Research on an Intrusion Detection System Based on Immune Principles
Abstract
With the rapid development of the Internet, network security problems have become increasingly prominent. In contrast to static, packet-filtering firewall technology, intrusion detection is a dynamic network security technology centred on data analysis and processing: it collects and analyses information from a number of key points in a computer network system to check whether behaviour that violates the security policy is present.

Because the way computers defend against intrusion naturally resembles the way living organisms do, the mechanisms by which the immune system successfully protects the body against all kinds of harm provide an important basis for computer security research. From an information-science standpoint, an artificial immune system is essentially a large-scale information processing system with desirable properties such as distribution, adaptability and robustness, exactly the properties that current computer security systems lack. Research on immune-based intrusion detection systems has therefore become a hot topic in the intrusion detection field in recent years.

Building on a systematic analysis of previous work, this thesis proposes an intrusion detection system based on immune principles. Two main pieces of work are completed in the system: first, the composition of the antibody in the immune algorithm is improved and the improved antibody is used in the proposed system; second, protocol analysis technology is introduced and an artificial immune intrusion detection system model based on the idea of classification is proposed.

Network data are varied and complex and attack types are many, so when applying immune principles to intrusion detection one must consider how the antibody structure can truly reflect the characteristics of network data. In previous research the antibody was composed only of the protocol type, IP address and port number, so some attacks against the application layer could not be detected. Moreover, the experimental data used in previous research were artificial: a small amount of normal data was added to a large number of attack packets and the proposed model was verified on that mixture, so the results obtained are not credible. This thesis improves the antibody structure so that it truly reflects the characteristics of network data. Besides the traditional protocol type, IP address and port number, the structure incorporates part of the transport-layer payload to reflect the state of the application layer, describing the real characteristics of the network in more detail. Finally, the system is verified with real network data.

As in the natural immune system, the core task of an artificial immune intrusion detection system is to distinguish "self" from "nonself". "Self" means normal network system behaviour and "nonself" means abnormal behaviour. A network-based intrusion detection system must separate self from nonself in a large volume of network data. Protocol analysis technology decodes the protocol of the data and then invokes the corresponding rule set for detection, so data processing is highly targeted, which effectively improves detection efficiency and accuracy. This thesis therefore combines protocol analysis technology with immune principles in the intrusion detection system. The system comprises three main modules: a memory cell detection module, a mature cell detection module and an immature cell tolerance module. The raw data are preprocessed by protocol analysis to refine them, and tolerance and detection are then carried out per class. This remedies the weakness of earlier systems, whose detection data range was too broad and not targeted.

Research on the mechanisms of the biological immune system is still developing and maturing, and research on computer immune systems has only just emerged, so the model proposed in this thesis still needs further improvement. How to introduce more immune mechanisms and how to further raise the detection rate of the system will be the direction of future work.
With the rapid development of the Internet, network security is becoming more and more important. Compared with firewall technology, which is static and based on packet-filtering policies, intrusion detection is a dynamic network security technology whose core is data analysis and processing. It collects and analyses key information from many points in a computer network system in order to examine whether behaviour that violates the security policy exists in the network.

Computers protect themselves against attack in a way that is very similar to the biological immune system, and this immune system provides an important basis for studying computer security. An artificial immune system is in fact a system that handles huge amounts of data; it is distributed, adaptive and robust, among other characteristics. Present computer security systems do not have these characteristics, so studying intrusion detection systems based on immune principles is a key research topic.

This thesis proposes an intrusion detection system based on immune principles. Two parts of the work are completed in this system: one improves the antibody structure in the immune algorithm; the other uses protocol analysis technology and proposes an artificial immune intrusion detection system based on classification.

Because of the enormous volume of data and the variety of attack types, we must consider how to make the antibody structure reflect the characteristics of network data. In past research the antibody structure included only the protocol, IP address and port, so some attacks aimed at the application layer could not be found. Moreover, the experimental data in past research were artificial data, in which a little normal data was added to plenty of attack data before the models were verified, so the results were not persuasive. In the antibody structure proposed here, besides the protocol, IP address and port, the author also adds some application-layer data. Finally, she uses real network data in the experiment.

An artificial immune intrusion detection system is the same as the natural immune system in that its main task is to differentiate self from nonself. Self means normal network system behaviour, while nonself means abnormal behaviour. A network-based intrusion detection system differentiates self from nonself within huge volumes of network data. Protocol analysis technology can decode data and examine it against the rules of its protocol, so it can discover attacks accurately. For this reason, protocol analysis technology and immune principles are applied together in the intrusion detection system in this thesis. The intrusion detection system is mainly composed of a memory cell module, a mature cell module and an immature cell module, and protocol analysis is used to handle the data. This improves on the defects of past systems.

The biological immune system is still being studied and research on computer immune systems is in its initial stages; therefore the model this thesis proposes needs to be improved. How to introduce more immune principles and how to improve the detection rate of the system are directions for future research.
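The three-module pipeline described in both abstracts (immature cells tolerated against self, mature cells detecting, firing cells promoted to memory) with the extended antibody structure (protocol class, IP, port plus a payload prefix), as an added Python example that is not code from the thesis. The field layout, the "every non-wildcard field agrees" matching rule and all sample flows are constructed assumptions.

```python
from collections import namedtuple
# Flow: one protocol-decoded packet; Antibody: a detector with the extended structure
# (protocol class, IP, port, payload prefix). None in an antibody field is a wildcard.
Flow = namedtuple("Flow", "proto src_ip dst_port payload")
Antibody = namedtuple("Antibody", "proto src_ip dst_port payload_prefix",
                      defaults=(None, None, None))

def matches(ab, flow):
    """An antibody binds a flow when every non-wildcard field agrees; the payload field
    is a prefix match on the first transport-layer bytes (the application-layer view)."""
    return (ab.proto == flow.proto
            and ab.src_ip in (None, flow.src_ip)
            and ab.dst_port in (None, flow.dst_port)
            and (ab.payload_prefix is None or flow.payload.startswith(ab.payload_prefix)))

def tolerate(immature, self_flows):
    """Tolerance module (negative selection): an immature antibody that binds any self
    flow of its own protocol class is discarded; the survivors become mature cells."""
    return [ab for ab in immature
            if not any(matches(ab, f) for f in self_flows if f.proto == ab.proto)]

def detect(flows, mature, memory):
    """Classified detection, memory cells first; a mature cell that fires becomes memory."""
    flags = []
    for flow in flows:
        hit = next((ab for ab in memory + mature if matches(ab, flow)), None)
        if hit in mature:
            mature.remove(hit)
            memory.append(hit)
        flags.append(hit is not None)       # True means the flow is classed as nonself
    return flags

# Constructed sample data (not from the thesis): normal web and DNS traffic is "self".
SELF_FLOWS = [Flow("tcp", "10.0.0.5", 80, b"GET / HTTP/1.1"),
              Flow("tcp", "10.0.0.6", 80, b"POST /login HTTP/1.1"),
              Flow("udp", "10.0.0.5", 53, b"\x12\x34\x01\x00")]
# Constructed immature antibodies; the first two bind self and must be tolerated away.
IMMATURE = [Antibody("tcp", dst_port=80),                              # any web traffic
            Antibody("udp", dst_port=53),                              # any DNS traffic
            Antibody("tcp", dst_port=80, payload_prefix=b"\x00\x00"),  # non-HTTP bytes on 80
            Antibody("tcp", dst_port=23)]                              # port never seen in self

def run_demo():
    mature, memory = tolerate(IMMATURE, SELF_FLOWS), []
    test = [Flow("tcp", "10.0.0.7", 80, b"GET /index.html HTTP/1.1"),  # self
            Flow("tcp", "192.0.2.9", 80, b"\x00\x00\x00\x10"),         # nonself: payload field
            Flow("tcp", "192.0.2.9", 80, b"\x00\x00\x00\x10"),         # repeat: memory cell hit
            Flow("udp", "10.0.0.5", 53, b"\x56\x78\x01\x00")]          # self
    return detect(test, mature, memory), mature, memory
```

The second test flow is caught only because the antibody carries a payload prefix; the port-only antibody that would also have bound it was destroyed during tolerance because it bound normal web traffic.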