基于GR-AD-KNN算法的IPv6网络DoS入侵检测技术研究

Research on DoS Intrusion Detection Technology of IPv6 Network Based on GR-AD-KNN Algorithm

随着IPv6网络流量的快速增加和复杂化,传统入侵检测系统Snort是基于具体规则对DoS攻击进行检测的,这降低了IDS的检测性能。为了解决IPv6网络环境下的DoS入侵检测问题,采用了机器学习中的轻量级KNN的优化算法。首先,通过信息增益率实现特征的双重降维,针对具有较多类型子特征的离散特征进行选择和聚合,以实现进一步降维,减小实际运算的特征维度。其次,利用信息增益率作为优化样本欧氏距离测量的权重。基于所提出的反向距离影响力的度量指标,对KNN算法的分类决策算法进行了优化,使检测技术的效果得到进一步提高。实验结果表明,相比传统基于平均距离的TAD-KNN算法和仅优化距离定义的GR-KNN算法,GR-AD-KNN算法在IPv6网络流量特征检测中不仅可以提升整体检测性能,同时还对小群体样本分类拥有更好的检测效果。

With IPv6 network traffic rapidly increasing,the traditional intrusion detection systems,such as Snort,based on speci-fic rules to detect DoS intrusion attacks,have the poor performance and adaptability in detecting DoS attacks.In order to solve the problem of detecting DoS attacks in IPv6,the KNN algorithm is improved in this paper.First,in order to decrease the number of low influential sub-features of discrete type features,the approach of selecting and clustering of sub-feature is implemented by information gain ratio,which can decrease the number of features and improve the efficiency in detecting DoS attack in IPv6.Se-cond,the improved algorithm GR-AD-KNN using information gain ratio as the weight of features to change Euclidean distance is proposed to achieve DoS attack detection.Based on a metric about reverse distance influence,the classification decision method in KNN algorithm is optimized,then the accuracy of detection approach is further improved.Experiments show that,compared with the TAD-KNN algorithm based on the average distances to classify attacks and the GR-KNN algorithm which only optimizes the Euclidean distance definition,the GR-AD-KNN algorithm not only improves the overall detection performance in IPv6 network traffic features detection,but also has better detection results on small population attack samples.