Condition Elements Extraction based on PCA Attribute Reduction

and Xgboost

Luzhe Cao

1

, Jinxuan Cao

1

, Haoran Yin

1

, Yongcheng Duan

1

and Xueyan Wu

2

1

College of Information Technology and Network Security, People's Public Security University of China, Beijing, China

2

College of Law and Criminology, People's Public Security University of China, Beijing, China

Keywords: Situation Elements, Situation Elements Extraction, Principal Component Analysis, Xgboost.

Abstract: In order to solve the problems of high data redundancy, unsatisfactory classification effect and low precision

rate of situation elements extraction in large-scale network, a algorithm that extraction of situation elements

based on PCA attribute reduction and Xgboost is proposed. Firstly, PCA is used to reduce the attributes of

the data set, and then Xgboost classifier is constructed to classify and train the data after dimension reduction.

In order to verify the effectiveness of the proposed algorithm, NSL-KDD data set was used to test the

proposed algorithm. Through experiments, this algorithm is compared with SVM and other five algorithms.

The experimental results show that the precision rate of the algorithm is greatly improved and the extraction

of situation elements is effectively improved.

1

INTRODUCTION

Network security situation awareness is an insight

into the overall security situation of complex and

heterogeneous networks, aiming at obtaining,

analyzing and predicting the development trend of

elements related to network security. Network

security situation awareness includes three parts:

situation extraction, situation assessment and

situation prediction

（

Qi Ben et al., 2017

）

. Situation

extraction is the premise of situation assessment and

situation prediction. It aims to extract and analyze

factors that influence network security through

screening a large amount of data, and finally form

situation elements.

With a view to the problem of situation elements

extraction, many scholars have made some studies.

American Bass first proposed situation awareness

and obtained situation elements by refining data,

objects and situations (Bass T, 2016).

In order to

solve the problem of situation factor extraction, an

extraction technique based on conception is

proposed. The hierarchical framework is established

through the enhanced probabilistic neural network to

solve the problem that extraction of situation

elements (Li Fangwei et al., 2017).

Li dongyin

improved the precision rate of situation elements

acquisition by establishing improved particle swarm

optimization algorithm and logistic regression

algorithm, neighborhood rough set technology and

situation elements extraction model of MapReduce

distributed framework (Li Dongyin, 2014).

Liu

xiaowu proposed a fusion-based situational

awareness control model for network security and

improved the ability of perceived threat through

hierarchical situational awareness (Liu Xiaowu et al.,

2016).

It can extract situation elements effectively by

constructing the knowledge based on ontology

model (Si cheng et al., 2015).

In view of the need of

prior knowledge in the extraction process of situation

elements, this paper introduced the idea of parallel

reduction on rough set, removes redundant attributes,

and realized the efficient extraction of situation

elements (Zhao Dongmei et al., 2017).A deep self-

coding algorithm is proposed to extract situation

elements to solve the problems of high time

complexity and low classification precision rate (Zhu

Jiang

et al., 2017).

The above research algorithms have achieved

certain results in specific fields. However, data

collected in complex network environments often

has too many dimensions and redundant attributes,

so it is particularly important to reduce dimensions

and redundancy. Therefore, this paper proposes a

algorithm of situation elements extraction based on

PCA (Principal Component Analysis) attribute

reduction and Xgboost (eXtreme Gradient

Boosting).On the one hand, PCA is introduced into

the extraction of network situation elements and

redundant attributes in the data are deleted through

Cao, L., Cao, J., Yin, H., Duan, Y. and Wu, X.

Condition Elements Extraction based on PCA Attribute Reduction and Xgboost.

DOI: 10.5220/0009370002430248

In Proceedings of the 5th International Conference on Internet of Things, Big Data and Security (IoTBDS 2020), pages 243-248

ISBN: 978-989-758-426-8

Copyright

c

2020 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved

243

PCA. On the other hand, the Xgboost classifier is

used for classification training of processed data to

improve the precision rate and effectively improve

the work of situation elements extraction.

