摘要
在网络安全问题日益突出的今天,如何迅速而有效地利用入侵检测系统发现并正确响应各种入侵行为,对于保证系统和网络资源的安全十分重要。传统的入侵检测系统及模型尚存在各种各样的问题,尤其是在检测算法和决策机制上的研究还有待深入。因此,如何建立起有效的入侵检测系统,使它在网络空间与网络攻击(入侵)进行的体系对体系的对抗中获胜,具有十分紧迫的意义。
鉴于传统的入侵检测系统在检测和控制机制上均需人工干预所呈现出的低效性,提出了一种基于博弈论的入侵检测系统,在应用异常数据挖掘算法自动标记过滤数据的基础上,针对网络攻防双方所固有的博弈本质,对入侵检测器的分类结果做出权衡和评估,得出精确的决策以响应入侵。
在检测算法上,克服了传统的异常数据挖掘算法存在的时间复杂度较大的缺陷,设计了一种基于距离的异常数据挖掘算法,DBOM算法。通过筛选权值高的活性数据的方法和分块读取数据的技术,降低了传统算法运行时间,并提高了入侵检测系统的检测效率。
在决策控制机制上,引用博弈论的思想,建立了量化的决策控制过程的数学模型。该模型模拟了网络攻击过程,评估了入侵给系统带来的损失,并权衡两类错误(虚警和漏警)的开销和有限的网络系统资源,对入侵做出了更精确的响应决策,从而整体提高入侵检测系统的效率。
对异常数据挖掘算法和基于博弈论的入侵检测模型的实验结果表明,基于博弈论的入侵检测系统的检测和决策控制效率都较传统的入侵检测系统有一定的提高。
Since the problem of network security is more and more severe today, how to detect and act the intrusion quickly and precisely through the intrusion detection system is very important to the network security. However, most existing intrusion detection systems and intrusion detection models all have their deficiencies, especially have deficiencies in detection algorithm and decision mechanism. Thus how to establish an efficient intrusion detection system to win the counterwork between the network attacker and defender is put in an urgent need.
Due to the existing intrusion detection systems most need human intervention both in detection and decision making, an intrusion detection system is put forward in this paper. This system assesses and weighs with the results from the detector and make the precise decision to act the intrusion based on the game between the network attacker and defender after automatically label the data sets using the outlier detection algorithm.
In the part of detection algorithm, an outlier detection algorithm based on distance (DBOM algorithm) is designed in this paper and the algorithm overcomes the deficiency of the traditional algorithm in time complexity. This algorithm reduces the executing time greatly and thus improves the intrusion detection efficiency by using the selection of active data with high weights and reading in block technologies.
In the part of decision and control mechanism, a quantitative decision and control framework is established based on game theory in this paper. The framework simulates the process of the network attacking, assesses the cost caused by the intrusion, weighs with the two kinds of the false alarms and the limited network resources and acts the intrusion more precisely. Thus it improves the efficiency of the intrusion detection system.
In all, the emulation and experiment results shows that the intrusion detection system based on game theory improves the efficiency of the intrusion detection system both in detection and decision making mechanism.
引文
[1] Anderson J P. Computer security threat monitoring and surveillance[R]. Technical report. Fort Washington, Pennsylvania: James P Anderson Company, 1980.4
[2] Denning Dorothy E. An Intrusion Detection Model. IEEE Transactions on Software Engineering,13 (2) , 1987:222~232
[3] Lun Teresa F, Jagannathan R, Lee Rosanna et al. IDES: The enhanced prototype, A real-time intrusion detection system[R]. Technical Report SRI Project 4185-010,SRI-CSL-88-12,CSL SRI International, Computer Science Laboratory, SRI 1nt1.333 Ravenswood Ave., Menlo Park, CA 94925-3493,UJSA, 1988.10
[4] Heberlein Todd, Dias Gihan, Levitt Karl et al. A Network security monitor. In: Proceedings of the 1990 IEEE Symposium on Research in Security and Privacy, IEEE, Los Alamitos, CA, USA: IEEE Computer Soo. Press, 1990: 296~304
[5] 盛思源,战守义,石耀斌.自适应入侵检测系统.北京理工大学学报2002,1(22):72~75
[6] Debar H, Becker M. A neural network component for an intrusion detection system. In: Research in Security and Privacy, 1992. Proceedings., 1992 IEEE Computer Society Symposium , Oakland, CA, IEEE Computer Society, 1992:240~250
[7] Hofmeyr SA, Forrest S. Architecture for an artificial immune system. Evolutionary Computation. 1999. 7(1): 45~68
[8] Lee W. A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems. Columbia University. USA.1999,31(8):25~78
[9] Debar Herve, Dacier Marc, Wespi Andreas. Towards a taxonomy of intrusion-detection systems. Computer Networks, 1999; 31 (8): 805-822
[10] 李庆华,童建华,孟中楼.基于数据挖掘的入侵检测建模.计算机上程,2004,30(8):51-53
[11] Agrwal R.,Srikant R. Fast algorithms for mining association rules. In Proceedings of the 20th VLDB Conference, 1994. Touch,S. Hotz. The X-Bone. In:Proc. 3rd Global Internet Mini- Conference.Australia:Proc.3rd Global Internet Mini-Conference Press,1998:75~83
