Research and Design of an Intrusion Detection System Based on Clustering and Protocol Analysis
Abstract
Today, as network security problems grow ever more prominent, using a data-mining-based intrusion detection system to discover all kinds of intrusion behaviour quickly and effectively is vital to protecting system and network resources. Unsupervised anomaly detection methods, represented by clustering, can find anomalous data in unlabelled datasets; they overcome the shortcomings of traditional data mining methods, automate the labelling of datasets and the building of the intrusion detection model, and have become a powerful tool for intrusion detection. However, data mining techniques lag behind: they cannot judge intrusion behaviour in real time, whereas real-time operation is exactly what intrusion detection emphasises. How to improve detection efficiency is therefore a problem that any data-mining-based intrusion detection system must solve.
To improve the efficiency of the clustering algorithm, and exploiting the fact that packets exhibit a high degree of protocol regularity, this thesis proposes a new intrusion detection system design that integrates protocol analysis into clustering-based data mining. Data cleaning and protocol analysis not only detect intrusions faster and substantially reduce the volume of data to be clustered, but also make the mined data better satisfy the preconditions of clustering. In addition, improvements to the clustering technique itself raise the detection rate and lower the false alarm rate to a certain extent.
The research in this thesis is not only a network security solution that can serve as a reference, but also a new exploration of the development of intrusion detection technology. As research continues, this hybrid detection technique is expected to become more complete and its application prospects broader.
With the growing severity of network security problems, using a data mining-based intrusion detection system to find intrusion activities efficiently and quickly has become important to the security of systems and network resources. Unsupervised anomaly detection methods can detect anomalous records in an unlabelled dataset. They overcome the shortcomings of traditional data mining methods and automate the labelling and model-building process of intrusion detection, and have become a useful tool for intrusion detection. Clustering is the representative unsupervised anomaly detection method. But the data mining-based technique has a shortcoming in real-time detection, which is an important part of intrusion detection, because it cannot judge in real time whether an action is normal or not. So how to improve the detection efficiency of the data mining-based intrusion detection system is the most important problem.
Because of the high regularity of the network protocol of the data packets, a new intrusion detection system is proposed in order to improve efficiency. The protocol analysis technique is attached to the clustering data mining system. On the one hand, it can take out the illegal data efficiently and reduce the amount of data to be clustered; on the other hand, it makes the data set satisfy the assumptions of the clustering data mining technique. In the new intrusion detection system, the clustering technique is also improved, which makes the work more efficient.
The research on the new intrusion detection system not only proposes a network security solution, but also explores the development of the intrusion detection technique. With the continue
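The two-stage design described in the abstract (protocol analysis as a fast pre-filter, then unsupervised clustering over the cleaned records, with small clusters reported as anomalies) can be made concrete as follows. This is an added illustration written for this page, not the thesis's own code or design: the connection-record fields, the protocol rules, the distance threshold `width`, the `small_fraction` cut-off and every record in `RECORDS` are constructed for the example. The clustering step follows the single-pass scheme of Portnoy, Eskin and Stolfo (2001), in which a record joins the first cluster whose centre lies within a fixed width and otherwise seeds a new cluster.

```python
"""Added example: protocol-analysis pre-filter + single-pass clustering.
Records, rules and thresholds are constructed for illustration only."""
import math
from dataclasses import dataclass


@dataclass
class Conn:
    proto: str       # "tcp" or "udp"
    dport: int       # destination port
    flags: str       # TCP flags of the first segment ("S" = SYN); "" for UDP
    src_bytes: int   # bytes from client to server
    dst_bytes: int   # bytes from server to client
    duration: float  # seconds


# Constructed sample (not real traffic): web and DNS sessions, one unusually
# large and long outbound transfer, and four records that break protocol rules.
RECORDS = [
    Conn("tcp", 80, "S", 300, 4000, 0.5),
    Conn("tcp", 80, "S", 320, 4200, 0.6),
    Conn("tcp", 80, "S", 280, 3900, 0.4),
    Conn("tcp", 80, "S", 310, 4100, 0.5),
    Conn("tcp", 443, "S", 500, 6000, 1.0),
    Conn("tcp", 443, "S", 520, 6100, 1.1),
    Conn("udp", 53, "", 60, 120, 0.01),
    Conn("udp", 53, "", 64, 130, 0.01),
    Conn("udp", 53, "", 58, 110, 0.02),
    Conn("tcp", 22, "S", 200000, 150, 1200.0),  # rare: huge upload, long session
    Conn("tcp", 80, "SF", 0, 0, 0.0),           # SYN and FIN set together
    Conn("tcp", 21, "", 0, 0, 0.0),             # TCP segment with no flags
    Conn("udp", 53, "S", 60, 120, 0.01),        # TCP flags on a UDP datagram
    Conn("tcp", 70000, "S", 100, 100, 0.1),     # impossible destination port
]


def protocol_filter(records):
    """Stage 1: protocol analysis. Records that break protocol rules are
    reported at once and never reach the costlier clustering stage.
    Returns (indices_kept, [(index, reason), ...])."""
    kept, violations = [], []
    for i, r in enumerate(records):
        reason = None
        if not 0 < r.dport < 65536:
            reason = "destination port outside 1-65535"
        elif r.proto == "tcp" and "S" in r.flags and "F" in r.flags:
            reason = "SYN and FIN set in the same segment"
        elif r.proto == "tcp" and r.flags == "":
            reason = "TCP segment with no flags"
        elif r.proto == "udp" and r.flags:
            reason = "TCP flags on a UDP datagram"
        if reason:
            violations.append((i, reason))
        else:
            kept.append(i)
    return kept, violations


def features(records, indices):
    """Stage 2: data cleaning for clustering. Log-scale the heavily skewed
    byte and time counts, then min-max scale each column to [0, 1] so that
    no single feature dominates the Euclidean distance."""
    raw = [[math.log2(records[i].src_bytes + 1),
            math.log2(records[i].dst_bytes + 1),
            math.log2(records[i].duration + 1)] for i in indices]
    cols = list(zip(*raw))
    lo = [min(c) for c in cols]
    span = [(max(c) - min(c)) or 1.0 for c in cols]
    return [[(v - lo[k]) / span[k] for k, v in enumerate(row)] for row in raw]


def single_pass_cluster(vectors, width):
    """Stage 3: one-pass clustering (Portnoy et al. 2001). A vector joins the
    first cluster whose centre is within `width`, otherwise it seeds a new
    cluster. Returns one cluster id per vector."""
    centres, labels = [], []
    for v in vectors:
        for cid, c in enumerate(centres):
            if math.dist(v, c) <= width:
                labels.append(cid)
                break
        else:
            centres.append(v)
            labels.append(len(centres) - 1)
    return labels


def detect(records, width=0.2, small_fraction=0.15):
    """Full pipeline. Clusters holding fewer than `small_fraction` of the
    cleaned records are reported as anomalies, on the usual assumption that
    normal traffic is the majority and forms the large clusters."""
    kept, violations = protocol_filter(records)
    labels = single_pass_cluster(features(records, kept), width)
    sizes = {}
    for lab in labels:
        sizes[lab] = sizes.get(lab, 0) + 1
    limit = small_fraction * len(kept)
    anomalies = [idx for idx, lab in zip(kept, labels) if sizes[lab] < limit]
    return {"violations": violations, "clusters": len(sizes), "anomalies": anomalies}


if __name__ == "__main__":
    result = detect(RECORDS)
    for i, why in result["violations"]:
        print(f"record {i:2d}: protocol violation ({why})")
    for i in result["anomalies"]:
        print(f"record {i:2d}: clustering anomaly ({RECORDS[i]})")
```

On the constructed sample the pre-filter removes four of fourteen records before any distance is computed, which is the efficiency gain the thesis argues for; the remaining ten form three clusters (web, DNS, and the lone large transfer), and only the singleton cluster falls below the size cut-off. The log and min-max scaling in `features` is what makes the records "satisfy the preconditions of clustering": without it the byte counts would swamp the duration feature and the distance threshold would be meaningless.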