2 NETWORK SECURITY

SITUATION ELEMENTS

EXTRACTION

2.1 The Concept of Network Security

Situation Elements

Network security incident refers to a series of

abnormal activities that threaten the operation of

computer network and application system. Network

security situation elements are some internal factors

that cause the occurrence and change of these

security events (Wang sen, 2017).The sources of

security data often have the characteristics of

diversification, they involve a large number of

heterogeneous format information and come from

different devices to network security (Chen y,

2019) .Therefore, in order to have a great effect in

network security protection and the network security

state, it is necessary to focus on the work related to

situation elements. Figure 1 represents the existing

form of situation elements.

Network

environment

safetysecurityincidentsituation elements

Figure 1: Existence form of situation elements.

2.2 The Basic Process of Extracting

Network Security Situation

Elements

The extraction of network security situation elements

refers to collect multi-source heterogeneous data and

analyze these elements in a complex network

environment. In the analysis stage, according to the

established rules, the collected data should be

processed to obtain the basic elements that affect

network security (Guo Jian, 2011).Common

situation elements include data generated by system

operation, data generated by network equipment

(including state information of network equipment

itself and data generated during network equipment

operation) and data generated during network attack.

The key task of situation factor extraction is to find

abnormal behaviors or risk factors in these data

accurately and screen out valuable data (Li Hong,

2017) .In the process of extraction, it is necessary to

conduct attribute reduction for situation factor data,

delete redundant attributes and conduct classification

training. Figure 2 shows the basic flow of situation

elements extraction.

original

data

attribute

reduction

Classification

training

module

situation

elements

Reduction

rules

classification

rules

Figure 2: Basic process of situation elements extraction.

The core of situation elements extraction is to

carry out attribute reduction and data classification.

In the process of attribute reduction, it is necessary

to make comprehensive judgment on multiple

attributes in each piece of information and filter out

the important attributes through dimension reduction

or attribute fusion. In the classification training

module, trainers can be constructed through different

classification rules to train the data after attribute

reduction.

This paper uses PCA on data attribute reduction.

PCA is an algorithm that used in machine learning

dimension reduction commonly. By constructing a

set of orthogonal basis, it will project high dimension

data to a plane, reduce the dimension of data. PCA

minimizes the variance between the principal axis

and the data point by translating the origin of

coordinates and rotating the axes. After the

coordinate transformation, the orthogonal axis with

high variance is removed and the reduced dimension

data set is obtained. This algorithm not only reduces

the dimensions of the data but also preserves most of

the information in the original higher-dimensional

data.

Select Xgboost as the classifier in the

classification training module. Xgboost is an

improvement of the GBDT (Gradient Boosting

Decision Tree) algorithm. GBDT is an iterative

IoTBDS 2020 - 5th International Conference on Internet of Things, Big Data and Security

244

decision tree algorithm in machine learning. It is an

algorithm based on classification and regression tree.

Compared with GBDT, Xgboost takes into account

the complexity of the tree when generating the CART

(Classification And Regression Tree) Tree.

Meanwhile, compared with GBDT, Xgboost uses the

second-derivative expansion and introduces

regularization terms when fitting the loss function to

prevent overfitting. It improves the algorithm

precision rate. Finally, the extraction of situation

elements is completed.

3 CONDITION ELEMENTS

EXTRACTION BASED ON PCA

ATTRIBUTE REDUCTION AND

Xgboost

The multi-source heterogeneous data in the network

has the characteristics of multi dimension and large

scale. Traditional algorithms in the process of

situational elements extraction need a lot of prior

knowledge. When the amount of data is too large, the

influence of subjective will reduce the precision rate

of the situational factors of extraction. Therefore it is

difficult to analyze data effectively and reliably. The

PCA attribute reduction and Xgboost algorithm is

proposed in this paper uses PCA to reduce the

dimension of data and convert multiple indicators

into fewer comprehensive indicators. Then the

Xgboost classifier is used to train and test the data

after sorting data. Finally

，

by completing the

extraction of situation elements, it increases the

precision rate of situation elements extraction.

3.1 PCA Attribute Reduction and

Xgboost Algorithm for Situation

Elements Extraction

PCA algorithm has a good capacity on data

processing, it can reduce the dimensionality of a

large number of complex redundant data and retain

the main information in the data while reducing the

redundancy. However, PCA is generally used for

dimensionality reduction of feature matrix, which is

not suitable for distinguishing different sample

classes. Therefore, its dimensionality reduction

advantage is not suitable for classification. Xgboost

has great advantages in classification, it also can

bring good classification effect and high precision

rate. Therefore, according to the characteristics of

PCA and Xgboost, an algorithm of situation elements

extraction based on PCA attribute reduction and

Xgboost is proposed to improve the classification

effect. The algorithm proposed in this paper is shown

in figure 3.

