SVM Intrusion Detection Model Based on Compressed Sampling

Intrusion detection needs to deal with a large amount of data; particularly, the technology of network intrusion detection has to detect all of network data. Massive data processing is the bottleneck of network software and hardware equipment in intrusion detection. If we can reduce the data dimension in the stage of data sampling and directly obtain the feature information of network data, efficiency of detection can be improved greatly. In the paper, we present a SVM intrusion detection model based on compressive sampling. We use compressed sampling method in the compressed sensing theory to implement feature compression for network data flow so that we can gain refined sparse representation. After that SVM is used to classify the compression results. This method can realize detection of network anomaly behavior quickly without reducing the classification accuracy.


Introduction
With the rapid development of network technology, various Internet-based technologies are widely applied in various industries, leading to great improvement of productive forces.People are enjoying convenience and efficiency brought about by network, and a variety of potential threats are jeopardizing the security of network communication at the same time.At the beginning of network design, people paid more attention to data transmission efficiency and communication convenience and paid less attention to the security of network protocol [1].Many network protocols are lacking secure communication mechanism; thus, there are naturally a lot of security vulnerabilities in Internet based on these network protocols [2,3].With the development of ecommerce, e-government affairs, and other businesses having high demand for security, a variety of network-based security communication protocols appeared, but these protocols are based on TCP/IP architecture, which is a kind of unsafe open system from the basic communication layer [4].The existing attack techniques and technologies have unceasingly developed with the enhancement of security technology, so in the case of all kinds of inevitable network threats, a current research hotspot on network security is to timely and correctly detect security threats and to take appropriate treatment, so as to reduce the loss caused by network attacks [5][6][7].
Compressed sensing is a new data processing theory; there are many important applications in medical image [8] and signal processing [9], communications [10], harmonic detection [11], and so forth.Data acquisition and processing method of compressed sensing theory give rise to great performance improvement of intrusion detection technology [12,13].Currently, massive data processing is the performance bottleneck of network software and hardware equipment.In the phase of data acquisition, if the dimension of data can be reduced and characteristic information of network data can be directly obtained, the efficiency of the detection will be greatly improved [14,15].SVM intrusion detection technology based on compressed sensing uses the compressed sampling technology of compressed sensing theory to get a small amount of data concerning network behavior characteristics and then uses the support vector machine (SVM) to establish an intrusion detection model, so as to realize rapid judgment of intrusion behavior.

Compressed Sensing Theory
If there are only  nonzero elements in a discrete signal, the signal is considered to be  sparse.In view of a nonsparse discrete signal , the signal can obtain the sparse or nearly sparse representation in the condition of a proper sparse base Ψ ∈  × :  = Ψ. (1) is the sparse or nearly sparse representation of signal .According to the CS (compressed sensing) theory, the sampling process of discrete signal is described as below: The signal  with a length of  is projected  times on the sensing matrix Φ {Φ  ,  = 1, 2, . . ., }, and then the compressed form of the signal can be obtained [16].Its expression is   = Φ   ,  = 1, 2, . . ., .In order to improve the efficiency of sampling, the frequency of sampling should be reduced as much as possible; usually,  < .It can be seen that the length of  is less than that of , so it is called compressed sensing.It is different from traditional data acquisition method that includes acquisition, compression, transmission, and decompression; the compressed sensing theory merely collects the information that best represents data characteristic rather than obtaining a complete signal and high resolution images.Compressed sampling method saves storage space and reduces transmission cost to a great extent.The biggest difference between compressed sensing and traditional data sampling mode is that compressed sensing has realized the compression in the process of data acquisition and reconstruction in the later phase; the traditional mode is to collect complete data information first and then to compress data for storage and transmission.Therefore, the CS theory provides an undersampling mode for data acquisition and can get information in the slower rate compared to Nyquist.The mathematical model of compressed sensing is expressed as below.
For signal  ∈  ×1 , find a linear measurement matrix Φ ∈  × ( < ) for projection algorithm where represents the collected signals.The crux of the problem is to recover signal  from signal , and Φ is not a square matrix ( < ), so it gets involved in a problem of solving an underdetermined equation.And  to be solved can have a solution set.Furthermore, the compressed sensing theory shows that, under the specific conditions,  is the uniqueness solution, and this solution is obtained through reconstructing  that is acquired by compressed sampling [17,18].Equation (2) shows the signal sampling mode, and the CS theory suggests that the solution of (2) must ensure that  is sparse, so as to solve the equation through 0 norm minimization problem.In reality, most of the signals are not sparse.The existing theory shows that when a signal is projected on the orthogonal transformation matrix, the absolute value of most transform coefficients is small [19], and the obtained transform vector is sparse or approximately sparse, which is considered as a concise expression of original signal, a prior condition of compressed sensing; namely, the signal must have a sparse representation under some type of transformation.Therefore, sparse transformation base Ψ is established, and the sparse representation of nonsparse signals is completed according to (1).Combined with ( 1) and ( 2), compression sampling of the signal  can be described as below: equation ( 2) is used for compressed sampling of the signal  to obtain , and then ( 4) is used for  sparse solution; ultimately,  is used for sparse inverse transformation, so as to reconstruct the signal .Consider where Θ = ΦΨ, which is still an underdetermined equation; however, under certain constraints,  is used to solve .Of course, if the signal is sparse, there is no need for sparse transformation; at this point Θ = Φ.In compressed sensing, the signal needs to meet the conditions; one constraint condition is sparse representation, and the other important one is to satisfy the RIP (Restricted Isometry Property) [20]; namely, there is a restricted isometry constant   for the matrix Θ.   is defined as the minimum value to make the equation true.Consider Herein V  represents -order sparse vector.

