Research on Intrusion Detection Technology Based on Protocol Analysis and Immune Principles
Abstract
As the structure of computer networks grows more complex and their scale expands rapidly, illegal intrusions keep increasing. Traditional passive security defence techniques clearly can no longer meet the need. Intrusion detection, as a new generation of security defence measure, builds an active information security safeguard and effectively makes up for the shortcomings of traditional passive defence.
     Protocol analysis makes full use of network protocols to detect the presence of attacks, greatly reducing the computation of the detection process and improving detection accuracy. But protocol analysis is a misuse-based intrusion detection technique and cannot detect unknown attacks. The mechanism by which the immune system protects an organism from all kinds of harm has a natural similarity to an intrusion detection system, and its adaptability, robustness and distributed nature are exactly the properties that computer security systems lack. Intrusion detection based on immune principles has therefore become a research hotspot in the field in recent years.
     This thesis combines immune principles with protocol analysis and proposes an improved intrusion detection model based on both; the data capture module, protocol analysis module, detection module and response module are designed in detail. For detector generation, an improved negative selection algorithm is proposed that eliminates detectors which match one another while improving the ability to detect unknown intrusions. The composition of antibodies in the immune algorithm is improved: besides the basic features of network data, time-based statistical features are also considered so as to better reflect the intrinsic relations between attack packets. For detector encoding, given the fuzzy boundary between normal and abnormal behaviour, an encoding scheme based on fuzzy concepts is proposed, which greatly shortens the length of detector codes.
     The data sets provided by the DARPA 1999 Intrusion Detection Evaluation Program are used for simulation experiments. The first week's data set is taken as training data, from which a certain number of mature detectors are generated by training; the fifth week's data, which includes several probe and denial-of-service attacks, is used as test data. The experimental results show that the model and methods proposed in this thesis achieve a good detection rate under the premise of a low false positive rate.
With the increasing complexity of network structure and the rapid growth of network scale, illegal intrusions have been increasing continuously. Traditional passive defence technology cannot maintain network security effectively. As a new type of security defence technique, an intrusion detection system constructs an active information security defence and effectively makes up for the deficiencies of traditional passive defence technology.
     The protocol analysis method takes advantage of the regularity of network protocols to detect attacks, so the amount of calculation can be reduced greatly and the accuracy of detection improved. But protocol analysis is a misuse-based intrusion detection technique and cannot detect unknown attacks. The way an immune system protects an organism is very similar to what an intrusion detection system does. It has adaptability, robustness, distribution and other characteristics that present computer security systems do not have. Therefore, intrusion detection technology based on immune principles has been one of the hot research areas in intrusion detection in recent years.
     Immune principles and protocol analysis are combined in this thesis. An improved intrusion detection model based on immune principles and protocol analysis is proposed. The data collection module, protocol analysis module, detection module and response module are designed in detail. An improved negative selection algorithm is presented to remove mutually matching detectors and enhance the capability for unknown intrusion detection. The structure of the antibody in the immune algorithm is improved: in addition to the basic characteristics of network data, time-based statistical characteristics are also considered, to better reflect the internal relations between attack packets. For detector coding, considering the fuzzy boundary between normal and abnormal behaviour, a coding scheme based on fuzzy concepts is put forward; through this coding scheme the code length of detectors can be reduced.
     We use the data set supplied by the DARPA 1999 Intrusion Detection Evaluation Plan as the network flow samples. The data of the 1st week is chosen as the training data, from which a number of mature detectors are generated, and the data of the 5th week, which includes some DoS and probing attacks, is detected by this intrusion detection system model. The result of the experiment indicates that this model and method have a good detection rate with a low false positive rate.
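The negative selection step described in the abstract, as an added example that is not the thesis's own code: candidates are enumerated exhaustively over a short fuzzy-coded antibody (two basic packet features plus two time-window statistics), discarded if they match the self set of normal connections and, as the thesis's improvement, also discarded if they match an already accepted detector. The r-contiguous matching rule, the four features, the fuzzy thresholds and the sample "normal" connections are all assumptions, not taken from the thesis.

```python
from itertools import product

# Constructed fuzzy levels (assumption, not the thesis's scheme): each continuous
# feature maps to low/mid/high in 2 bits, so a whole antibody/detector is 6 bits.
LEVELS = {"low": "00", "mid": "01", "high": "11"}

def fuzzy_level(value, low_max, high_min):
    """Coarse membership with constructed thresholds: low / mid / high."""
    if value <= low_max:
        return "low"
    return "high" if value >= high_min else "mid"

def encode(record):
    """record = (is_tcp, dst_port_privileged, conns_per_10s, syn_ratio):
    two basic packet features plus two time-window statistical features."""
    is_tcp, priv, rate, syn = record
    return (("1" if is_tcp else "0") + ("1" if priv else "0")
            + LEVELS[fuzzy_level(rate, 5, 50)] + LEVELS[fuzzy_level(syn, 0.3, 0.8)])

def r_contiguous_match(a, b, r):
    """Assumed matching rule: a and b agree on at least r contiguous positions."""
    return any(a[i:i + r] == b[i:i + r] for i in range(len(a) - r + 1))

def negative_selection(self_set, length, r, prune_overlap=True):
    """Enumerate every candidate string; keep those that match no self string
    and, with prune_overlap (the thesis's improvement), no accepted detector."""
    detectors = []
    for bits in product("01", repeat=length):
        cand = "".join(bits)
        if any(r_contiguous_match(cand, s, r) for s in self_set):
            continue  # would raise a false alarm on normal traffic
        if prune_overlap and any(r_contiguous_match(cand, d, r) for d in detectors):
            continue  # redundant: an accepted detector already covers it
        detectors.append(cand)
    return detectors

def is_anomalous(record, detectors, r):
    """Detection phase: a connection is non-self if any detector matches it."""
    code = encode(record)
    return any(r_contiguous_match(code, d, r) for d in detectors)

def nonself_coverage(detectors, self_set, length, r):
    """Fraction of all non-self strings that at least one detector matches."""
    allstr = ("".join(b) for b in product("01", repeat=length))
    nonself = [c for c in allstr if not any(r_contiguous_match(c, s, r) for s in self_set)]
    return sum(any(r_contiguous_match(c, d, r) for d in detectors) for c in nonself) / len(nonself)

# Constructed "training week" normal connections (the self set); R is the match length.
NORMAL = [(True, True, 2, 0.1), (True, False, 3, 0.5), (False, False, 20, 0.0), (True, True, 30, 0.5)]
SELF = {encode(rec) for rec in NORMAL}
R = 4
```

On this self set the pruned run keeps 12 detectors against 40 without pruning, and both sets match exactly the same non-self strings, so redundancy is removed without losing coverage.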