我在使用Weka进行SVM分类时得到了以下输出。我想将SVM分类器的输出绘制成异常或正常。如何从这个输出中提取SVM评分函数?
=== 运行信息 ===
Scheme: weka.classifiers.functions.SMO -C 1.0 -L 0.001 -P 1.0E-12 -N 0 -V -1 -W 1 -K "weka.classifiers.functions.supportVector.PolyKernel -E 1.0 -C 250007"Relation: KDDTrainInstances: 125973Attributes: 42 duration protocol_type service flag src_bytes dst_bytes land wrong_fragment urgent hot num_failed_logins logged_in num_compromised root_shell su_attempted num_root num_file_creations num_shells num_access_files num_outbound_cmds is_host_login is_guest_login count srv_count serror_rate srv_serror_rate rerror_rate srv_rerror_rate same_srv_rate diff_srv_rate srv_diff_host_rate dst_host_count dst_host_srv_count dst_host_same_srv_rate dst_host_diff_srv_rate dst_host_same_src_port_rate dst_host_srv_diff_host_rate dst_host_serror_rate dst_host_srv_serror_rate dst_host_rerror_rate dst_host_srv_rerror_rate classTest mode: 10-fold cross-validation=== 分类器模型(完整训练集) ===
SMOKernel used: Linear Kernel: K(x,y) = <x,y>Classifier for classes: normal, anomalyBinarySMOMachine linear: showing attribute weights, not support vectors. -0.0498 * (normalized) duration + 0.5131 * (normalized) protocol_type=tcp + -0.6236 * (normalized) protocol_type=udp + 0.1105 * (normalized) protocol_type=icmp + -1.1861 * (normalized) service=auth + 0 * (normalized) service=bgp + 0 * (normalized) service=courier + 1 * (normalized) service=csnet_ns + 1 * (normalized) service=ctf + 1 * (normalized) service=daytime + -0 * (normalized) service=discard + -1.2505 * (normalized) service=domain + -0.6878 * (normalized) service=domain_u + 0.9418 * (normalized) service=echo + 1.1964 * (normalized) service=eco_i + 0.9767 * (normalized) service=ecr_i + 0.0073 * (normalized) service=efs + 0.0595 * (normalized) service=exec + -1.4426 * (normalized) service=finger + -1.047 * (normalized) service=ftp + -1.4225 * (normalized) service=ftp_data + 2 * (normalized) service=gopher + 1 * (normalized) service=hostnames + -0.9961 * (normalized) service=http + 0.7255 * (normalized) service=http_443 + 0.5128 * (normalized) service=imap4 + -6.3664 * (normalized) service=IRC + 1 * (normalized) service=iso_tsap + -0 * (normalized) service=klogin + 0 * (normalized) service=kshell + 0.7422 * (normalized) service=ldap + 1 * (normalized) service=link + 0.5993 * (normalized) service=login + 1 * (normalized) service=mtp + 1 * (normalized) service=name + 0.2322 * (normalized) service=netbios_dgm + 0.213 * (normalized) service=netbios_ns + 0.1902 * (normalized) service=netbios_ssn + 1.1472 * (normalized) service=netstat + 0.0504 * (normalized) service=nnsp + 1.058 * (normalized) service=nntp + -1 * (normalized) service=ntp_u + -1.5344 * (normalized) service=other + 1.3595 * (normalized) service=pm_dump + 0.8355 * (normalized) service=pop_2 + -2 * (normalized) service=pop_3 + 0 * (normalized) service=printer + 1.051 * (normalized) service=private + -0.3082 * (normalized) service=red_i + 1.0034 * (normalized) service=remote_job + 1.0112 * (normalized) service=rje + -1.0454 * (normalized) service=shell + -1.6948 * (normalized) service=smtp + 0.1388 * (normalized) service=sql_net + -0.3438 * (normalized) service=ssh + 1 * (normalized) service=supdup + 0.8756 * (normalized) service=systat + -1.6856 * (normalized) service=telnet + -0 * (normalized) service=tim_i + -0.8579 * (normalized) service=time + -0.726 * (normalized) service=urh_i + -1.0285 * (normalized) service=urp_i + 1.0347 * (normalized) service=uucp + 0 * (normalized) service=uucp_path + 0 * (normalized) service=vmnet + 1 * (normalized) service=whois + -1.3388 * (normalized) service=X11 + 0 * (normalized) service=Z39_50 + 1.7882 * (normalized) flag=OTH + -3.0982 * (normalized) flag=REJ + -1.7279 * (normalized) flag=RSTO + 1 * (normalized) flag=RSTOS0 + 2.4264 * (normalized) flag=RSTR + 1.5906 * (normalized) flag=S0 + -1.952 * (normalized) flag=S1 + -0.9628 * (normalized) flag=S2 + -0.3455 * (normalized) flag=S3 + 1.2757 * (normalized) flag=SF + 0.0054 * (normalized) flag=SH + 0.8742 * (normalized) src_bytes + 0.0542 * (normalized) dst_bytes + -1.2659 * (normalized) land=1 + 2.7922 * (normalized) wrong_fragment + 0.0662 * (normalized) urgent + 8.1153 * (normalized) hot + 2.4822 * (normalized) num_failed_logins + 0.2242 * (normalized) logged_in=1 + -0.0544 * (normalized) num_compromised + 0.9248 * (normalized) root_shell + -2.363 * (normalized) su_attempted + -0.2024 * (normalized) num_root + -1.2791 * (normalized) num_file_creations + -0.0314 * (normalized) num_shells + -1.4125 * (normalized) num_access_files + -0.0154 * (normalized) is_host_login=1 + -2.3307 * (normalized) is_guest_login=1 + 4.3191 * (normalized) count + -2.7484 * (normalized) srv_count + -0.6276 * (normalized) serror_rate + 2.843 * (normalized) srv_serror_rate + 0.6105 * (normalized) rerror_rate + 3.1388 * (normalized) srv_rerror_rate + -0.1262 * (normalized) same_srv_rate + -0.1825 * (normalized) diff_srv_rate + 0.2961 * (normalized) srv_diff_host_rate + 0.7812 * (normalized) dst_host_count + -1.0053 * (normalized) dst_host_srv_count + 0.0284 * (normalized) dst_host_same_srv_rate + 0.4419 * (normalized) dst_host_diff_srv_rate + 1.384 * (normalized) dst_host_same_src_port_rate + 0.8004 * (normalized) dst_host_srv_diff_host_rate + 0.2301 * (normalized) dst_host_serror_rate + 0.6401 * (normalized) dst_host_srv_serror_rate + 0.6422 * (normalized) dst_host_rerror_rate + 0.3692 * (normalized) dst_host_srv_rerror_rate - 2.5266Number of kernel evaluations: -1049600465输出预测 – 样本输出