[12] Lee Wenke. A Data Mining Framework for Building Intrusion Detection Models. In IEEE Symposium on Security and Privacy, 1999
[13] Lee W, Stolfo S J, and Mok K W. Mining in a data-flow environment: experience in intrusion detection. Submitted for publication, Oakland, CA March 1999: 120~132
[14] 张洪云, 石阳. 数据挖掘中聚类算法的比较研究. Journal of Anshan Institute of I.&S. Technology, 2001(5):364~368
[15] Anderberg M R. Cluster Analysis for Applications. Number 19 in Probability and Mathematical Statistics. New York, USA: Academic Press, 1973:230~245
[16] SANDER F, ESTER M, KRIEGEL.HP.XUX. The Algorithm DBSCAN and its Applications. Data Mining and Knowledge Discovery. KLUWER Academic Publishers, 1998, 2: 178~192
[17] Ankerst M, Breuing M, Kriegel HP, et al. OPTICS: Ordering points to identify the clustering structure. In: Proceedings of the 1999 ACM-SIGMOD International Conference on Management of Data. Philadelphia. 1999: 49~60
[18] Guha Sudipto, Rastogi, Shim Kyuseok, ROCK: A Robust Clustering Algorithm for Categorical Attributes. Information System 2000( 25): 345~366
[19] Fisher D. Improving Inference Through Conceptual Clustering. In Proc. 1987 AAAI Conf, Seattle, WA, July 1987: 461~465
[20] Angiulli F, Pizzuti C. Fast outlier detection in high dimensional spaces. In Proc. Int. Conf. on Principles of Data Mining and Knowledge Discovery (PKDD’02),2002:15~26
[21] Bay S D, Schwabacher M. Mining distance-based outliers in near linear time with randomization and a simple pruning rule. In Proc. Int. Conf. on Knowledge Discovery and Data Mining (KDD’03), 2003:245~250
[22] Eskin E, Arnold A, Prerau M, Portnoy L, et al. A geometric framework for unsupervised anomaly detection. In Applications of Data Mining in Computer Security, Kluwer, 2002:135~140
[23] Knorr E, Ng R. Algorithms for mining distance-based outliers in large datasets. In Proc. Int. Conf. on Very Large Databases, 1998: 392~403
[24] Knorr E, Ng R, Tucakov V. Distance-based outlier: algorithms and applications. VLDB ,2000, 8(3-4):237~253
[25] Ramaswamy S, Rastogi R, Shim K. Efficient algorithms for mining outliers from large data sets. In Proc. Int. Conf. on Managment of Data, 2000: 427~438
[26] Arning C, Aggarwal P, Raghavan. A linear method for deviation detection in large databases. In Proc. Int. Conf. on Knowledge Discovery and Data Mining (KDD’96), 1996. 164~169
[27] M. M, Kriegel H, R T Ng, et al.. Identifying density-based local outliers. In Proc.Int. Conf. on Managment of Data, 2000:233~236
[28] Jin W, Tung A K H, Han J. Mining top-n local outliers in large databases. In Proc. Int. Conf. on Knowledge Discovery and Data Mining, 2001:125~128
[29] Knorr E M, Ng R T. Finding Intentional Knowledge of Distance-based Outliers. VLDB Journal: Very Large Databases, 1999, 7(1): 211-222
[30] Han Jiawei, Kamber Micheline. 数据挖掘:概念与技术.第一版.范明,孟小峰等译. 北京:机械工业出版社,2001.225~230
[31] 张维迎. 博弈论与信息经济学. 第一版. 上海:上海人民出版社,2000. 35~98
[32] 胡光俊,闫怀志. 基于动态博弈的网络诱骗信息获取策略研究. 科技导报. 2005,23(1):32~34
[33] Burke D. Towards a game theory model of information warfare. Master’s thesis, Graduate School of Engineering and Management in Airforce Institute of Technology. 1999
[34] Lye K W, Wing J. Game strategies in network security. In Foundations of Computer Security Workshop in FLoC'02, Copenhagen, Denmark, July 2002:158~162
[35] Liu P, Zang W. Incentive-based modeling and inference of attacker intent, objectives, and strategies. In Proc. of the 10th ACM Computer and Communications Security Conference (CCS'03), Washington, DC, October 2003:179~189
[36] Zamboni D. Using internal sensors for computer intrusion detection. Ph.D. dissertation, Purdue University, August 2001
[37] Basar T, Olsder G. J. Dynamic Noncooperative Game Theory, 2nd ed. Philadelphia, PA: SIAM, 1999
[38] Tan K M., Killourhy K S, Maxion R A. Undermining an anomaly-based intrusion detection system using common exploits. in Recent Advances in Intrusion Detection : 5th International Symposium, RAID 2002, Zurich, Switzerland, October 16-18, 2002. Proceedings, ser. Lecture Notes in Computer Science. Springer-Verlag Heidelberg, January 2002, vol. 2516 / 2003. 54~73
[39] Rosen J B. Existence and uniqueness of equilibrium points for concave n-person games. Econometrica, 1965(33):520~534
[40] Elkan Charles. Results of the KDD'99 Classifier Learning Contest .http://www-cse.ucsd.edu/users/elkan/clresults.html
[41] Gambit. Gambit game theory analysis software and tools. http://www.hss.caltech.edu/gambit, 2002