Journal of Electrical and Computer Engineering

Volume 2016 (2016), Article ID 3095971, 6 pages

http://dx.doi.org/10.1155/2016/3095971

## SVM Intrusion Detection Model Based on Compressed Sampling

^{1}College of Computer and Information Science, Southwest University, Chongqing 400715, China

^{2}Chongqing City Management Vocational College, Chongqing 400055, China

Received 2 October 2015; Accepted 20 January 2016

Academic Editor: Michele Vadursi

Copyright © 2016 Shanxiong Chen et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Intrusion detection needs to deal with a large amount of data; network intrusion detection in particular has to inspect all network data. Massive data processing is the bottleneck of network software and hardware equipment in intrusion detection. If we can reduce the data dimension at the data sampling stage and directly obtain the feature information of network data, the efficiency of detection can be improved greatly. In this paper, we present an SVM intrusion detection model based on compressive sampling. We use the compressed sampling method of compressed sensing theory to compress the features of the network data flow and obtain a refined sparse representation. An SVM is then used to classify the compression results. This method can detect anomalous network behavior quickly without reducing the classification accuracy.

#### 1. Introduction

With the rapid development of network technology, Internet-based technologies are widely applied across industries, leading to great improvement in productivity. While people enjoy the convenience and efficiency brought about by networks, a variety of potential threats are jeopardizing the security of network communication. When networks were first designed, people paid more attention to data transmission efficiency and communication convenience and less attention to the security of network protocols [1]. Many network protocols lack a secure communication mechanism; thus, an Internet built on these protocols naturally has many security vulnerabilities [2, 3]. With the development of e-commerce, e-government, and other businesses with high security demands, a variety of network-based secure communication protocols have appeared, but these protocols are built on the TCP/IP architecture, which is an open system that is insecure from the basic communication layer up [4]. Attack techniques have developed continuously alongside security technology, so, given that network threats are inevitable, a current research hotspot in network security is to detect security threats promptly and correctly and to respond appropriately, so as to reduce the loss caused by network attacks [5–7].

Compressed sensing is a new data processing theory with many important applications in medical imaging [8], signal processing [9], communications [10], harmonic detection [11], and so forth. The data acquisition and processing methods of compressed sensing theory give rise to great performance improvement of intrusion detection technology [12, 13]. Currently, massive data processing is the performance bottleneck of network software and hardware equipment. If, in the data acquisition phase, the dimension of the data can be reduced and the characteristic information of network data obtained directly, the efficiency of detection will be greatly improved [14, 15]. SVM intrusion detection based on compressed sensing uses the compressed sampling technique of compressed sensing theory to obtain a small amount of data describing network behavior characteristics and then uses a support vector machine (SVM) to establish an intrusion detection model, so as to realize rapid judgment of intrusion behavior.

#### 2. Compressed Sensing Theory

If there are only nonzero elements in a discrete signal, the signal is considered to be sparse. In view of a nonsparse discrete signal , the signal can obtain the sparse or nearly sparse representation in the condition of a proper sparse base :

is the sparse or nearly sparse representation of signal . According to the CS (compressed sensing) theory, the sampling process of discrete signal is described as below: The signal with a length of is projected times on the sensing matrix , and then the compressed form of the signal can be obtained [16]. Its expression is , . In order to improve the efficiency of sampling, the frequency of sampling should be reduced as much as possible; usually, . It can be seen that the length of is less than that of , so it is called compressed sensing. It is different from traditional data acquisition method that includes acquisition, compression, transmission, and decompression; the compressed sensing theory merely collects the information that best represents data characteristic rather than obtaining a complete signal and high resolution images. Compressed sampling method saves storage space and reduces transmission cost to a great extent. The biggest difference between compressed sensing and traditional data sampling mode is that compressed sensing has realized the compression in the process of data acquisition and reconstruction in the later phase; the traditional mode is to collect complete data information first and then to compress data for storage and transmission. Therefore, the CS theory provides an undersampling mode for data acquisition and can get information in the slower rate compared to Nyquist. The mathematical model of compressed sensing is expressed as below.

For signal , find a linear measurement matrix () for projection algorithm

where represents the collected signals. The crux of the problem is to recover signal from signal , and Φ is not a square matrix (), so it gets involved in a problem of solving an underdetermined equation. And to be solved can have a solution set. Furthermore, the compressed sensing theory shows that, under the specific conditions, is the unique solution, and this solution is obtained through reconstructing that is acquired by compressed sampling [17, 18].

Equation (2) shows the signal sampling mode, and the CS theory suggests that the solution of (2) must ensure that is sparse, so as to solve the equation through 0 norm minimization problem. In reality, most of the signals are not sparse. The existing theory shows that when a signal is projected on the orthogonal transformation matrix, the absolute value of most transform coefficients is small [19], and the obtained transform vector is sparse or approximately sparse, which is considered as a concise expression of original signal, a prior condition of compressed sensing; namely, the signal must have a sparse representation under some type of transformation. Therefore, sparse transformation base is established, and the sparse representation of nonsparse signals is completed according to (1). Combined with (1) and (2), compression sampling of the signal can be described as below: equation (2) is used for compressed sampling of the signal to obtain , and then (4) is used for sparse solution; ultimately, is used for sparse inverse transformation, so as to reconstruct the signal . Consider

where , which is still an underdetermined equation; however, under certain constraints, is used to solve . Of course, if the signal is sparse, there is no need for sparse transformation; at this point . In compressed sensing, the signal needs to meet the conditions; one constraint condition is sparse representation, and the other important one is to satisfy the RIP (Restricted Isometry Property) [20]; namely, there is a restricted isometry constant for the matrix .

is defined as the minimum value to make the equation true. Consider

Herein represents -order sparse vector.

#### 3. SVM Intrusion Detection Model Based on Compressed Sensing

The SVM intrusion detection method based on compressed sensing first carries out compressed sampling of the tagged training dataset to obtain compressed characteristic data, which is then input into the SVM classifier for training to obtain the classification model. In the detection phase, compressed sampling is carried out on the untagged dataset, the trained SVM classification model is reused to classify the data into normal or abnormal access behaviors, and the data detected as normal behavior is then reconstructed to obtain the complete normal network data flow.

As shown in Figure 1, the steps for intrusion detection based on compressed sensing include the following:

(1) Pretreatment of the dataset: compressed sensing samples vector data directly, so training data and testing data should be expressed in the form of vectors.

(2) Selection of a proper measurement matrix and sparse matrix: the measurement matrix and sparse base should meet the conditions of RIP, and the data resulting from their compressed sampling must effectively express the original data at the same time.

(3) Construction of the SVM classifier: the SVM classifier uses the low-dimensional data obtained by compressed sampling to complete classification training, and the testing dataset has high detection precision.

(4) After performing detection, if network access is normal, the reconstruction algorithm is used to restore the detection data to its full form before sampling.
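Steps (1) to (3) can be traced end to end on a small constructed dataset. The following Python sketch is an added example, not code from the paper: it compresses sparse feature vectors with a random Gaussian measurement matrix and trains a linear SVM directly on the compressed samples, leaving out the reconstruction of step (4). The sizes (64 features, 16 measurements), the Gaussian choice of Φ, the synthetic "flows", the subgradient-descent trainer and all function names are assumptions made for illustration.

```python
import random

N_FEATURES, N_MEASUREMENTS = 64, 16  # constructed sizes (assumption), M < N

def measurement_matrix(m, n, rng):
    """Random Gaussian measurement matrix Phi (m x n), entries ~ N(0, 1/m)."""
    scale = m ** -0.5
    return [[rng.gauss(0.0, scale) for _ in range(n)] for _ in range(m)]

def compress(phi, x):
    """Compressed sampling: project an n-vector onto the m rows of Phi."""
    return [sum(p * v for p, v in zip(row, x)) for row in phi]

def make_flow(label, rng):
    """Constructed sparse record: normal (-1) uses features 0-4, anomalous (+1) 30-34."""
    x = [0.0] * N_FEATURES
    start = 30 if label == 1 else 0
    for j in range(start, start + 5):
        x[j] = rng.uniform(0.8, 1.2)
    return x

def train_linear_svm(samples, labels, rng, lr=0.05, lam=0.001, epochs=30):
    """Linear SVM: stochastic subgradient descent on the regularised hinge loss."""
    w, b = [0.0] * len(samples[0]), 0.0
    order = list(range(len(samples)))
    for _ in range(epochs):
        rng.shuffle(order)
        for i in order:
            score = sum(wj * sj for wj, sj in zip(w, samples[i])) + b
            w = [wj * (1 - lr * lam) for wj in w]  # L2 shrinkage
            if labels[i] * score < 1:  # margin violated: hinge subgradient step
                w = [wj + lr * labels[i] * sj for wj, sj in zip(w, samples[i])]
                b += lr * labels[i]
    return w, b

def predict(w, b, sample):
    return 1 if sum(wj * sj for wj, sj in zip(w, sample)) + b >= 0 else -1

def run_pipeline(seed=7):
    rng = random.Random(seed)
    phi = measurement_matrix(N_MEASUREMENTS, N_FEATURES, rng)
    def dataset(count):  # steps (1)-(2): vector records, then compressed sampling
        labels = [rng.choice((-1, 1)) for _ in range(count)]
        return [compress(phi, make_flow(l, rng)) for l in labels], labels
    train, train_labels = dataset(200)
    test, test_labels = dataset(100)
    w, b = train_linear_svm(train, train_labels, rng)  # step (3)
    hits = sum(predict(w, b, s) == l for s, l in zip(test, test_labels))
    return len(test[0]), hits / len(test_labels)
```

`run_pipeline()` returns the dimension of the compressed samples and the accuracy on the held-out compressed records; the classifier never sees the original 64-dimensional vectors.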