inst# actual predicted error prediction 1 1:正常 1:正常 1 2 1:正常 1:正常 1 3 2:异常 2:异常 1 4 1:正常 1:正常 1 5 1:正常 1:正常 1 6 2:异常 2:异常 1 7 2:异常 2:异常 1 8 2:异常 2:异常 1 9 2:异常 2:异常 1 10 2:异常 2:异常 1 11 2:异常 2:异常 1 12 2:异常 2:异常 1 13 1:正常 1:正常 1 14 2:异常 1:正常 + 1 15 2:异常 2:异常 1 16 2:异常 2:异常 1 17 1:正常 1:正常 1 18 2:异常 2:异常 1 19 1:正常 1:正常 1 20 1:正常 1:正常 1 21 2:异常 2:异常 1 22 2:异常 2:异常 1 23 1:正常 1:正常 1 24 1:正常 1:正常 1 25 2:异常 2:异常 1 26 1:正常 1:正常 1 27 2:异常 2:异常 1 28 1:正常 1:正常 1 29 1:正常 1:正常 1 30 1:正常 1:正常 1 31 2:异常 2:异常 1 32 2:异常 2:异常 1 33 1:正常 1:正常 1 34 2:异常 2:异常 1 35 1:正常 1:正常 1 36 1:正常 1:正常 1 37 1:正常 1:正常 1 38 2:异常 2:异常 1 39 1:正常 1:正常 1 40 2:异常 2:异常 1 41 2:异常 2:异常 1 42 2:异常 2:异常 1 43 1:正常 1:正常 1 44 1:正常 1:正常 1 45 1:正常 1:正常 1 46 2:异常 2:异常 1 47 2:异常 2:异常 1 48 1:正常 1:正常 1 49 2:异常 1:正常 + 1 50 2:异常 2:异常 1=== 按类别详细准确度 ===
TP率 FP率 精确度 召回率 F度量 MCC ROC面积 PRC面积 类别 0.986 0.039 0.967 0.986 0.976 0.948 0.973 0.960 正常 0.961 0.014 0.983 0.961 0.972 0.948 0.973 0.963 异常加权平均 0.974 0.028 0.974 0.974 0.974 0.948 0.973 0.962=== 混淆矩阵 ===
a b <-- 分类为 66389 954 | a = 正常 2301 56329 | b = 异常回答:
这个输出就是评分函数。将等号视为一个简单的布尔运算符,真值为1,假值为0。因此,在所有分类属性选择中,只有其中一个系数会影响评分值。
例如,我们只考虑前三个属性,并使用这些归一化输入及其结果值:
duration 2.0 -0.0498 * 2.0 => -0.0996protocol_type icmp 0.1105service eco_i 1.1964请注意,其他protocol_type和service项(例如
-0.6236 * protocol_type=udp
)的比较结果为0(protocol_type=udp变为0),所以这些系数不会影响总和。
从这三个属性来看,目前的得分是这三个项的总和,即1.2073。继续处理其余39个属性,再加上最后的常数-2.5266,这就是你的向量的得分。
这样解释清楚了吗?
您引用的博客中的关键句子是:
如果评分函数的输出为负,则输入被分类为属于类别y = -1。如果得分为正,则输入被分类为属于类别y = 1。
是的,就是这么简单:实现这个漂亮的线性评分函数(42个变量,116个项)。输入一个向量。如果函数结果为正,则该向量为正常;如果为负,则该向量为异常。
是的,您的模型比博客中的例子长得多。那个例子基于两个连续特征;您有42个特征,其中三个是分类特征(因此多出了73个项)。例子中有3个支持向量;您的将有43个(N维需要N+1个支持向量)。然而,即使是这个42维模型也遵循相同的原则:正数=正常,负数=异常。
至于您希望映射到二维显示…这是可能的…但我不知道您会在这个实例中找到什么有意义的东西。将42个变量映射到3个会导致空间中的大量拥堵。我见过一些不错的技巧,尤其是在梯度场中,力向量与数据点的空间解释相同。天气图设法表示测量的x,y,z坐标,加上风速(3D)、云量,可能还有其他几个指标加入显示。这可能是10个符号维度。
在您的案例中,我们或许可以将系数小于0.07的维度视为不重要而删除;这可以节省6个特征。三个分类特征我们可以用颜色、虚线/点线/实线符号和在O或X上的微小文本覆盖(正常/异常数据)来表示。这减少了9个特征,而不使用笛卡尔位置(x,y,z坐标,假设在3D中绘图是有意义的)。
然而,我对您的数据了解得不够深入,无法建议如何将剩余的33个特征压缩到2或3个维度中。您能否以某种方式组合这些输入?多个特征的线性组合是否能给出在预测中仍然有意义的结果?
如果不能,那么我们就只能采用经典方法:选择有趣的特征组合(通常是成对的)。为每个绘制一个图,完全忽略其他特征。如果这些图都没有视觉上的意义…这就是我们的答案:我们无法很好地绘制数据。对不起,但现实常常在复杂的环境中这样对待我们,我们用表格、相关性和其他我们能处理的方法来处理数据,这些方法适合我们3D的思维方式。
