged training data set T, the weight distribution p_t on T and the unlabeled data set S, obtain a classifier on S
(3.3) Compute the error rate on the data set S_b:
(3.4) Set τ_t = ε_t/(1-ε_t); the classifier weight coefficient is
(3.5) Set the new weight vector as follows:
The N iterations end.
Combining the weak classifiers according to their different weights into a strong classifier comprises:
After training through the above 2 steps, several weak classifier models have been formed; these weak classifiers are then combined according to their respective weights into the final classifier as follows:
where h_f(x) is the resulting strong classifier and α_t is the weight of each weak classifier h_t(x).
The beneficial effects of the invention are:
Compared with the baseline algorithms, the method improves detection considerably, especially for U2R and R2L attacks, which have few samples; detection accuracy is better balanced across attack types than with the baseline algorithms; and the method also has a clear advantage in detection time efficiency. The invention therefore has better application prospects in network intrusion detection.
Description of the drawings
Fig. 1 is a schematic diagram of the method of the invention;
Fig. 2 is a schematic diagram of the process by which the strong classifier performs intrusion detection.
Specific embodiment
The invention is described further below with reference to the drawings.
In the method of the invention, active learning first uses the query function Q, with a selective maximum mean discrepancy (MMD) query strategy, to screen the intrusion detection samples in the source domain, selecting from the large unlabeled intrusion detection sample set the next sample to be labeled and adding it to the training data set; a classifier with transfer learning capability (TrAdaBoost) is then trained iteratively on the screened training data set until the condition is met. The base classifier in TrAdaBoost is a support vector machine based on the bat algorithm (BA_SVM); BA_SVM can find the optimal parameter combination for the SVM and avoids the local optimum problem. In the method, active learning on the one hand reduces the scale of the intrusion detection samples in the source domain; on the other hand, the MMD query strategy of the query function Q can filter out the source-domain samples with low similarity to the target domain, which helps solve the negative transfer problem. Compared with other traditional machine learning methods, the method not only shrinks the training set and improves training efficiency but can itself effectively suppress negative transfer. The method therefore not only has good detection speed but also improves the accuracy, real-time performance and balance of intrusion detection.
The implementation of the method is described in detail below.
For convenience of description, the basic symbols and concepts used are defined as follows:
Definition 1 (basic symbols):
(1) Let SD be the source domain space and TD the target domain space;
(2) Let Y be the class space; without loss of generality only the binary problem Y = {-1, 1} is considered here, and multi-class problems can be handled by extending the binary case;
(3) training intrusion detection data set
(4) maps a sample x to its class label f(x) ∈ Y.
Definition 2 (test data set):
where
Definition 3 (training data sets):
where
where
Here f(x) is the true class label; S_a is the auxiliary intrusion detection data in the source domain; S_b is the intrusion detection data set in the target domain; n and m are the numbers of samples in S_a and S_b respectively. S_a and S_b together are called the training data set, so the training data set can be defined as follows:
S_a in the training data set has a different distribution from the test data set S_b, but the test data set S and S_b have the same distribution, that is, P((x, y) | x ∈ S_a) ≠ P((x, y) | x ∈ S).
The transfer learning problem in the method can now be defined as follows: given a very small intrusion detection data set as the target intrusion detection data set S_b, a large unlabeled intrusion detection data set S_a and a test intrusion detection data set S, the goal is to train a classifier that reduces the classification error on S as far as possible and improves the prediction accuracy for intrusion behavior. The inputs and outputs of the problem are as follows:
Input:
Two training data sets S_a and S_b, and one test data set S;
One base classifier BA_SVM.
Output:
Classifier.
Fig. 1 shows a schematic diagram of the method. The method mainly comprises the query function Q and the transfer classifier model TrAdaBoost-BA_SVM; the inputs it accepts are the source-domain training data set S_a, the target-domain training data set S_b and the test data set S.
The concepts used in the specific implementation are as follows: a large unlabeled source-domain sample set S_a and a small labeled target-domain sample set S_b, where n is the number of samples in S_a and m is the number of samples in S_b; T = S_a ∪ S_b, x_i ∈ T, and f(x_i) is the true class label; an unlabeled test data set S, a base classifier BA_SVM, and the number of iterations N.
The method is implemented in the following steps:
1. Initialization
(1) Use the active learning query strategy Q to select samples of the training data set S_a for labeling, computing the following formula
s.t. 0 ≤ β ≤ 1, i = 1, 2, ..., n
In the formula above, n is the number of source-domain samples, K = K(x_i, x_j) = φ(x_i)^T φ(x_j),
(2) Screen the source-domain samples according to the result of (1), filtering out the samples in S_a that differ greatly from the target domain S_b, to obtain a new training data set S'_a:
For j = 1, n
    if (β_i < 0)
        discard the sample
    else
        keep the sample and pass it to an expert for labeling
The set obtained after labeling the source-domain sample set S_a is S'_a, with n' samples.
(3) Initialize the weight vector, where
2. Core process
Set
The core execution flow of the method is as follows:
For t = 1, ..., N
(1) Set p_t to satisfy
(2) Call the base classifier BA_SVM and, from the merged training data set T, the weight distribution p_t on T and the unlabeled data set S, obtain a classifier on S
(3) Compute the error rate on the data set S_b:
(4) Set τ_t = ε_t/(1-ε_t), and set the classifier weight coefficient
(5) Set the new weight vector as follows:
The N iterations end.
3. Strong classifier
After training through the above 2 steps, several weak classifier models have been formed; these weak classifiers are then combined according to their respective weights into the final classifier as follows:
In the formula, h_f(x) is the resulting strong classifier and α_t is the weight of each weak classifier h_t(x).
The above 3 steps make up the network intrusion detection method based on active learning and transfer learning. In terms of intrusion detection precision and time efficiency, compared with traditional intrusion detection methods based on machine learning, the method not only has good detection accuracy and detection speed but also improves the accuracy, real-time performance and balance of detection.
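The core process and strong classifier of steps 2 and 3, as an added Python example that is not code from the patent: a one-feature threshold stump stands in for BA_SVM, the data is constructed, and S'_a is assumed to be already screened and labeled. The page's formulas did not survive, so the weight updates, α_t = ln(1/τ_t) and the vote over rounds ⌈N/2⌉..N are assumptions taken from the published TrAdaBoost algorithm (Dai et al., 2007).

```python
import math

# Constructed data: one numeric feature per connection record (think
# "failed logins per minute"); label +1 = attack, -1 = normal, as in Y = {-1, 1}.
# Source domain S'_a: an older network where anything above ~3.5 was an attack.
SOURCE = [(1, -1), (2, -1), (3, -1), (4, 1), (4, 1), (5, 1), (6, 1), (7, 1), (8, 1)]
# Target domain S_b: the monitored network, where values 4 and 5 are normal.
TARGET = [(1, -1), (2, -1), (4, -1), (5, -1), (7, 1), (8, 1)]


def predict(thr, x):
    """Threshold rule used by every weak classifier: x > thr means attack."""
    return 1 if x > thr else -1


def train_stump(samples, p):
    """Weak learner standing in for BA_SVM (assumption): return the threshold
    with the smallest p-weighted error over the merged training set."""
    xs = sorted({x for x, _ in samples})
    best_thr, best_err = None, float("inf")
    for lo, hi in zip(xs, xs[1:]):
        thr = (lo + hi) / 2
        err = sum(pi for (x, y), pi in zip(samples, p) if predict(thr, x) != y)
        if err < best_err:
            best_thr, best_err = thr, err
    return best_thr


def tradaboost(source, target, rounds):
    """Run N = rounds iterations; return thresholds h_t, weights alpha_t and
    the final (unnormalised) sample weight vector."""
    n = len(source)
    train = source + target                      # T = S'_a U S_b
    w = [1.0] * len(train)                       # initial weight vector
    # Fixed shrink factor for source samples (published TrAdaBoost formula).
    beta = 1.0 / (1.0 + math.sqrt(2.0 * math.log(n) / rounds))
    stumps, alphas = [], []
    for _ in range(rounds):
        total = sum(w)
        p = [wi / total for wi in w]             # step (1): distribution p_t
        thr = train_stump(train, p)              # step (2): weak classifier h_t
        wrong = [predict(thr, x) != y for x, y in train]
        # Step (3): error rate measured on the target samples S_b only.
        eps = sum(wi for wi, bad in zip(w[n:], wrong[n:]) if bad) / sum(w[n:])
        # Edge cases: eps = 0 would make tau_t zero, eps >= 0.5 would stop
        # target weights from growing, so clamp into (0, 0.5).
        eps = min(max(eps, 1e-6), 0.499)
        tau = eps / (1.0 - eps)                  # step (4): tau_t
        # Step (5): misclassified source samples lose weight (they disagree
        # with the target domain), misclassified target samples gain weight.
        for i, bad in enumerate(wrong):
            if bad:
                w[i] *= beta if i < n else 1.0 / tau
        stumps.append(thr)
        alphas.append(math.log(1.0 / tau))       # assumed alpha_t = ln(1/tau_t)
    return stumps, alphas, w


def strong_classify(stumps, alphas, x):
    """h_f(x): alpha-weighted vote of the weak classifiers from round
    ceil(N/2) to N, as in the published TrAdaBoost final hypothesis."""
    start = math.ceil(len(stumps) / 2) - 1
    vote = sum(a * predict(t, x) for t, a in zip(stumps[start:], alphas[start:]))
    return 1 if vote >= 0 else -1


if __name__ == "__main__":
    merged = SOURCE + TARGET
    naive = train_stump(merged, [1.0 / len(merged)] * len(merged))
    stumps, alphas, w = tradaboost(SOURCE, TARGET, rounds=4)
    print("single stump on merged data, threshold:", naive)
    print("TrAdaBoost thresholds per round:", stumps)
    print("record x=4.5 ->", predict(naive, 4.5), "(naive) vs",
          strong_classify(stumps, alphas, 4.5), "(TrAdaBoost)")
    print("weight of conflicting source sample x=4:", round(w[3], 3))
```

The single stump trained on the merged data follows the source-domain boundary and raises a false alarm on a record that is normal in the target domain; after the first round the conflicting source samples are down-weighted and the boosted classifier follows the target-domain boundary.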
The above is a preferred embodiment of the invention, but the scope of protection of the invention is not limited to it. Any modification or substitution made according to the technical solution of the invention by a person skilled in the art, within the technical scope disclosed by the invention, shall fall within the scope of protection of the invention. The scope of protection of the invention shall therefore be determined by the scope of protection of the claims.
1. A network intrusion detection method based on active learning and transfer learning, the method comprising the following:
Given a large unlabeled source-domain intrusion detection sample set S_a and a small labeled target-domain intrusion detection sample set S_b, where n is the number of samples in S_a and m is the number of samples in S_b; T = S_a ∪ S_b, x_i ∈ T, and f(x_i) is the true class label; an unlabeled test intrusion detection data set S, a base classifier BA_SVM, and the number of iterations N. The steps of the method are initialization, core process and strong classifier. Each step is described as follows:
(1) Initialization: using the active learning idea, compute the weight of each sample in the source domain S_a; the query function labels, according to the weights, the samples in S_a that are more similar to the target domain S_b.
(2) Core process: describes the main execution of the method and yields a set of weak classifiers and their corresponding weights;
(3) Strong classifier: the weak classifiers are combined according to their different weights into a strong classifier.
The initialization is as follows:
(1) Use the active learning query strategy Q to select samples of the training data set S_a for labeling, computing the following formula
s.t. 0 ≤ β ≤ 1, i = 1, 2, ..., n
In the formula above, n is the number of source-domain samples, K = K(x_i, x_j) = φ(x_i)^T φ(x_j),
(2) Screen the source-domain samples according to the result of (1), filtering out the samples in S_a that differ greatly from the target domain S_b, to obtain a new training data set S'_a:
For j = 1, n
    if (β_i < 0)
        discard the sample;
    else
        keep the sample and pass it to an expert for labeling.
The set obtained after labeling the source-domain sample set S_a is S'_a, with n' samples.
(3) Initialize the weight vector, where
The core process of the method:
Set
The core execution flow of the method is as follows:
For t = 1, ..., N
(1) Set p_t to satisfy
(2) Call the base classifier BA_SVM and, from the merged training data set T, the weight distribution p_t on T and the unlabeled data set S, obtain a classifier on S
(3) Compute the error rate on the data set S_b:
(4) Set τ_t = ε_t/(1-ε_t), and set the classifier weight coefficient
(5) Set the new weight vector as follows:
The N iterations end.
The classifier:
In the formula, h_f(x) is the resulting strong classifier and α_t is the weight of each weak classifier h_t(x).
The invention relates to a method for improving the accuracy and time efficiency of network intrusion detection: an efficient intrusion detection method based on active learning and transfer learning. The method of the invention comprises the following steps:
Given a large unlabeled intrusion detection sample set S_a and a small labeled target-domain intrusion detection sample set S_b, where n is the number of samples in S_a and m is the number of samples in S_b; T = S_a ∪ S_b, x_i ∈ T, and f(x_i) is the true class label; an unlabeled test intrusion detection data set S, a base classifier BA_SVM, and the number of iterations N.
1. Initialization: using the active learning idea, compute the weight of each sample in the source domain S_a; the query function labels, according to the weights, the samples in S_a that are more similar to the target domain S_b.
(1) Use the active learning query strategy Q to select samples of the training data set S_a for labeling, computing the following formula:
s.t. 0 ≤ β ≤ 1, i = 1, 2, ..., n
In the formula above, n is the number of source-domain samples, K = K(x_i, x_j) = φ(x_i)^T φ(x_j),
(2) Screen the source-domain samples according to the result of (1), filtering out the samples in S_a that differ greatly from the target domain S_b, to obtain a new training data set S'_a:
For j = 1, n
    if (β_i < 0)
        discard the sample;
    else
        keep the sample and pass it to an expert for labeling.
The set obtained after labeling the source-domain sample set S_a is S'_a, with n' samples.
(3) Initialize the weight vector, where
2. Core process: describes the main execution of the method and yields a set of weak classifiers and their corresponding weights;
Set
The core execution flow of the method is as follows:
For t = 1, ..., N
(1) Set p_t to satisfy
(2) Call the base classifier BA_SVM and, from the merged training data set T, the weight distribution p_t on T and the unlabeled data set S, obtain a classifier on S
(3) Compute the error rate on the data set S_b:
(4) Set τ_t = ε_t/(1-ε_t), and set the classifier weight coefficient
(5) Set the new weight vector as follows:
The N iterations end.
3. Strong classifier: the weak classifiers are combined according to their different weights into a strong classifier.
In the formula, h_f(x) is the resulting strong classifier and α_t is the weight of each weak classifier h_t(x).
Claims (5)
1. A network intrusion detection method based on active learning and transfer learning, characterized by comprising the following steps:
(1) A source-domain intrusion detection sample set S_a and a target-domain intrusion detection sample set S_b are given;
(2) Using the active learning idea, the weight of each sample in the source domain S_a is computed, and the query function labels, according to the weights, the samples in S_a that are more similar to the target domain S_b;
(3) The base classifier BA_SVM is called and, from the merged training data set T, the weight distribution p_t on T and the unlabeled data set S, several weak classifier models are obtained;
(4) The weak classifiers are combined according to their different weights into a strong classifier.
2. The network intrusion detection method based on active learning and transfer learning according to claim 1, characterized in that giving the source-domain intrusion detection sample set S_a and the target-domain intrusion detection sample set S_b comprises:
Given a large unlabeled source-domain intrusion detection sample set S_a and a small labeled target-domain intrusion detection sample set S_b, where n is the number of samples in S_a and m is the number of samples in S_b; the merged training data set is T = S_a ∪ S_b, x_i ∈ T.
3. The network intrusion detection method based on active learning and transfer learning according to claim 1, characterized in that using the active learning idea to compute the weight of each sample in the source domain S_a, with the query function labeling, according to the weights, the samples in S_a that are more similar to the target domain S_b, comprises:
(2.1) Use the active learning query strategy Q to select samples of the training data set S_a for labeling, computing the following formula:
s.t. 0 ≤ β ≤ 1, i = 1, 2, ..., n
where n is the number of source-domain samples, K = K(x_i, x_j) = φ(x_i)^T φ(x_j),
(2.2) Screen the source-domain samples according to the result of (2.1), filtering out the samples in S_a that differ greatly from the target domain S_b, to obtain a new training data set S'_a; the set obtained after labeling the source-domain sample set S_a is S'_a, with n' samples;
(2.3) Initialize the weight vector, where
4. The network intrusion detection method based on active learning and transfer learning according to claim 1, characterized in that calling the base classifier BA_SVM and obtaining several weak classifier models from the merged training data set T, the weight distribution p_t on T and the unlabeled data set S comprises:
Set
(3.1) Set p_t to satisfy
where w_i is the weight vector of the i-th source-domain sample;
(3.2) Call the base classifier BA_SVM and, from the merged training data set T, the weight distribution p_t on T and the unlabeled data set S, obtain a classifier on S
(3.3) Compute the error rate on the data set S_b:
(3.4) Set τ_t = ε_t/(1-ε_t); the classifier weight coefficient is
(3.5) Set the new weight vector as follows:
The N iterations end.
5. The network intrusion detection method based on active learning and transfer learning according to claim 1, characterized in that combining the weak classifiers according to their different weights to obtain a strong classifier comprises:
After learning and training through the above 2 steps, several weak classifier models are formed; these weak classifiers are then combined according to their respective weights to obtain the final classifier as follows:
where $h_f(x)$ is the resulting strong classifier and $\alpha_t$ is the weight of each weak classifier $h_t(x)$.
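The boosting loop of claims 4 and 5, as an added example rather than code from the patent. The formulas for p_t, α_t, the weight update and the final classifier are missing from this page, so the code assumes the standard TrAdaBoost forms; a weighted decision stump stands in for BA_SVM, and the data is constructed.

```python
import math

def fit_stump(X, y, p):
    """Weighted decision stump; an assumed stand-in for the BA_SVM base classifier."""
    best = None
    for f in range(len(X[0])):
        for thr in sorted({x[f] for x in X}):
            for sign in (1, -1):
                rule = lambda x, f=f, thr=thr, sign=sign: int(sign * (x[f] - thr) >= 0)
                err = sum(pi for x, yi, pi in zip(X, y, p) if rule(x) != yi)
                if best is None or err < best[0]:
                    best = (err, rule)
    return best[1]

def train(Xa, ya, Xb, yb, N=10):
    """Xa/ya: labelled source subset S'_a; Xb/yb: target S_b; N boosting rounds."""
    n, X, y = len(Xa), Xa + Xb, ya + yb
    w = [1.0] * len(X)                                   # assumed uniform initial weights
    beta = 1 / (1 + math.sqrt(2 * math.log(n) / N))      # assumed TrAdaBoost source factor
    ensemble = []
    for _ in range(N):
        total = sum(w)
        p = [wi / total for wi in w]                     # (3.1) normalise weights to p_t
        h = fit_stump(X, y, p)                           # (3.2) weak classifier h_t
        miss = [abs(h(x) - yi) for x, yi in zip(X, y)]
        eps = sum(wi * mi for wi, mi in zip(w[n:], miss[n:])) / sum(w[n:])  # (3.3)
        eps = min(max(eps, 1e-6), 0.499)                 # guard: keep 0 < tau_t < 1
        tau = eps / (1 - eps)                            # (3.4)
        ensemble.append((math.log(1 / tau), h))          # assumed alpha_t = ln(1/tau_t)
        # (3.5) assumed update: shrink misclassified source, grow misclassified target
        w = [wi * (beta ** mi if i < n else tau ** -mi)
             for i, (wi, mi) in enumerate(zip(w, miss))]
    return ensemble, w

def predict(ensemble, x):
    """Strong classifier: sign of the alpha-weighted vote (assumed combination rule)."""
    return int(sum(a * (1 if h(x) else -1) for a, h in ensemble) > 0)

# Constructed data: one numeric feature; label 1 = attack, 0 = normal.
SRC_X = [[1], [2], [3], [4], [5], [6], [7], [8]]
SRC_Y = [0, 0, 0, 0, 0, 1, 1, 1]      # source boundary near 6
TGT_X = [[1], [2], [3], [4], [8], [9]]
TGT_Y = [0, 0, 1, 1, 1, 1]            # target boundary near 3

if __name__ == "__main__":
    model, weights = train(SRC_X, SRC_Y, TGT_X, TGT_Y)
    print([predict(model, x) for x in TGT_X], [round(v, 3) for v in weights])
```

On this data the first round follows the source boundary; the misclassified target samples are then up-weighted and the conflicting source samples decay by a factor of beta per round, so the combined classifier ends on the target boundary.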
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811582916.7A CN109462610A (en) | 2018-12-24 | 2018-12-24 | A kind of network inbreak detection method based on Active Learning and transfer learning |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109462610A true CN109462610A (en) | 2019-03-12 |
Family
ID=65614403
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811582916.7A Pending CN109462610A (en) | 2018-12-24 | 2018-12-24 | A kind of network inbreak detection method based on Active Learning and transfer learning |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109462610A (en) |
- 2018-12-24 CN CN201811582916.7A patent/CN109462610A/en active Pending
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101582813A (en) * | 2009-06-26 | 2009-11-18 | 西安电子科技大学 | Distributed migration network learning-based intrusion detection system and method thereof |
CN102176698A (en) * | 2010-12-20 | 2011-09-07 | 北京邮电大学 | Method for detecting abnormal behaviors of user based on transfer learning |
CN102521656A (en) * | 2011-12-29 | 2012-06-27 | 北京工商大学 | Integrated transfer learning method for classification of unbalance samples |
US20140272883A1 (en) * | 2013-03-14 | 2014-09-18 | Northwestern University | Systems, methods, and apparatus for equalization preference learning |
CN103297427A (en) * | 2013-05-21 | 2013-09-11 | 中国科学院信息工程研究所 | Unknown network protocol identification method and system |
CN105844287A (en) * | 2016-03-15 | 2016-08-10 | 民政部国家减灾中心 | Domain self-adaptive method and system for remote sensing image classification |
US20180314943A1 (en) * | 2017-04-27 | 2018-11-01 | Jianming Liang | Systems, methods, and/or media, for selecting candidates for annotation for use in training a classifier |
Non-Patent Citations (4)
Title |
---|
JIHAI YANG: "An Iterative Transfer Learning based Classification framework", 《2018 INTERNATIONAL JOINT CONFERENCE ON NEURAL NETWORKS (IJCNN)》 * |
李素: "群智能算法优化支持向量机参数综述", 《智能***学报》 * |
李金乐: "基于改进蝙蝠算法的工业控制***入侵检测", 《华东理工大学学报(自然科学版)》 * |
魏峻: "基于蝙蝠算法的支持向量机参数优化", 《宝鸡文理学院学报(自然科学版)》 * |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110224987A (en) * | 2019-05-08 | 2019-09-10 | 西安电子科技大学 | The construction method of Internet Intrusion Detection Model based on transfer learning, detection system |
CN110852446A (en) * | 2019-11-13 | 2020-02-28 | 腾讯科技(深圳)有限公司 | Machine learning model training method, device and computer readable storage medium |
CN111091198A (en) * | 2019-11-28 | 2020-05-01 | 腾讯科技(深圳)有限公司 | Data processing method and device |
CN111091198B (en) * | 2019-11-28 | 2023-09-19 | 腾讯科技(深圳)有限公司 | Data processing method and device |
CN112422590A (en) * | 2021-01-25 | 2021-02-26 | 中国人民解放军国防科技大学 | Network traffic classification method and device based on active learning |
CN112801718A (en) * | 2021-02-22 | 2021-05-14 | 平安科技(深圳)有限公司 | User behavior prediction method, device, equipment and medium |
CN113132399A (en) * | 2021-04-23 | 2021-07-16 | 中国石油大学(华东) | Industrial control system intrusion detection method based on time convolution network and transfer learning |
CN114428960A (en) * | 2022-01-24 | 2022-05-03 | 东华大学 | ARP attack detection method based on single-source domain expansion and prior parameter migration |
CN114428960B (en) * | 2022-01-24 | 2024-04-30 | 东华大学 | ARP attack detection method based on single source field expansion and priori parameter migration |
CN117649672A (en) * | 2024-01-30 | 2024-03-05 | 湖南大学 | Font type visual detection method and system based on active learning and transfer learning |
CN117649672B (en) * | 2024-01-30 | 2024-04-26 | 湖南大学 | Font type visual detection method and system based on active learning and transfer learning |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109462610A (en) | A kind of network inbreak detection method based on Active Learning and transfer learning | |
Qu et al. | A survey on the development of self-organizing maps for unsupervised intrusion detection | |
Yu et al. | PBCNN: Packet bytes-based convolutional neural network for network intrusion detection | |
Li et al. | An effective data augmentation strategy for CNN-based pest localization and recognition in the field | |
CN101582813B (en) | Distributed migration network learning-based intrusion detection system and method thereof | |
CN109218223B (en) | Robust network traffic classification method and system based on active learning | |
CN109347834A (en) | Detection method, device and the equipment of abnormal data in Internet of Things edge calculations environment | |
CN106817248A (en) | A kind of APT attack detection methods | |
CN109143848A (en) | Industrial control system intrusion detection method based on FCM-GASVM | |
CN107368856A (en) | Clustering method and device, the computer installation and readable storage medium storing program for executing of Malware | |
CN110414223A (en) | A kind of attack detection method and device | |
Kamalov et al. | Orthogonal variance-based feature selection for intrusion detection systems | |
CN111741471B (en) | Intrusion detection method and device based on CSI and computer storage medium | |
Xu et al. | [Retracted] DDoS Detection Using a Cloud‐Edge Collaboration Method Based on Entropy‐Measuring SOM and KD‐Tree in SDN | |
CN113705604A (en) | Botnet flow classification detection method and device, electronic equipment and storage medium | |
CN106874762A (en) | Android malicious code detecting method based on API dependence graphs | |
CN112468498B (en) | Cross-mode polymerization method for multi-source heterogeneous safety monitoring data of power distribution terminal | |
CN114978593B (en) | Graph matching-based encrypted traffic classification method and system for different network environments | |
Elrawy et al. | IDS in telecommunication network using PCA | |
Sebastian | Enhancing Intrusion Detection In Internet Of Vehicles Through Federated Learning | |
Amudha et al. | Intrusion detection based on core vector machine and ensemble classification methods | |
Jain et al. | A novel distributed semi-supervised approach for detection of network based attacks | |
CN114398524A (en) | Encryption traffic classification method based on twin neural network | |
Song et al. | A clustering algorithm incorporating density and direction | |
Zou et al. | DePL: Detecting privacy leakage in DNS-over-HTTPS traffic |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | | Application publication date: 20190312 |