Research on Classification Algorithms for Intrusion Detection Systems
Abstract
With the spread of computer network applications and the growing frequency of online commerce, the security of computer systems has become an increasingly prominent problem. The intrusion detection system (IDS) is an important component of the information security architecture, and as computer security problems grow more acute, higher demands are placed on it. However, traditional intrusion detection systems fall short in effectiveness, adaptability and extensibility. To address these shortcomings, this thesis approaches the problem from a data-processing perspective and uses data mining methods to build models of intrusive behaviour from large volumes of audit data. Classification rules are obtained by inductive learning and used as the tool for describing intrusive behaviour.
    This thesis first gives a brief overview and categorization of the background of intrusion detection technology. It then discusses data mining and its application to intrusion detection. The main research direction is the construction of intrusion detection classification models: data mining techniques are used to develop an automated, systematic method for building intrusion detection models. The focus is on the classification algorithm most widely applied in intrusion detection, the decision tree classification algorithm. Methods for speeding up the computation are given, and a multi-subset hierarchical decision tree algorithm is proposed for building the classification model; the algorithm combines the ideas of hierarchical partitioning and decision trees. The effect of feature attribute selection on classification performance is also studied.
    On the experimental data provided by KDD99, after preprocessing and feature attribute selection, the multi-subset hierarchical decision tree algorithm proposed here is used to build the classification model, yielding decision trees and classification rules for each class of intrusive behaviour. The results show that this classification model achieves good classification performance.
With the popularization of network-based computer systems and the increasing frequency of e-commerce, security issues are becoming more and more prominent. The intrusion detection system (IDS) plays an important role in the information security architecture. Computer crime is more pressing and dangerous than ever, which places urgent demands on the performance of IDS. However, current intrusion detection systems lack effectiveness, adaptability and extensibility. Aimed at these shortcomings, this thesis takes a data-centric view of IDS and describes a framework for constructing intrusion detection models by mining audit data. Classification rules are inductively learned from audit records and used as intrusion detection models.
    This thesis first provides the background on IDS. It then presents the relevant data mining knowledge and its applications in intrusion detection, focusing on the construction of classification models. The goal of this research is therefore to develop a framework that facilitates the automatic and systematic construction of IDS. The thesis studies an algorithm used extensively in intrusion detection systems, the decision tree classification algorithm. It also gives a method to accelerate computation and proposes building the classification model with a multi-subset hierarchical decision tree algorithm, which combines the ideas of hierarchy and decision in its structure. Constructing a proper set of features for the classification models is also a central issue.
    Finally, we describe the process of building multi-subset hierarchical classification models from the data provided by KDD99, obtaining the decision trees and classification rules for all kinds of intrusive behaviour. This shows that the classification model achieves better classification results.
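The abstract describes the core pipeline (rank feature attributes, grow a decision tree over audit records, flatten it into classification rules) without showing it. The following is an added example written for this page, not code from the thesis: a plain ID3-style tree (information gain, as in the cited Quinlan work) over a handful of constructed KDD99-style connection records, not the thesis's own multi-subset hierarchical algorithm. The attribute names follow KDD99, but every record, value and label ("normal", "dos", "probe") is made up here for illustration, and numeric attributes such as `count` are assumed to have already been bucketed in a preprocessing step.

```python
# Added example (not the thesis's code): ID3 decision tree over constructed
# KDD99-style audit records, with rule extraction and a feature ranking step.
from collections import Counter
from math import log2

# Attribute names are KDD99's; all values and labels below are constructed,
# with numeric attributes (count, srv_serror_rate) pre-bucketed into strings.
FEATURES = ["protocol_type", "service", "flag", "count_bucket", "srv_serror_rate"]
RECORDS = [
    (("tcp", "http", "SF", "low", "zero"), "normal"),
    (("tcp", "http", "SF", "low", "zero"), "normal"),
    (("udp", "domain_u", "SF", "low", "zero"), "normal"),
    (("tcp", "smtp", "SF", "low", "zero"), "normal"),
    (("tcp", "private", "S0", "high", "high"), "dos"),
    (("tcp", "private", "S0", "high", "high"), "dos"),
    (("tcp", "http", "S0", "high", "high"), "dos"),
    (("icmp", "ecr_i", "SF", "high", "zero"), "dos"),
    (("icmp", "ecr_i", "SF", "high", "zero"), "dos"),
    (("tcp", "private", "REJ", "low", "zero"), "probe"),
    (("tcp", "ftp_data", "SF", "low", "zero"), "normal"),
    (("tcp", "http", "REJ", "low", "zero"), "probe"),
    (("tcp", "private", "SF", "high", "zero"), "dos"),
]


def entropy(labels):
    """Shannon entropy (bits) of a multiset of class labels."""
    total = len(labels)
    return -sum((c / total) * log2(c / total) for c in Counter(labels).values())


def info_gain(rows, idx):
    """Information gain from splitting rows on attribute idx (the ID3 criterion)."""
    groups = {}
    for feats, label in rows:
        groups.setdefault(feats[idx], []).append(label)
    remainder = sum(len(g) / len(rows) * entropy(g) for g in groups.values())
    return entropy([label for _, label in rows]) - remainder


def rank_features(rows, feature_idxs):
    """Feature attribute selection: candidate attributes ordered by information gain."""
    return sorted(((info_gain(rows, i), FEATURES[i]) for i in feature_idxs), reverse=True)


def build_tree(rows, feature_idxs):
    """Recursively grow an ID3 tree; internal nodes are dicts, leaves are class labels."""
    labels = [label for _, label in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or not feature_idxs:
        return majority
    best = max(feature_idxs, key=lambda i: info_gain(rows, i))
    remaining = [i for i in feature_idxs if i != best]
    node = {"attr": best, "default": majority, "branches": {}}
    for value in sorted({feats[best] for feats, _ in rows}):
        subset = [(f, l) for f, l in rows if f[best] == value]
        node["branches"][value] = build_tree(subset, remaining)
    return node


def classify(tree, feats):
    """Walk the tree; an attribute value unseen in training falls back to the node's majority class."""
    while isinstance(tree, dict):
        tree = tree["branches"].get(feats[tree["attr"]], tree["default"])
    return tree


def extract_rules(tree, conds=()):
    """Flatten every root-to-leaf path into a (conditions, label) classification rule."""
    if not isinstance(tree, dict):
        return [(conds, tree)]
    rules = []
    for value, subtree in tree["branches"].items():
        rules.extend(extract_rules(subtree, conds + ((FEATURES[tree["attr"]], value),)))
    return rules


def accuracy(tree, rows):
    """Fraction of rows the tree labels correctly."""
    return sum(classify(tree, f) == label for f, label in rows) / len(rows)


if __name__ == "__main__":
    tree = build_tree(RECORDS, list(range(len(FEATURES))))
    for gain, name in rank_features(RECORDS, range(len(FEATURES))):
        print(f"{name:16s} gain={gain:.3f}")
    for conds, label in extract_rules(tree):
        print(" AND ".join(f"{a}={v}" for a, v in conds), "=>", label)
    print("training accuracy:", accuracy(tree, RECORDS))
```

Running it ranks `count_bucket` first, so the root splits on it and the extracted rules read like signatures a detector can apply directly (e.g. `count_bucket=low AND flag=REJ => probe`). Dropping `count_bucket` from the candidate set (`build_tree(RECORDS, [0, 1, 2, 4])`) moves the root to `flag` and changes every rule, which is the feature-selection effect the abstract refers to. On real KDD99 data the same tree would need pruning or a held-out split: the perfect training accuracy here is a property of the tiny constructed sample, not evidence of generalization.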