Research on an Intrusion Detection Model Based on Artificial Immunity
Abstract
With the rapid development of computer and network technology, we enjoy the great convenience that computers and networks bring to our lives, but we must also face increasingly serious computer security problems. Traditional computer security technologies and products safeguard information systems to a certain extent, but because of their inherent limitations and passivity they cannot actively detect attacks and intrusions. Intrusion detection, a newer network security technology that enables active defense, has therefore become an important means of protecting networked information and one of the research focuses of the information security field.
     The way the biological immune system protects the body from harm naturally resembles the way an intrusion detection system identifies anomalies within a large volume of normal data, so intrusion detection based on immune mechanisms has in recent years become a frontier topic in intrusion detection research. Its distinguishing feature is the use of models and algorithms derived from biological immune mechanisms to optimize the intrusion detection system and so overcome some drawbacks of traditional systems.
     This paper first introduces intrusion detection technology in some detail and points out the characteristics and drawbacks of current intrusion detection systems. Then, building on a systematic analysis of earlier research, it proposes a dynamic intrusion detection model based on artificial immunity, which solves some of the problems in traditional artificial-immunity-based intrusion detection systems.
     In the proposed model, a feature extraction module extracts network features to form a description of the initial "self" set, and a continuous update mechanism then keeps the "self" set dynamically updated. This overcomes the drawback of the static "self" set used in traditional immunity-based intrusion detection models and makes it possible to adapt to changes in the network environment.
     The model optimizes mature detectors through secondary stimulation by abnormal features, and the paper gives the algorithm used. This reduces the number of detectors while still ensuring effective coverage of the "non-self" set, overcoming the loss of detection speed caused by the excessive number of detectors in traditional models.
     The paper analyzes network data features in some detail and uses simple network features to describe the "self" set and attack characteristics. This avoids the traditional practice of blindly extracting protocol fields that have little to do with attacks, or even entire protocol data units, and so increases the detection speed of the intrusion detection system.
     Finally, experiments demonstrate the feasibility of the model.