SVM Intrusion Detection Model Based on Compressed Sensing
The SVM intrusion detection method based on compressed sensing is to carry out compressed sampling of the tagged training dataset, so as to obtain compressed characteristic data and then to input it into SVM classifier for training, so as to obtain the classification model.In the detection phase, carry out compressed sampling of the untagged dataset, and then reuse the built SVM classification model to classify data, to obtain normal or abnormal access behaviors, and then reconstruct the detected data of normal behaviors, to obtain the complete normal network data flow.As shown in Figure 1, the steps for intrusion detection based on compressed sensing include the following: (1) Pretreatment of dataset: the compressed sensing theory is to directly sample vector data, so training data and testing data should be expressed in the form of vector.
(2) Selection of proper measurement matrix and sparse matrix: measurement matrix and sparse base should meet the conditions of RIP, and data resulting from their compressed sampling must effectively express the original data at the same time.
(3) Construction of the SVM classifier: the SVM classifier can use compressed sampling to obtain lowdimensional data, so as to complete classification training, and testing dataset has high detection precision.
(4) After performing detection, if network access is normal, the reconstruction algorithm is used to restore detection data to full form before sampling.

Experiments and Analysis
The experiments used KDD CUP99 dataset.The dataset was collected in a network environment which was established in MIT Lincoln Laboratory, simulating local area network (LAN) of the US Air Force.It includes 9-week TCP dump network connections and system audit data, simulating various types of users, network traffic, and attack technique.
The compressed sensing theory request data must be expressed in the form of vector; therefore, each nonnumerical attribute must be converted into a numerical value, and herein the numerical value can simply replace category attributes.Furthermore, in order to eliminate the influence of characteristic dimension on the experimental results, continuous data need to be standardized.The following equation is used for standardization. = {  |  = 1, . . ., ,  = 1, . . ., } is input data,  represents the number of sample datasets, and  represents the characteristic digit of sample data,  represents mean value, and  is standard deviation of the sample.Therefore, the normalization expression of sample data is as below: where In order to clearly observe the experimental results, we introduced the following indicators for detection performance.
Detection rate refers to the ratio between the number of correct attack datasets detected in the testing set and the number of total actual attack datasets; that is, the equation is as below: DR = the number of attacks detected the number of attacks %.
False positive rate refers to the ratio between the number of attack datasets being identified by mistake after the test set is detected through the algorithm and the number of total attack datasets detected; that is, the equation is as below: FPR = the number of false positive false positive + true positive %.
The experiments adopted 10% training subsets of the KDD CUP99 dataset as training data of the classifier and the test subset tagged correct as test data.We first considered the classifier learning and detection without compressed sampling and then carried out compressed sampling of training data and test data and input it into the SVM classifier for learning and detection.The experimental procedure is as follows: (1) We extract test data from 10% training subsets of the KDD CUP99 dataset.Compressed sampling is to deal with numeric data; it is required to convert nonnumeric data into numeric data in the procedure, except data with attack attribute; namely, attack-type data cannot be converted to numeric data; otherwise, attack-type data cannot be recognized.So the corresponding relation between attribute value of attacktype data and each record should be kept.
(2) The KDD CUP99 dataset refers to normal and attack data collected for a long time; from the perspective of the entire data sample, there is a small number of attack datasets, so the standardized dataset is a sparse set, the formed matrix is a sparse matrix, and there is no need for sparsification.
(3) In the experiment, multiple measurement matrices are directly used for compressed sampling of training set: Gaussian random matrix, random Bernoulli matrix, partial Hadamard measurement matrix, Toeplitz measurement matrix, structure random matrix, and Chirp measurement matrix.
(4) The compressed data obtained are, respectively, input into the SVM-constructed classifier for training, thus forming a training model.
