Research and Implementation of Intrusion Detection Classifier Models for a Hybrid Intrusion Detection System
Abstract
Intrusion detection (ID) is a dynamic security protection technique that can address problems which traditional protection mechanisms such as firewalls and access control cannot. Conventional intrusion detection, however, shows weak adaptability and low detection efficiency when detecting attacks. To improve detection performance, researchers have applied immune principles and data mining techniques to intrusion detection, giving rise to immune-based intrusion detection and data-mining-based intrusion detection.
     This thesis first introduces the research background and development history of intrusion detection, presents the concept and principles of intrusion detection systems (IDS), and compares the advantages and disadvantages of the different detection methods. It then analyses immune-based intrusion detection and data-mining-based intrusion detection, discussing in depth the weight tree algorithm and the decision tree classification algorithm used in these two approaches. On this basis, an immune-based intrusion detection classifier model and a data-mining-based intrusion detection classifier model are designed and implemented. The former uses the weight tree algorithm to build a forest of weight trees that reflects a process's normal system call behaviour and detects abnormal process behaviour against this forest; this classifier can be used in a host-based anomaly IDS. The latter uses the decision tree algorithm to build a decision tree that reflects the characteristics of intrusion attacks and uses the intrusion identification rules contained in the tree to detect network intrusions; this classifier model can be used in a network-based misuse IDS. The effectiveness of both models for intrusion detection is verified by experiment. The two classifier models designed in this thesis are to be used in a hybrid intrusion detection system, which will work together with the honeypot system and firewall system implemented by fellow students to form a relatively complete network security system.
