第4期 李卫东等：一种多标准决策树剪枝方法及其在入侵检测中的应用 .431. 法，并应用于网络入侵检测，文献[9]利用决策树对 Bramer M A.Proceedings of Expert Systems'86.the Sixth An- 传统的基于协议分析的入侵检测方法进行了改进 nual Technical Conference of the British Computer Society Spe- cialist Group on Expert Systems.Brighton:Cambridge University 这些工作基本上都是直接利用传统的决策树对基于 Press,1987:25 模式匹配的入侵检测方法进行改进，虽然在误报率 [4]Breiman L,Friedman J.Olshen R.et al.Classification and Re- 和错报率方面有所改善，但无法根据具体需求产生 gression Trees-Belmont:Wadsworth.1984:1 不同的决策树，与这些工作相比，本文提出的算法 [5]姜欣，徐六通，张雷.C4.5决策树展示算法的设计.计算机工 在灵活性上，以及在多个决策树的同时使用上有一 程与应用，2003,4：96 定的优势 [6]Esposito F,Malerba D.Semeraro G.A comparative analysis of methods for pruning decision trees.IEEE Trans Pattern Anal 4结论 lach Intel,1997,19(5):476 [7]Baik S,Bala J.A decision tree algorithm for distributed data min- 本文提出的剪枝方法，可以使决策树软件更具 ing:towards network intrusion detection//Lagan A.Proceedings 有适应性和鲁棒性，尤其是一个系统中使用多个决 of the 2004 International Conference on Computational Science 策树的情况下可以灵活地调整每一棵树的表现，使 and Its Applications.Berlin:Springer,2004:206 [8]Amor N B.Benferhat S.Elouedi Z,et al.Decision trees and 每一个小部分工作在最佳状态，如何在分布式环境 qualitative possibilistic inference:application to the intrusion de- 下实现本方法，以及如何平衡参数的数量与算法复 tection problem//Nielsen T.Zhang N.Proceedings of 7th Euro- 杂度，是进一步的工作方向· pean Conference on Symbolic and Quantitative Approaches to Rea- soning with Uncertainty.Berlin:Springer.2003:419 参考文献 [9]Abbes T,Bouhoula A.Rusinowitch M.Protocol analysis in in [1]Quinlan J R.Induction of decision tree.Mach Learn.1986,1 trusion detection using decision treeIEEE Proceedings of the In (1):81 ternational Conference on Information lechnology:Coding and [2]Quinlan J R.C4.5:Programs for Machine Learning.San Ma- Computing Las Vegas:Institute of Electrical and Electronics En- teo:Morgan Kaufmann Publishers Inc,1993:302 gineers Computer Society,2004:404 [3]Niblett T,Bratko I.Learning decision rules in noisy domains// A multi-criterion pruning method for decision trees and its application in intrusion detection LI Weidong,SONG Wei),LI Xin2),YANG Bingru2) 1)Information Technology School.Hebei University of Economics and Business,Shijiazhuang 050061.China 2)Information Engineering School.University of Science and Technology Beijing.Beijing 100083.China ABSTRACI To improve the applicability of decision trees,a multi-criterion pruning method was proposed for the application of decision trees in intrusion detection,which enabled decision trees suitable for different condi- tions by parameter adjustment.Several parameters for describing the performance of a decision tree,such as sta- bility,complexity and classification ability,were proposed.To meet the needs of different applications,the de- cision tree was expressed as a vector.Weights of different components of the vector could be adjusted according to the fact,and the required decision tree could be built gradually.Experimental results show that the proposed method can rapidly construct different decision trees according different specific environments,thus one program can be used in different conditions.The approach changes the creator of a decision tree from a programmer to a user,so the program is more suitable and the result is more reasonable. KEY WORDS intrusion detection:decision tree;pruning:stability;complexity:classification ability法‚并应用于网络入侵检测．