Research on a Distributed Intrusion Detection Model Based on Association Analysis
Abstract

With the rapid growth of the Internet, network security problems have become increasingly prominent. Because intrusion techniques are so varied, firewalls alone are not enough to secure a whole network, so intrusion detection has attracted growing attention and has become an important research area in computer security.

Traditional intrusion detection systems have served small and medium-sized networks well, but as bandwidth grows and attacks become more complex they face new challenges in scalability and detection efficiency. Drawing on the characteristics of distributed techniques, this thesis proposes a new distributed intrusion detection model that addresses the heavy packet loss and the single point of failure of the traditional model, and uses association analysis to mine new rules from the log database so that the rule base is updated automatically.

The thesis analyses the key techniques of intrusion detection and data mining: it explains how intrusion detection systems are classified and what characterises each detection model, argues for the advantages of the distributed model, describes several data mining methods, and shows how they apply to intrusion detection.

It then introduces association analysis from data mining into intrusion detection, proposes a distributed intrusion detection model based on it, and designs and implements the system in a modular, layered way. The model has two layers distributed over different hosts: a front-end layer of mobile detection nodes that perform intrusion detection independently, and a back-end layer of centralized control that performs association analysis on the collected data. A front-end node combines a host-based anomaly detection model with a network-based misuse detection model; the number of nodes deployed can be matched to the size of the network, which gives the model considerable flexibility, and the nodes cooperate with one another to detect distributed intrusions. The back-end control host discovers new intrusion behaviour and new rules through association analysis of the log database.

Experiments show that the proposed model scales well, reduces both the false alarm rate and the missed alarm rate, and has practical value.
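The back-end step described in the abstract, mining the log database for new rules, is shown below as an added example; it is not code from the thesis, which does not say which association mining algorithm it uses. The example assumes Apriori (Agrawal et al. [32], [33]) over a constructed sensor log in which each record is a set of attribute=value items and `alert=yes`/`alert=no` is the verdict attached by a front-end node. The field names, the sample records and the support and confidence thresholds are all assumptions made for the example.

```python
"""Apriori-style rule mining over a constructed sensor log (added example).

Not code from the thesis: it illustrates the back-end step the abstract
describes, mining frequent attribute patterns from the log database and
keeping those that predict the front-end verdict "alert=yes" as candidate
rules for the rule base. Field names, thresholds and records are assumed.
"""
from collections import Counter
from fractions import Fraction
from itertools import combinations

# Exact thresholds: with floats, Fraction(4, 5) >= 0.8 is False because the
# double nearest 0.8 is slightly above 4/5, so a rule sitting exactly on the
# threshold would be dropped. Fractions keep the boundary where it is stated.
MIN_SUPPORT = Fraction(3, 10)
MIN_CONFIDENCE = Fraction(4, 5)

# Constructed connection records (assumed fields): one frozenset per record.
# Four half-open SYNs (flag=S0) from one source that the front-end flagged,
# plus ordinary completed (flag=SF) traffic that it did not.
SAMPLE_LOG = [
    frozenset({"proto=tcp", "flag=S0", "service=private", "src=10.0.0.9", "alert=yes"}),
    frozenset({"proto=tcp", "flag=S0", "service=private", "src=10.0.0.9", "alert=yes"}),
    frozenset({"proto=tcp", "flag=S0", "service=private", "src=10.0.0.9", "alert=yes"}),
    frozenset({"proto=tcp", "flag=S0", "service=smtp", "src=10.0.0.9", "alert=yes"}),
    frozenset({"proto=tcp", "flag=SF", "service=http", "src=10.0.0.5", "alert=no"}),
    frozenset({"proto=tcp", "flag=SF", "service=http", "src=10.0.0.7", "alert=no"}),
    frozenset({"proto=udp", "flag=SF", "service=domain", "src=10.0.0.5", "alert=no"}),
    frozenset({"proto=tcp", "flag=SF", "service=http", "src=10.0.0.9", "alert=no"}),
]


def frequent_itemsets(transactions, min_support):
    """Apriori: return {itemset: support} for every itemset with support >= min_support."""
    n = len(transactions)
    counts = Counter(item for t in transactions for item in t)
    support = {frozenset([i]): Fraction(c, n) for i, c in counts.items()
               if Fraction(c, n) >= min_support}
    level = set(support)
    k = 2
    while level:
        # Join: unions of two frequent (k-1)-itemsets that have exactly k items.
        candidates = {a | b for a in level for b in level if len(a | b) == k}
        # Prune: every (k-1)-subset of a candidate must itself be frequent.
        candidates = {c for c in candidates
                      if all(frozenset(s) in level for s in combinations(c, k - 1))}
        counts = Counter(c for t in transactions for c in candidates if c <= t)
        level = {c for c in candidates if Fraction(counts[c], n) >= min_support}
        support.update({c: Fraction(counts[c], n) for c in level})
        k += 1
    return support


def association_rules(support, min_confidence):
    """Split each frequent itemset into antecedent -> consequent; keep confident rules.

    Returns (antecedent, consequent, support, confidence, lift) tuples. Lift is
    confidence divided by the consequent's base rate: a rule with lift near 1
    fires no more often on attacks than chance, however high its confidence.
    """
    rules = []
    for itemset, sup in support.items():
        if len(itemset) < 2:
            continue
        for r in range(1, len(itemset)):
            for ante in map(frozenset, combinations(itemset, r)):
                cons = itemset - ante
                conf = sup / support[ante]  # subsets of a frequent set are frequent
                if conf >= min_confidence:
                    rules.append((ante, cons, sup, conf, conf / support[cons]))
    return rules


def mine_signatures(transactions, min_support=MIN_SUPPORT, min_confidence=MIN_CONFIDENCE):
    """Candidate rule-base entries: patterns that predict alert=yes.

    Returns {antecedent: (support, confidence, lift)}.
    """
    support = frequent_itemsets(transactions, min_support)
    target = frozenset({"alert=yes"})
    return {ante: (sup, conf, lift)
            for ante, cons, sup, conf, lift in association_rules(support, min_confidence)
            if cons == target}


def minimal_signatures(signatures):
    """Drop antecedents that only extend a shorter one without raising confidence."""
    return {ante: stats for ante, stats in signatures.items()
            if not any(other < ante and signatures[other][1] >= stats[1]
                       for other in signatures)}


def render_rule(antecedent):
    """Render an antecedent as a textual rule for pushing to the front-end rule base."""
    return "IF " + " AND ".join(sorted(antecedent)) + " THEN alert=yes"


if __name__ == "__main__":
    found = minimal_signatures(mine_signatures(SAMPLE_LOG))
    for ante, (sup, conf, lift) in sorted(found.items(), key=lambda kv: sorted(kv[0])):
        print(f"{render_rule(ante):<45} support={sup} confidence={conf} lift={lift}")
```

On this constructed log `flag=S0` predicts `alert=yes` with confidence 1 and lift 2, `src=10.0.0.9` scrapes through at confidence 4/5, and `proto=tcp` is dropped (confidence 4/7), which is the behaviour wanted from a rule miner: the SYN pattern becomes a rule, the common protocol does not. Two checks a practitioner would add before letting such rules update a live rule base: the mined rules inherit whatever errors the front-end verdicts contain, so a misconfigured anomaly node poisons the rule base; and confidence alone is not enough, since under a low attack base rate a high-confidence rule can still mostly produce false alarms (Axelsson [19]), which is why lift is reported alongside it.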
References
[1] Anderson J P. Computer security threat monitoring and surveillance. Technical report, James P. Anderson Co., Fort Washington, Pennsylvania, 1980: 11-17
[2] Mayer A, Wool A, Ziskind E. Fang: a firewall analysis engine. In: Proceedings of the 2000 IEEE Symposium on Security and Privacy, 2000: 177-187
[3] Uribe T E, Cheung S. Automatic analysis of firewall and network intrusion detection system configurations. In: Proceedings of the 2004 ACM Workshop on Formal Methods in Security Engineering, Washington, DC. ACM, 2004: 66-74
[4] Dudykevych V, Piskozub A, Lomnytskyi I. Modern approach to protection of computer systems and networks. In: Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications, Lviv, Ukraine, 2003: 490-493
[5] Puketza N J, Zhang K, Chung M, et al. A methodology for testing intrusion detection systems. IEEE Transactions on Software Engineering, 1996, 22(10): 719-729
[6] Bace R, Mell P. Intrusion Detection Systems. NIST Special Publication on Intrusion Detection Systems, 1999, 12(3): 121-140
[7] Ouyang Kai, Zhou Jingli, Xia Tao, et al. Research on SSL VPN based on virtual services. 小型微型计算机系统 (Journal of Chinese Computer Systems), 2006, 27(2): 228-232
[8] Sandhu R S, Coyne E J, Feinstein H L, et al. Role-based access control models. IEEE Computer, 1996, 29(2): 38-47
[9] Denning D E. An intrusion-detection model. IEEE Transactions on Software Engineering, 1987, 13(2): 222-232
[10] Lunt T F, Jagannathan R, Lee R, et al. IDES: the enhanced prototype, a real-time intrusion detection system. Technical report, SRI International, Computer Science Laboratory, 1988: 143-149
[11] Snapp S R, Brentano J, Dias G V, et al. A system for distributed intrusion detection. In: COMPCON Spring '91 Digest of Papers, San Francisco, CA. IEEE Computer Society, 1991: 170-176
[12] Wang Y, Behera S R, Wong J, et al. Towards the automatic generation of mobile agents for distributed intrusion detection system. Journal of Systems and Software, 2006, 79(1): 12-14
[13] Deng Yigui, Wang Kang, Tu Guangyou, et al. An intrusion detection system model based on mobile agents and dynamic topology. 计算机科学 (Computer Science), 2006, 33(9): 74-75
[14] Balasubramaniyan J S, Garcia-Fernandez J O, Isacoff D, et al. An architecture for intrusion detection using autonomous agents. In: Proceedings of the 14th Annual Computer Security Applications Conference, Phoenix, AZ, 1998: 13-24
[15] Ilgun K, Kemmerer R A, Porras P A. State transition analysis: a rule-based intrusion detection approach. IEEE Transactions on Software Engineering, 1995, 21(3): 181-199
[16] Lee W, Stolfo S J, Mok K W. A data mining framework for building intrusion detection models. In: Proceedings of the 1999 IEEE Symposium on Security and Privacy, 1999: 120-132
[17] Luo J, Bridges S M. Mining fuzzy association rules and fuzzy frequency episodes for intrusion detection. International Journal of Intelligent Systems, 2000, 15(8): 678-703
[18] Shah H, Undercoffer J, Joshi A. Fuzzy clustering for intrusion detection. In: Proceedings of the 12th IEEE International Conference on Fuzzy Systems, 2003, vol. 2: 1274-1278
[19] Axelsson S. The base-rate fallacy and the difficulty of intrusion detection. ACM Transactions on Information and System Security, 2000, 3(3): 186-205
[20] Xu Ming, Chen Chun, Ying Jing. Anomaly detection based on system call classification. 软件学报 (Journal of Software), 2004, 15(3): 391-403
[21] Debar H, Dacier M, Wespi A. Towards a taxonomy of intrusion-detection systems. Computer Networks, 1999, 31(8): 805-822
[22] Sundaram A. An introduction to intrusion detection. ACM Crossroads, 1996, 2(4): 675-682
[23] Koziol J. Intrusion Detection with Snort. 1st ed. Indianapolis: New Riders (Pearson Education), 2003: 5-10
[24] Liepins G E, Vaccaro H S. Intrusion detection: its role and validation. Computers & Security, 1992, 11(4): 47-55
[25] Cai Longzheng, Yu Shengsheng, Zhou Jingli. An anomaly intrusion detection method for impure training data. 小型微型计算机系统 (Journal of Chinese Computer Systems), 2006, 27(3): 437-441
[26] Kumar S, Spafford E H. A pattern matching model for misuse intrusion detection. In: Proceedings of the 17th National Computer Security Conference, Baltimore, MD. NIST, 1994: 11-21
[27] Pan Zhisong, Lian Hong, Hu Guyu, et al. An integrated model of intrusion detection based on neural network and expert system. In: Proceedings of the 17th IEEE International Conference on Tools with Artificial Intelligence, 2005: 1082-1084
[28] Zhang Yufang, Xiong Zhongyang, Wang Xiuqiong. Distributed intrusion detection based on clustering. In: Proceedings of the 2005 International Conference on Machine Learning and Cybernetics, 2005, vol. 4: 2379-2383
[29] Staniford-Chen S, Cheung S, Crawford R, et al. GrIDS: a graph-based intrusion detection system for large networks. In: Proceedings of the 19th National Information Systems Security Conference, 1996: 253-258
[30] Ma Hengtai, Ren Dang'en, Qing Sihan. Intrusion detection for network security. 软件学报 (Journal of Software), 2000, 11(11): 460-466
[31] Han J, Kamber M. Data Mining: Concepts and Techniques. 1st ed. Fan Ming, Meng Xiaofeng, trans. Beijing: 机械工业出版社 (China Machine Press), 2000: 10-15
[32] Agrawal R, Imielinski T, Swami A. Mining association rules between sets of items in large databases. In: Proceedings of the ACM SIGMOD International Conference on Management of Data, 1993: 207-216
[33] Agrawal R, Mannila H, Srikant R, et al. Fast discovery of association rules. In: Fayyad U M, Piatetsky-Shapiro G, Smyth P, et al., eds. Advances in Knowledge Discovery and Data Mining. Menlo Park, CA: AAAI/MIT Press, 1996: 307-328
[34] Park J S, Chen M S, Yu P S. An effective hash-based algorithm for mining association rules. In: Proceedings of the 1995 ACM SIGMOD International Conference on Management of Data, San Jose, CA, 1995: 175-186
[35] Lian Yifeng, Dai Yingxia, Lu Zhenyu. Research on an intrusion detection system based on adaptive agents. 计算机工程 (Computer Engineering), 2002, 28(7): 44-47
[36] Zhu Qiuping, Mao Pingping, Luo Jun. An intrusion detection system based on association rules. 计算机工程与应用 (Computer Engineering and Applications), 2004, 26(3): 160-162
[37] Han Zongfen, Liu Ke, Jin Hai. Distributed cooperative intrusion detection based on data mining. 华中科技大学学报(自然科学版) (Journal of Huazhong University of Science and Technology, Natural Science Edition), 2002, 30(7): 33-35
[38] El-Semary A, Edmonds J, Gonzalez-Pino J, et al. Applying data mining of fuzzy association rules to network intrusion detection. In: Proceedings of the 2006 IEEE Workshop on Information Assurance, 2006: 100-107
[39] Liu Qinghua, Zhao Feng, Zhao Yanbin. A real-time architecture for NIDS based on sequence analysis. In: Proceedings of the 2005 International Conference on Machine Learning and Cybernetics, 2005: 1893-1896
[40] Yan Hui, Cao Yuanda. An anomaly detection method based on intrusion statistics. 计算机工程与应用 (Computer Engineering and Applications), 2002, 28(2): 48-51
[41] Wang K, He Y, Han J. Pushing support constraints into association rules mining. IEEE Transactions on Knowledge and Data Engineering, 2003, 15(3): 642-658
[42] Yoshida K. Entropy based intrusion detection. In: Proceedings of the 2003 IEEE Pacific Rim Conference on Communications, Computers and Signal Processing, 2003: 840-843
[43] Su J H, Lin W Y. CBW: an efficient algorithm for frequent itemset mining. In: Proceedings of the 37th Annual Hawaii International Conference on System Sciences, 2004: 9-18
