Application and Research of Intrusion Detection Technology Based on the Data Mining Process
Abstract
Intrusion detection based on data mining is an active area of network security research, and the application of data mining matters most in distributed intrusion detection systems. This thesis takes the data mining process of intrusion detection as its main line: it starts from modelling the intrusion detection system and applies metadata theory, data fusion, decision support and fuzzy techniques.
     Metadata description is used to run through the whole data mining process, at the levels of IDS data fusion, decision support and message exchange. (1) Metadata gives a normalised description of the data objects of the intrusion detection system, such as the network protocol tree and packet attributes, the detection rules and the detection events. (2) On top of that data processing (fusion), a decision support model for the intrusion detection system is defined and described with metadata. (3) For communication between IDS components, the Intrusion Detection Message Exchange Format (IDMEF) is redefined and described with metadata, following the standardisation work of the relevant international organisations.
     On this basis the thesis proposes MDBIDS, an overall intrusion detection model based on metadata description. In MDBIDS the role of data fusion differs from that in Tim Bass's intrusion detection data fusion model: the narrower fusion process adopted here fits the hand-off between situation assessment and threat assessment, and its implementation, better. The thesis also studies the multi-expert (multi-sensing-unit) decision situation found in distributed intrusion detection using a special class of decision matrix, the fuzzy complementary judgment matrix, gives an algorithm for computing its ranking vector, and verifies it on a worked instance. That algorithm is only an exploration of the multi-expert case; it is not the algorithm used in the decision support module of MDBIDS. Chapter V gives prototype implementations of the key MDBIDS modules, which have engineering value.
     The last part discusses remaining shortcomings and directions for further research.
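The abstract says IDMEF is redefined with metadata but does not show the format itself. The following added example (mine, not code from the thesis) builds a minimal IDMEF 1.0 alert as specified in RFC 4765 with the Python standard library and parses it back, checking the elements the RFC requires (Analyzer, CreateTime, Classification). The analyser id, addresses, port and classification text are constructed values.

```python
"""Build and parse a minimal IDMEF alert (RFC 4765) with the standard library.

Constructed example: the analyser id, IP addresses, port, message id and
classification text below are made up for illustration.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

IDMEF_NS = "http://iana.org/idmef"
ET.register_namespace("idmef", IDMEF_NS)
NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01

# Constructed timestamp used by the example alert.
EXAMPLE_TIME = datetime(2007, 3, 1, 12, 0, 0, tzinfo=timezone.utc)


def q(tag: str) -> str:
    """Clark-notation qualified name for an IDMEF element."""
    return f"{{{IDMEF_NS}}}{tag}"


def ntpstamp(dt: datetime) -> str:
    """RFC 4765 ntpstamp attribute: '0x<seconds since 1900>.0x<fraction>'."""
    if dt.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    secs = int(dt.timestamp()) + NTP_EPOCH_OFFSET
    frac = int(dt.microsecond / 1_000_000 * (1 << 32))
    return f"0x{secs:08x}.0x{frac:08x}"


def build_alert(messageid, analyzerid, created, src_ip, dst_ip, dst_port, classification):
    """Serialise one Alert inside an IDMEF-Message (namespace-prefixed XML)."""
    root = ET.Element(q("IDMEF-Message"), {"version": "1.0"})
    alert = ET.SubElement(root, q("Alert"), {"messageid": messageid})
    ET.SubElement(alert, q("Analyzer"), {"analyzerid": analyzerid})
    ct = ET.SubElement(alert, q("CreateTime"), {"ntpstamp": ntpstamp(created)})
    ct.text = created.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    for parent, ip in ((q("Source"), src_ip), (q("Target"), dst_ip)):
        endpoint = ET.SubElement(alert, parent)
        node = ET.SubElement(endpoint, q("Node"))
        addr = ET.SubElement(node, q("Address"), {"category": "ipv4-addr"})
        ET.SubElement(addr, q("address")).text = ip
        if parent == q("Target"):
            service = ET.SubElement(endpoint, q("Service"))
            ET.SubElement(service, q("port")).text = str(dst_port)
    ET.SubElement(alert, q("Classification"), {"text": classification})
    return ET.tostring(root, encoding="unicode")


def parse_alert(xml_text: str) -> dict:
    """Extract the fields a consumer needs and reject anything that is not an
    IDMEF 1.0 Alert carrying the elements RFC 4765 makes mandatory."""
    root = ET.fromstring(xml_text)
    if root.tag != q("IDMEF-Message") or root.get("version") != "1.0":
        raise ValueError("not an IDMEF 1.0 message")
    alert = root.find(q("Alert"))
    if alert is None:
        raise ValueError("no Alert element")
    analyzer = alert.find(q("Analyzer"))
    ctime = alert.find(q("CreateTime"))
    cls = alert.find(q("Classification"))
    if analyzer is None or ctime is None or cls is None:
        raise ValueError("Alert is missing Analyzer, CreateTime or Classification")
    addr_path = f"{q('Node')}/{q('Address')}/{q('address')}"
    return {
        "messageid": alert.get("messageid"),
        "analyzerid": analyzer.get("analyzerid"),
        "create_time": ctime.text,
        "ntpstamp": ctime.get("ntpstamp"),
        "source": alert.findtext(f"{q('Source')}/{addr_path}"),
        "target": alert.findtext(f"{q('Target')}/{addr_path}"),
        "target_port": alert.findtext(f"{q('Target')}/{q('Service')}/{q('port')}"),
        "classification": cls.get("text"),
    }


def example_alert() -> str:
    """The constructed alert used for the demonstration."""
    return build_alert("abc123", "hq-nids-01", EXAMPLE_TIME,
                       "192.0.2.10", "192.0.2.50", 22, "SSH brute force")


if __name__ == "__main__":
    xml_text = example_alert()
    print(xml_text)
    print(parse_alert(xml_text))
```

When the XML comes from another IDS component over the network, parse it with a hardened parser (for example defusedxml) rather than the stdlib one used here, since entity expansion and external entities are attacker-controlled input at that boundary.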
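The abstract states that the multi-sensing-unit decision case is handled with a fuzzy complementary judgment matrix and a ranking-vector algorithm, but the page does not give the algorithm. The following added example (mine, not the thesis's algorithm or its worked instance) shows the standard ingredients: each sensing unit supplies a fuzzy complementary judgment matrix (a_ij + a_ji = 1, a_ii = 0.5) over candidate threat hypotheses, the matrices are fused by a weighted mean, the fused matrix is repaired to a fuzzy consistent matrix with the row-sum transformation r_ij = (r_i - r_j)/(2(n-1)) + 0.5, and the ranking vector is taken as w_i = (Σ_j a_ij + n/2 - 1)/(n(n-1)). The sensor matrices, hypothesis labels and weights are constructed; whether any of this matches the thesis's own algorithm is not stated on the page.

```python
"""Multi-sensor decision fusion with a fuzzy complementary judgment matrix.

Constructed example: two sensing units (say a NIDS and a HIDS) each express
pairwise preferences over three candidate threat hypotheses.  The preferences
are fused into one fuzzy complementary judgment matrix, the matrix is repaired
into a fuzzy consistent one, and a ranking (priority) vector is derived.
All sensor values below are made up for illustration.
"""
from typing import List, Sequence

Matrix = List[List[float]]

# Hypotheses being ranked (constructed labels).
HYPOTHESES = ["port-scan", "brute-force-ssh", "worm-propagation"]

# Sensor A (constructed): prefers H0 > H1 > H2 and is internally consistent.
SENSOR_A: Matrix = [
    [0.5, 0.7, 0.8],
    [0.3, 0.5, 0.6],
    [0.2, 0.4, 0.5],
]
# Sensor B (constructed): prefers H1 over H0 but is inconsistent
# (a_01 = 0.4 while a_02 - a_12 + 0.5 = 0.6), the usual case with real sensors.
SENSOR_B: Matrix = [
    [0.5, 0.4, 0.9],
    [0.6, 0.5, 0.8],
    [0.1, 0.2, 0.5],
]


def is_complementary(a: Matrix, tol: float = 1e-9) -> bool:
    """Fuzzy complementary judgment matrix: a_ij + a_ji = 1 (hence a_ii = 0.5)."""
    n = len(a)
    if any(len(row) != n for row in a):
        return False
    return all(abs(a[i][j] + a[j][i] - 1.0) <= tol
               for i in range(n) for j in range(n))


def aggregate(mats: Sequence[Matrix], weights: Sequence[float]) -> Matrix:
    """Weighted arithmetic mean of several experts' matrices.

    With non-negative weights summing to 1 complementarity is preserved, so
    the fused matrix is again a fuzzy complementary judgment matrix.
    """
    if abs(sum(weights) - 1.0) > 1e-9 or any(w < 0 for w in weights):
        raise ValueError("weights must be non-negative and sum to 1")
    for m in mats:
        if not is_complementary(m):
            raise ValueError("every input must be a fuzzy complementary judgment matrix")
    n = len(mats[0])
    return [[sum(w * m[i][j] for m, w in zip(mats, weights)) for j in range(n)]
            for i in range(n)]


def consistency_deviation(a: Matrix) -> float:
    """Largest violation of additive consistency a_ij = a_ik - a_jk + 0.5.

    Zero means the matrix is a fuzzy consistent matrix.
    """
    n = len(a)
    return max(abs(a[i][j] - (a[i][k] - a[j][k] + 0.5))
               for i in range(n) for j in range(n) for k in range(n))


def to_consistent(a: Matrix) -> Matrix:
    """Repair into a fuzzy consistent matrix via row sums r_i = sum_k a_ik:
    r_ij = (r_i - r_j) / (2(n-1)) + 0.5."""
    n = len(a)
    r = [sum(row) for row in a]
    return [[(r[i] - r[j]) / (2 * (n - 1)) + 0.5 for j in range(n)]
            for i in range(n)]


def ranking_vector(a: Matrix) -> List[float]:
    """Priority weights w_i = (sum_j a_ij + n/2 - 1) / (n(n-1)); they sum to 1."""
    n = len(a)
    return [(sum(row) + n / 2 - 1) / (n * (n - 1)) for row in a]


def rank_order(w: Sequence[float]) -> List[int]:
    """Hypothesis indices from highest to lowest priority."""
    return sorted(range(len(w)), key=lambda i: -w[i])


def fuse_and_rank(mats: Sequence[Matrix], weights: Sequence[float], repair: bool = True):
    """Fuse the sensors, optionally repair consistency, return (weights, order)."""
    fused = aggregate(mats, weights)
    if repair:
        fused = to_consistent(fused)
    w = ranking_vector(fused)
    return w, rank_order(w)


if __name__ == "__main__":
    fused = aggregate([SENSOR_A, SENSOR_B], [0.5, 0.5])
    print("max inconsistency of fused matrix:", round(consistency_deviation(fused), 3))
    w, order = fuse_and_rank([SENSOR_A, SENSOR_B], [0.5, 0.5])
    for i in order:
        print(f"{HYPOTHESES[i]:18s} weight={w[i]:.4f}")
```

The consistency check is the part worth keeping in production: a sensing unit whose matrix deviates far from additive consistency is contradicting itself, and its weight in `aggregate` should be reduced rather than silently repaired away.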
References
[1] Terry Escamilla. Intruder Detection (Chinese translation). Beijing: Publishing House of Electronics Industry, 1999.
[2] 褚永刚, 吕慧勤, 杨义先, et al. An architecture model for large-scale distributed intrusion detection systems. Application Research of Computers, 2004, 21(12): 105-132.
[3] The Intrusion Detection Message Exchange Format (IDMEF). RFC 4765, IETF Trust, March 2007.
[4] The Intrusion Detection Exchange Protocol (IDXP). RFC 4766, IETF Trust, March 2007.
[5] The Incident Object Description Exchange Format (IODEF). Internet-Draft, Extended Incident Handling Working Group, July 31, 2007.
[6] J. Han, M. Kamber. Data Mining: Concepts and Techniques (Chinese edition). Beijing: Higher Education Press, May 2001.
[7] U. Fayyad, G. Piatetsky-Shapiro, P. Smyth. Knowledge Discovery and Data Mining: Towards a Unifying Framework. In: Proceedings of the Second International Conference on Knowledge Discovery and Data Mining (KDD-96), AAAI Press, 1996.
[8] Jiawei Han, Micheline Kamber. Data Mining: Concepts and Techniques. Morgan Kaufmann, San Francisco, CA, 2001.
[9] 沈琦. Research on a data-mining-based IDS analyser [Master's thesis]. Wuhan: Wuhan University of Technology, 2005.
[10] 向继东. Research on adaptive intrusion detection modelling based on data mining [PhD thesis]. Wuhan: Wuhan University, 2004.
[11] 叶鹰, 金更达. Metadata-based information organisation and ontology-based knowledge organisation. Journal of Academic Libraries, 2004(4): 43-47.
[12] 秦燕. Analysis of metadata applications at each stage of knowledge management. Sci-Tech Information Development & Economy, 2006, 16(20): 165-166.
[13] David L. Hall, James Llinas. An Introduction to Multisensor Data Fusion. Proceedings of the IEEE, vol. 85, January 1997.
[14] David L. Hall, James Llinas. Handbook of Multisensor Data Fusion. CRC Press, 2001.
[15] Alan N. Steinberg, Christopher L. Bowman, Franklin E. White. Revisions to the JDL Data Fusion Model. CRC Press, 2002.
[16] 张契. Data fusion in large-scale distributed intrusion detection systems [Master's thesis]. Beijing: Beijing University of Posts and Telecommunications, 2004.
[17] 陈晓红. Decision Support Systems: Theory and Applications. Beijing: Tsinghua University Press, 2000.
[18] L. A. Zadeh. Fuzzy Sets. Information and Control, 1965, 8: 338-353.
[19] 孙知信, 徐红霞. A survey of fuzzy techniques applied in intrusion detection systems. Journal of Nanjing University of Posts and Telecommunications (Natural Science), 2006, 26(4): 73-78.
[20] J. E. Dickerson, J. A. Dickerson. Fuzzy network profiling for intrusion detection. In: 19th International Conference of the North American Fuzzy Information Processing Society (NAFIPS 2000): 301-306.
[21] J. E. Dickerson, J. Juslin, O. Koukousoula, et al. Fuzzy intrusion detection. In: Joint 9th IFSA World Congress and 20th NAFIPS International Conference, 2001, vol. 3: 1506-1510.
[22] A. Siraj, S. M. Bridges, R. B. Vaughn. Fuzzy cognitive maps for decision support in an intelligent intrusion detection system. In: Joint 9th IFSA World Congress and 20th NAFIPS International Conference, 2001, vol. 4: 2165-2170.
[23] 李之棠, 杨红云. A fuzzy intrusion detection model. Computer Engineering & Science, 2000, 22(2): 49-53.
[24] Dublin Core Metadata Element Set, Version 1.1: Reference Description. http://dublincore.org/documents/dces/
[25] Recordkeeping Metadata Standard for Commonwealth Agencies. http://www.naa.gov.au/recordkeeping/control/rkms/detailed metadata.html
[26] e-Government Metadata Standard Version 2. http://www.govtalk.gov.uk/schemas standards/
[27] Guide for Managing Electronic Records from an Archival Perspective. http://www.ica.org/biblio/guide_eng.rtf
[28] Dublin Core Metadata for Resource Discovery. RFC 2413. http://www.ietf.org/rfc/rfc2413.txt
[29] 彭佳红, 沈岳, 张林峰. Feature selection in data mining and its algorithms. Computer Engineering and Design, 2005(5): 1176-1178.
[30] 罗铤. Design and application of a metadata repository in problem-solving-oriented decision support systems [Master's thesis]. Changsha: Central South University, 2004.
[31] The Common Intrusion Detection Framework (CIDF). http://gost.isi.edu/cidf/
[32] Rich Feiertag, Cliff Kahn, Phil Porras, Dan Schnackenberg, Stuart Staniford-Chen, Brian Tung. A Common Intrusion Specification Language (CISL). June 1999.
[33] Tim Bass. Multisensor Data Fusion for Next Generation Distributed Intrusion Detection Systems. IRIS National Symposium on Sensor and Data Fusion, May 1999: 24-27.
[34] 徐泽水. An algorithm for ranking fuzzy complementary judgment matrices. Journal of Systems Engineering, 2001, 10(4): 312-314.
[35] 樊治平, 胡国奋. Consistency approximation and ranking methods for fuzzy judgment matrices. Operations Research and Management Science, 2000, 9(3): 21-25.
[36] 徐泽水. A multi-attribute decision-making information aggregation method based on reciprocal judgment matrices. Systems Engineering, 2002, 20(2): 93-95.
[37] 吕跃进, 徐改丽, 覃菊莹. A consistency adjustment method for fuzzy complementary judgment matrices and its convergence. Fuzzy Systems and Mathematics, 2007, 21(3): 86-92.
[38] 徐泽水. Uncertain Multi-Attribute Decision Making: Methods and Applications. Beijing: Tsinghua University Press, 2004.
[39] F. Chiclana, E. Herrera-Viedma. Integrating three representation models in fuzzy multipurpose decision making based on fuzzy preference relations. Fuzzy Sets and Systems, 1998, 97: 33-48.
[40] 姚敏, 张森. Fuzzy consistent matrices and their application in soft science. Systems Engineering, 1997, 15(2): 54-56.
[41] 吕跃进. Ranking in the fuzzy analytic hierarchy process based on fuzzy consistent matrices. Fuzzy Systems and Mathematics, 2002, 16(2): 80-81.
[42] E. Herrera-Viedma, F. Chiclana. Some issues on consistency of fuzzy preference relations. European Journal of Operational Research, 2004, 154: 98-100.
[43] Jian Ma, Zhi-Ping Fan, Yan-Ping Jiang, Ji-Ye Mao, Louis Ma. A method for repairing the inconsistency of fuzzy preference relations. Fuzzy Sets and Systems, 2006, 157: 20-23.
[44] Information security management systems - Requirements. ISO/IEC 27001:2005, October 2005.
[45] Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems. ISO/IEC 27006:2007, February 2007.
[46] 曾炜. Research and implementation of a metadata registry system for scientific databases [Master's thesis]. Beijing: Computer Network Information Center, Chinese Academy of Sciences, 2005.