文献［9］利用决策树对 传统的基于协议分析的入侵检测方法进行了改进． 这些工作基本上都是直接利用传统的决策树对基于 模式匹配的入侵检测方法进行改进‚虽然在误报率 和错报率方面有所改善‚但无法根据具体需求产生 不同的决策树．与这些工作相比‚本文提出的算法 在灵活性上‚以及在多个决策树的同时使用上有一 定的优势． 4 结论 本文提出的剪枝方法‚可以使决策树软件更具 有适应性和鲁棒性‚尤其是一个系统中使用多个决 策树的情况下可以灵活地调整每一棵树的表现‚使 每一个小部分工作在最佳状态．如何在分布式环境 下实现本方法‚以及如何平衡参数的数量与算法复 杂度‚是进一步的工作方向． 参 考 文 献 ［1］ Quinlan J R．Induction of decision tree．Mach Learn‚1986‚1 （1）：81 ［2］ Quinlan J R．C4∙5：Programs for Machine Learning．San Ma￾teo：Morgan Kaufmann Publishers Inc‚1993：302 ［3］ Niblett T‚Bratko I．Learning decision rules in noisy domains∥ Bramer M A．Proceedings of Expert Systems’86‚the Sixth An￾nual Technical Conference of the British Computer Society Spe￾cialist Group on Expert Systems．Brighton：Cambridge University Press‚1987：25 ［4］ Breiman L‚Friedman J‚Olshen R‚et al．Classification and Re￾gression Trees．Belmont：Wadsworth‚1984：1 ［5］ 姜欣‚徐六通‚张雷．C4∙5决策树展示算法的设计．计算机工 程与应用‚2003‚4：96 ［6］ Esposito F‚Malerba D‚Semeraro G．A comparative analysis of methods for pruning decision trees．IEEE Trans Pattern Anal Mach Intell‚1997‚19（5）：476 ［7］ Baik S‚Bala J．A decision tree algorithm for distributed data min￾ing：towards network intrusion detection∥Lagan A．Proceedings of the 2004 International Conference on Computational Science and Its Applications．Berlin：Springer‚2004：206 ［8］ Amor N B‚Benferhat S‚Elouedi Z‚et al．Decision trees and qualitative possibilistic inference：application to the intrusion de￾tection problem∥Nielsen T‚Zhang N．Proceedings of 7th Euro￾pean Conference on Symbolic and Quantitative Approaches to Rea￾soning with Uncertainty．Berlin：Springer‚2003：419 ［9］ Abbes T‚Bouhoula A‚Rusinowitch M．Protocol analysis in in￾trusion detection using decision tree∥IEEE Proceedings of the In￾ternational Conference on Information Iechnology：Coding and Computing．Las Vegas：Institute of Electrical and Electronics En￾gineers Computer Society‚2004：404 A mult-i criterion pruning method for decision trees and its application in intrusion detection LI Weidong 1）‚SONG Wei 2）‚LI Xin 2）‚Y A NG Bingru 2） 1） Information Technology School‚Hebei University of Economics and Business‚Shijiazhuang050061‚China 2） Information Engineering School‚University of Science and Technology Beijing‚Beijing100083‚China ABSTRACT To improve the applicability of decision trees‚a mult-i criterion pruning method was proposed for the application of decision trees in intrusion detection‚which enabled decision trees suitable for different condi￾tions by parameter adjustment．Several parameters for describing the performance of a decision tree‚such as sta￾bility‚complexity and classification ability‚were proposed．To meet the needs of different applications‚the de￾cision tree was expressed as a vector．Weights of different components of the vector could be adjusted according to the fact‚and the required decision tree could be built gradually．Experimental results show that the proposed method can rapidly construct different decision trees according different specific environments‚thus one program can be used in different conditions．The approach changes the creator of a decision tree from a programmer to a user‚so the program is more suitable and the result is more reasonable． KEY WORDS intrusion detection；decision tree；pruning；stability；complexity；classification ability 第4期 李卫东等： 一种多标准决策树剪枝方法及其在入侵检测中的应用 ·431·