Rawdata

acquisition

Establish

theoriginal

datamatrix

PCA

attribute

reduction

Buildthe

Xgboost

classifier

model

Testthe

Xgboost

classifier

Thetest

results

Figure 3: Situation elements extraction algorithm based on

PCA attribute reduction and Xgboost.

The steps of the situation elements extraction

algorithm proposed in this paper are as follows:

1) The obtained original m n-dimensional data

are formed into n rows and m columns to establish

the original data matrix X.

2) PCA is used for attribute reduction to obtain

the optimized training samples.

3) According to the data characteristics after

attribute reduction, the Xgboost classifier is selected

to classify and process the data after dimension

reduction. Then it can obtain the Xgboost classifier

model for situation elements extraction.

4) Test the Xgboost classifier and get the

experimental results.

The specific steps for step 2 above are shown in

figure 4.

Removalmean

Calculatethe

covariance

matrix

Calculatethe

eigenvaluesand

eigenvectors

Selectthe

eigenvalue

Retained

eigenvector

Transformthe

data

Figure 4: PCA dimensionality reduction process for data.

3.2

The Specific Steps of PCA

Attribute Reduction

1) Subtract the average value of each row from the

generated data matrix.

2) Calculate the covariance matrix of the sample

matrix.

1

T

C

X

X

m

(1)

Condition Elements Extraction based on PCA Attribute Reduction and Xgboost

245

3) Find the eigenvalues and corresponding

eigenvectors of the covariance matrix C.

4) Rank the eigenvalues from high to small

。

Select

the first k eigenvalues and take the corresponding

eigenvectors of the k eigenvalues as row vectors to

form the eigenvector matrix P.

5) Construct Y=PX, and transform the data into a

new space constructed by k feature vectors, then get

the data reduced to k dimensions.

In the Step 1, the training sample set is processed

to obtain the decentralized sample matrix firstly.

Then, in the Step 2, the algorithm calculates the

covariance matrix C with the new sample matrix.

The covariance matrix C is a square matrix, in order

to calculate the eigenmatrix and eigenvector more

conveniently, the eigenvalue decomposition matrix

algorithm is used to realize the PCA algorithm in the

obtained covariance matrix. Because the noise in the

data often affects the smaller eigenvalues, the

dimension reduction can be achieved by discarding

the smaller eigenvalues.

3.3

Specific Steps for Xgboost

Classifier Training

1) Set the objective function of Xgboost round t as:

1

ˆ

,

1

n

t

lftc

Obj y y f

x

i

tiit

i

(2)

Where,

b

t

Oj

is the objective function of iteration t,

n is the number of samples,

l

is the loss function,

that is the difference between the predicted value and

the real value.

i

y

is the true value of the sample

data,

1

ˆ

t

i

y

is the predicted value of the model in

the t-1 iteration.

()

i

t

f

x

is the newly added function

and can also be understood as a decision tree that can

make the optimization effect better on the basis of

the model in the previous step (t-1). C is the constant

term generated in the calculation process.

2) According to the Taylor expansion of the

second order

1

'''

2

2

fx x fx x x x

ff

x

(3)

Set

1

ˆ

,

1

ˆ

t

l

yy

ii

g

t

t

y

i

(4)

1

2

ˆ

,

1

ˆ

t

yy

ii

h

t

t

y

i

(5)

By substituting

t

g

,

t

h

and

f

t

into

equation (2), the objective function is obtained by

recombining the leaf nodes and removing the

constant term.

1

2

b

2

1

n

T

Oj g

whw

ji

ti

j

ii i

ll

jj

(6)

3) The optimal weight w* and the optimal value

of the corresponding objective function are obtained.

*

g

i

i

l

j

w

j

h

i

i

l

j

(7)

2

1

2

1

g

i

i

T

l

j

Obj T

h

i

j

i

l

j

(8)

According to equation (8), the optimal decision tree

structure is built and the prediction is made.

