Research on the Application of Artificial Immunity in Intrusion Detection Systems
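Abstract
With the Internet as developed as it is today, hacker attacks are increasingly common and the techniques used increasingly advanced, making the overall network security situation ever more severe. Existing techniques relieve this pressure to some extent, but against carefully planned attacks, especially intrusion methods that have never appeared before, they perform poorly because they lack good dynamics and adaptability.
     The biological immune system successfully protects an organism against the vast number and variety of pathogens outside it. Many computer researchers have therefore begun to study the working mechanisms of biological immunity and, on that basis, have proposed artificial immune models to solve computer security problems such as fault analysis, virus detection and intrusion detection.
     Among these security areas, intrusion detection is the most challenging. Its main goal is to detect unauthorized misuse as well as intrusions from inside and outside the system. Many kinds of intrusion detection systems exist today, but each has problems of one kind or another. Taking a hint from how the biological immune system successfully protects the organism, we can build an artificial immune system modeled on the biological one and then embed it in an intrusion detection system.
     Some mechanisms of the biological immune system, because of their good adaptability and dynamics, have been used by network security researchers to design immune-based intrusion detection systems, with encouraging results. However, traditional immune-based intrusion detection defines normal and abnormal behavior only once and cannot adjust to changes in the real network environment. The lack of quantitative description is another problem of some current computer immune systems, which makes practical application difficult.
     The main work of this thesis is to propose a new immune-based dynamic intrusion detection model. In the new model, immature detectors are generated by mutating self or non-self; immature detectors generated this way are more targeted and have a higher survival rate. The new model combines misuse detection with anomaly detection, overcoming the shortcomings of using a single technique and thereby improving detection efficiency. In addition, the self set is defined through a dynamic process, so that it reflects the normal data in the network more comprehensively and overcomes the low coverage probability of the self set.
     Finally, simulation experiments were carried out on the proposed model. Analysis of the results shows that the improved model and method generate mature detectors markedly more efficiently than the traditional method, and that the new model also achieves high detection efficiency in intrusion detection.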
Nowadays the Internet is developing rapidly. However, attacks launched by hackers are becoming more frequent and the techniques they use more sophisticated, which puts network security under severe pressure. The techniques developed to protect the network perform poorly when confronting sophisticated attacks, especially intrusions that have never occurred before, because they lack adaptability and dynamics.
     The biological immune system is successful at protecting the animal body against a vast variety of foreign infectious agents. A growing number of computer scientists have carefully studied the success of this competent natural mechanism and proposed computer immune models for solving various problems, including fault diagnosis, virus detection, and mortgage fraud detection.
     Among these various areas, intrusion detection is a vigorous research area. The main goal of intrusion detection is to detect unauthorized use, misuse and abuse of computer systems by both system insiders and external intruders. Many network-based intrusion detection systems have been developed using diverse approaches. Nevertheless, unsolved problems remain in building an effective network-based intrusion detection system. One approach to solving these problems is to embed an artificial immune system in the intrusion detection system.
     More and more network security researchers have started to apply mechanisms derived from the biological immune system to IDS because of their adaptability and dynamics, and some significant successes have been achieved. However, defining normal and abnormal activities only once makes these immune-based IDS unable to adapt to the real network environment. Moreover, the lack of quantitative description in some immune-based ID models makes them difficult to apply in engineering.
     The main work of this paper is to propose a new immune-based dynamic intrusion detection model. In this model, immature detectors are generated by mutating self or nonself; immature detectors generated by this method are more targeted and have a higher survival rate. The new model integrates misuse-based detection with anomaly-based detection, which overcomes the defects of using a single technique and improves the detection efficiency of the system. In addition, the self set is defined through a dynamic process, so it reflects the normal network data more comprehensively and overcomes the low coverage of the self set.
     Finally, a simulation experiment on the new model was carried out. Analysis of the results shows that the new model and method generate mature detectors at a higher rate than the traditional model and method, and that the new model also has a higher detection rate in intrusion detection.
