Research on a Database Intrusion Detection System Based on Association Rule Mining
Abstract

This thesis first studies database security, then surveys the techniques used in database intrusion detection, and finally, starting from the characteristics of current database security systems, analyses the weaknesses and shortcomings of traditional database security mechanisms. Combining data mining with intrusion detection, it studies database intrusion detection and designs and implements a prototype database intrusion detection system based on association rule mining.

To raise the efficiency of association rule mining, the thesis proposes an improved Apriori algorithm based on a frequent itemset matrix (FM) and a mutual-exclusion item constraint. The algorithm addresses both performance bottlenecks of Apriori: the frequent itemset matrix avoids generating candidate k-itemsets, producing the frequent k-itemsets directly with a logical AND, which greatly reduces both the amount of computation and the number of scans of the transaction database; the mutual-exclusion constraint blocks the join of mutually exclusive items in the join step, which greatly reduces the number of useless frequent itemsets generated. The algorithm is used mainly in anomaly detection, to mine the rules describing a user's normal behaviour and the rules describing the user's current behaviour.

The prototype system is divided into four modules: data acquisition, rule generation, intrusion detection and response. The data acquisition module uses Oracle's auditing facility to collect audit data. The rule generation module uses the improved Apriori algorithm above to extract the user's normal behaviour rules and current behaviour rules. The intrusion detection module combines misuse detection and anomaly detection, running misuse detection first and anomaly detection second, which lowers both the miss rate and the false-alarm rate; the anomaly detection introduces a sliding window and mines association rules over it, so that intrusions can be detected in real time, improving the efficiency and timeliness of detection. The response module records the anomalies and intrusions found in the detection results and alerts the administrator.

Finally, the prototype system is tested and the experimental results are analysed.
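As an added worked example (not code from the thesis), the following Python sketch shows the two mining ideas the abstract names: the frequent itemset matrix, where each item is a bit vector over the audit records and a frequent k-itemset is obtained by ANDing two frequent (k-1)-itemset vectors instead of generating a candidate and rescanning the audit table, and the mutual-exclusion constraint that skips joins of items that can never co-occur in one record. It then mines rules from a sliding window and flags those whose item combination was never frequent in the normal profile. The audit records, the user/operation/object attributes, the thresholds and the itemset-based deviation test are assumptions of the example; the thesis's exact record format and comparison metric are not given on this page.

```python
"""Added illustration, not the thesis's own code. Bit-vector Apriori with a
mutual-exclusion join constraint, plus a sliding-window deviation check.
All records, attributes and thresholds below are constructed for the example."""
from itertools import combinations

# Constructed records in the shape an Oracle audit trail can be reduced to:
# (user, operation, object). One record is one transaction.
NORMAL_AUDIT = [
    ("alice", "SELECT", "ORDERS"), ("alice", "SELECT", "ORDERS"),
    ("alice", "SELECT", "CUSTOMERS"), ("alice", "UPDATE", "ORDERS"),
    ("bob", "SELECT", "INVENTORY"), ("bob", "SELECT", "INVENTORY"),
    ("bob", "INSERT", "INVENTORY"), ("bob", "SELECT", "INVENTORY"),
]
# A constructed current window in which alice starts deleting from a table
# she never touched in the profile.
SUSPECT_WINDOW = [
    ("alice", "DELETE", "INVENTORY"), ("alice", "DELETE", "INVENTORY"),
    ("alice", "SELECT", "ORDERS"), ("alice", "DELETE", "INVENTORY"),
]

def to_items(record):
    """Encode one audit record as attribute=value items."""
    user, op, obj = record
    return (f"user={user}", f"op={op}", f"obj={obj}")

def attribute(item):
    return item.split("=", 1)[0]

def mutually_exclusive(a, b):
    # A record carries exactly one user, one operation and one object, so two
    # items of the same attribute never co-occur; joining them is wasted work.
    return attribute(a) == attribute(b)

def build_matrix(records):
    """item -> bit vector; bit i is set iff record i contains the item."""
    matrix = {}
    for i, record in enumerate(records):
        for item in to_items(record):
            matrix[item] = matrix.get(item, 0) | (1 << i)
    return matrix

def support(bits):
    """Absolute support is the population count of the bit vector."""
    return bin(bits).count("1")

def frequent_itemsets(records, min_support):
    """Return {sorted itemset tuple: bit vector} for every frequent itemset.
    The audit records are read exactly once, inside build_matrix."""
    level = {(item,): bits for item, bits in build_matrix(records).items()
             if support(bits) >= min_support}
    result = dict(level)
    while level:
        nxt = {}
        keys = sorted(level)
        for i, a in enumerate(keys):
            for b in keys[i + 1:]:
                if a[:-1] != b[:-1]:              # Apriori prefix join
                    continue
                if mutually_exclusive(a[-1], b[-1]):
                    continue                      # exclusion constraint
                bits = level[a] & level[b]        # exact support, no rescan
                if support(bits) >= min_support:
                    nxt[a + (b[-1],)] = bits
        result.update(nxt)
        level = nxt
    return result

def association_rules(itemsets, min_conf):
    """{(antecedent, consequent): confidence} over the frequent itemsets."""
    rules = {}
    for itemset, bits in itemsets.items():
        for r in range(1, len(itemset)):
            for ante in combinations(itemset, r):
                cons = tuple(x for x in itemset if x not in ante)
                conf = support(bits) / support(itemsets[ante])
                if conf >= min_conf:
                    rules[(ante, cons)] = conf
    return rules

def sliding_windows(records, size, step):
    """Yield consecutive windows of `size` records, advancing by `step`."""
    for start in range(0, max(len(records) - size, 0) + 1, step):
        yield records[start:start + size]

def deviating_rules(profile_itemsets, window, min_support, min_conf):
    """Rules mined from the window whose item combination was never frequent
    in the normal profile. Comparing itemsets rather than confidences keeps
    the check stable on short windows, where confidence swings with a few
    records (an assumption of this example, not the thesis's metric)."""
    current = association_rules(frequent_itemsets(window, min_support), min_conf)
    return {rule: conf for rule, conf in current.items()
            if tuple(sorted(rule[0] + rule[1])) not in profile_itemsets}

if __name__ == "__main__":
    profile = frequent_itemsets(NORMAL_AUDIT, min_support=2)
    for window in sliding_windows(NORMAL_AUDIT + SUSPECT_WINDOW, size=4, step=4):
        flagged = deviating_rules(profile, window, min_support=2, min_conf=0.75)
        print(f"window starting with {window[0]}: {len(flagged)} deviating rule(s)")
```

On the constructed data the two windows drawn from the normal audit produce no deviating rules, while the window in which alice deletes from INVENTORY yields only rules built on item combinations the profile never saw, so every rule in it is flagged. The exclusion constraint never discards a real itemset here because an audit record cannot contain two users, two operations or two objects; with a profile built from a larger attribute set (session, time of day, row count), the same check would need that property confirmed per attribute before it is applied.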

© 2004-2018 China Geological Library (中国地质图书馆). All rights reserved.