4 EXPERIMENT AND ANALYSIS

4.1 The Data Set

In this paper, data set is the refined data set NSL-

KDD in the kdd-cup99 data set. Kdd-cup99 data set

is a simulation of the USAF LAN network

connection data for 9 weeks. It is divided into

training data and test data. The experimental data

consists of 41 condition attributes and 1 tag attribute.

The tag attribute types are Normal, DoS, Probe, U2R

and R2L.Table 1 shows the overall distribution of the

NSL-KDD dataset.

Table 1: Data distribution of NSL-KDD.

The data

set

Normal Dos The

Probe

U2R

The

training

set

66532 46335 12443 63

The test

set

9632 7546 2542 208

IoTBDS 2020 - 5th International Conference on Internet of Things, Big Data and Security

246

4.2

Experimental Algorithm and

Result Analysis

In the experiment, Weka3.9.2, an open source

machine learning tool based on JAVA environment

and a data mining tool, was adopted. In the

experiment, we imported the data into Weka3.9.2.

During processing, we processed the data in batches,

processing 100 pieces of data at a time. In the

experiment, Xgboost was selected for classification

in Classifier and PCA was selected for attribute

reduction in evaluatora to construct a Classifier. The

steps are as follows:

1

）

Firstly, a correlation matrix C is generated,

which has 121 rows and 121 columns. Through

observation, it can be seen that this matrix is a real

symmetric matrix. In this matrix the elements on the

main diagonal are all 1, representing the variance of

the dimension. The remaining elements represent the

covariance of the corresponding dimension.

2

）

Calculate the eigenvalues of the covariance

matrix. It can be found from the experimental results

that there are 89 eigenvalues of the calculated

covariance matrix, which have been arranged in a

column from large to small. The range of the

eigenvalues is [0.67, 9.64].

3

）

Generate the eigenvectors corresponding to

the eigenvalues. In the Eigenvector list, there are a

total of 89 eigenvectors from V1 to V89, which

constitute the new eigenmatrix P.

4

）

Calculate the projection of the original matrix

C onto the eigenvector and the matrix Y is the data

after dimension reduction.

5

）

Use the Xgboost construct classifier for

training.

6

）

At the same time, we compare this algorithm

with traditional Xgboost in detail, which can verify

that this algorithm improves precision rate, recall

rate and other aspects. Table 2 compares in detail the

effects of PCA attribute reduction and Xgboost with

those of traditional Xgboost.

Table 2: Comparison of the effects of the two experimental

algorithms.

precision

rate

The

recall

rate

The F

value

The time

used

PCA -

b

ased

Xgboost

classifier

0.773 0.764 0.769 3.61 s

Xgboost

classifier

0.736 0.745 0.740 6.14 s

As can be seen from table 2, the precision rate of

this algorithm is 0.18% higher than that of traditional

Xgboost. The precision rate is based on the average

precision rate of normal, DOS, r2l, u2r and probe.

Table 3: Shows the precision rate of the two methods in

five categories in the data set.

normal DOS r2l u2r The

probe

PCA -

based

Xgboost

classifier

0.976 0.812 0.030 0.025 0.662

Xgboost

classifier

0.970 0.773 0.052 0.065 0.611

At the same time, the obfuscation matrix is

generated to represent the precision of the two

algorithms. Table 4 and 5 respectively show the

confusion matrix generated by the two algorithms

under the five kinds of data sets.

Table 4: The obfuscation matrix generated by traditional

Xgboost.

a b c d e

a 9420 85 0 0 206

b 1601 5766

0 0 91

c 2577 0 142 0 35

d 182 0 2 13 3

e 776 165 0 0 1480

Table 5: Confusion matrix generated by Xgboost based on

PCA attribute reduction.

a b c d e

a 9474 53 2 2 180

b 1367 6059 0 0 32

c 2667 0 82 2 3

d 128 0 7 5 60

e 566 238 14 0 1603

Table 4 represents the confusion matrix generated

by traditional Xgboost, table 5 is the confusion

matrix generated by Xgboost bsed on PCA attribute

reduction. A stands for normal class data, b for DOS

class data, c for r2l class data, d for u2r class data, e

for probe class data.

ij

x

is the number of data

elements in the row I category that are predicted to

Condition Elements Extraction based on PCA Attribute Reduction and Xgboost

247

be in the column j category. Thus, the main diagonal

elements represent the number of data in a class that

was correctly predicted for right class. If we use the

elements on the main diagonal as the numerator and

the sum of each row as the denominator, we can get

the correct rate of this category of data.