(5) The corrected subsets of KDD CUP99 dataset are selected as test set.Herein carry out normalized conversion of test data; namely, convert nonnumeric data into numerical data for compressing sampling, and then input compressed data into the training model for detection.
Table 1 shows the results of using the SVM-constructed classifier for intrusion detection of different sampling matrixes through 30 times of sampling.
Table 1 showed the results of using the compressed sampling method for intrusion detection and of using the noncompressed sampling method to directly input it into the classifier for training and detection.It can be seen from Table 1 that the results obtained through two methods were similar.For the traditional method of compressed sampling, the detection rate of five types, that is, Normal, Probe, Dos, U2R and R2L, was more than 98% except that of U2R.Under the condition of compressed sensing, the detection rate obtained by using different sampling matrixes was around 98%.Only the detection rate obtained by using the compressed sampling method for U2R attack-type data was lower, and the false positive rate was higher.After further analysis, it was found that the traditional method for U2R attack-type data had a low detection rate, which was related to dataset itself, less U2R type data, and deviation of the training model.In reality, the use of compressed sensing method cannot greatly improve the detection rate but can increase the efficiency of training and detection by reducing dimension data.Figure 2 showed training and detection time under different sampling matrixes after 30 times of sampling.
Figure 2 showed that, after the method of compressed sampling was used for information processing of KDD CUP99 dataset, time used for training and inspection was reduced.In particular, it can be found that for data obtained through using the Gaussian random matrix for compressed sampling its training and detection time is decreased greatly for four classifiers of detection.
Besides attack-type attribute, the KDD CUP99 dataset has 41D characteristics, and matrixes are used for compressed sampling of 41D characteristics.However, compressed sampling also affects detection precision.In theory, the higher the degree of compression is, the shorter the model's training and detection time is, affecting detection precision.In further experiments, we analyzed the relationship between compression degree and detection precision.For convenience of representation, the detection rate for DoS attack was selected for analysis.In the experiments, there are six sampling matrixes, respectively, under different sampling frequencies, so SVM method was used to obtain the detection rate of the corrected dataset according to sampling matrixes.Sampling frequencies were 10, 15, 20, . . ., 40.The dimension of KDD CUP99 data was 41D, so there was basically no compressed sampling under the condition of sampling frequency of 40.
It can be seen from Figure 3 that, under the condition of low sampling frequency, the SVM-constructed classifier had lower DoS detection precision.Based on the compressed sensing theory, in order to perfectly express data, sampling frequency  must have particular relations; that is,  ≥  ⋅  ⋅ log .In general, four times of data sparseness are selected as the sampling frequency.The figure showed that, under the low sampling frequency, the detection rate was lower; with the increase of sampling frequency, the detection rate was increased accordingly.When the sampling frequency was up to 30 or so, the detection rate tended to be stable.At this time, the low-dimensional data obtained through compressed sampling of KDD CUP99 dataset can effectively express the original high-dimensional data.Thus, DoS detection rate is approximate to the detection rate obtained by using the method of noncompressed sampling.However, with the further increase of sampling frequency, there was no significant change of detection rate.

Conclusion
Intrusion detection needs to deal with massive network data, leading to low detection efficiency.In the paper, the compressed sensing technology was applied to realize network data compression, and the SVM method was used to anomalously detect the compressed data.We have arrived at a conclusion that, relative to direct use of the classifier for learning and detection of training set and testing set, the intrusion detection model established through compressed sensing had no significant change of detection rate and false positive rate, but training and detection time was greatly reduced, which is the key to detect network data flow.A large number of network datasets need rapid and real-time detection, so it can be seen that intrusion detection based on compressed sensing has provided a real-time network security protection mechanism.

Figure 1 :
Figure 1: Intrusion detection process based on compressed sensing.

Figure 2 :
Figure 2: Training and detection time.

Figure 3 :
Figure 3: Detection rate of the -nearest neighbor algorithm as a classifier for DoS attack.

Table 1 :
Detection result of the support vector machine (SVM) as the classifier.