Through the above experiments, we can see that

compared with the Xgboost classifier, the Xgboost

based on PCA attribute reduction has a better effect.

In the experiment, data are imported such as Naive

Bayes ,SVM (Support Vector Machine, the Support

Vector Machine),Random Forests, Xgboost and the

Xgboost model based on PCA attribute reduction for

comparison, comparing their precision rate, recall

rate and

precision rate are observed. Table 6 shows

the comparison of P(

precision rate

),R(

The recall rate

)

and F(

The F value

) with traditional classification

algorithms.

Table 6: Comparison with traditional classification

algorithms.

Category Naive

Bayes

The

SVM

Random

Forests

Xgboost based on

PCA and

Xgboost

P 0.725 0.741 0.737 0.736 0.773

R 0.714 0.735 0.731 0.745 0.764

F 0.719 0.738 0.734 0.740 0.769

It can be seen from the experiments that the effect

of PCA attribute reduction and Xgboost is obviously

better than other classification algorithm. The

precision rate has been improved in several different

categories of data. Thus, compared with the

algorithms such as Naive Bayes, SVM, Random

Forests and Xgboost classification

，

this algorithm

has better classification results and higher precision

rate. Comparing with Naive Bayesian algorithm the

precision rate of this algorithm increased by 5%, the

recall rate increased by 5%. It can be seen that this

algorithm effectively improves the precision rate of

situation elements extraction and the work of

network situation elements extraction.

5

CONCLUSION

Firstly, this paper expounds the research work of

situation elements extraction and summarizes the

current algorithms of situation elements extraction.

According to the characteristics of situation elements

extraction, this paper proposes a situation elements

extraction algorithm based on PCA attribute

reduction and Xgboost. Through experimental

analysis, this algorithm is compared with Naive

Bayes, SVM, Random Forest, Xgboost and other

classification algorithms, which improves the

precision rate and achieves efficient extraction of

network situation elements.

REFERENCES

Qi Ben, Wang Mengdi. Extraction of bayesian situation

elements based on information gain [J]. Information

network security,2017(09):54-57.

BASS, T. Multisensor data fusion for next generation

distributed intrusion detection systems [EB /OL].

[2016-03-10].

Li Fangwei, Wang Sen, Zhu Jiang, Zhang Haibo. Secur ity

situation factor acquisition based on enhance

probabilistic neural network [J]. Telecommunicati ons

technology,2017,57(01):64-71.

Li Dongyin. The research on situation element extraction

of network security based on logistic regression [D].

University, 2014.

Liu Xiaowu, Wang Huiqiang, Lu Hongwu, Yu Jiguo, Shu

wen. Network security situation cognition fusion

sensing control model [J]. Journal of software,

2016,27(08):2099-2114.

Si cheng, Zhang Hongqi, Wang Yongwei, Yang Yingjie.

Ontology-based knowledge base model of network

security situation factors[J]. Computer science,

2015,42(05):173-177.

Zhao Dongmei, Li Hong. Network security situation factor

extraction algorithm based on parallel reduction [J].

Computer application, 2017,37 (04) : 1008-1013.

Zhu Jiang, Mingyue, Wang Sen. Security situation factor

acquisition mechanism based on deep self-coding

network [J]. Computer application, 2017,37 (03) : 771-

776.

Wang sen. Research on acquisition and prediction

technology of network security situation factors [D].

Chongqing: chongqing university of posts and

telecommunications, 2017.

Chen y. research on network security situation awareness

technology [J]. Jiangsu science and technology

information,2019,36(03):38-41.

Guo Jian. Research on situation element acquisition

technology in network security situation awareness

[D]. Liaoning: northeast university,2011.

Li Hong. Research on the extraction of network security

situation factors based on rough set [D]. Hebei: hebei

normal university, 2017.

IoTBDS 2020 - 5th International Conference on Internet of Things, Big Data and Security

248