
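Research on Intelligent Intrusion Detection Systems Based on Advanced Computing

【Author】 Li Yuping (李玉萍)

【Advisors】 Yin Jingyuan (尹京苑); Shan Xinjian (单新建)

【Author information】 Institute of Geophysics, China Earthquake Administration; Solid Earth Geophysics; 2012; PhD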

【Abstract】 The development of computer technology has changed human life, but the risk of and opportunity for virus intrusion have increased sharply as well. Designing security measures that prevent unauthorized access to the resources and data of earthquake information systems is an important and urgent problem for the security of earthquake-system hosts and earthquake information networks. Network security is also an issue that must be solved in order to carry out earthquake research. Intrusion detection is a network security technology that has emerged over the past 20 years and that actively protects a system against attack; it monitors the network without affecting network performance and so provides real-time protection against internal attacks, external attacks and misuse. After analysing some of the basic theory of intrusion detection systems, the author points out the need to introduce advanced machine learning and evolutionary computation methods to implement intrusion detection systems. Three methods are proposed: an intrusion detection method based on a support vector machine for imbalanced data, an intrusion detection method based on artificial immune danger theory, and an intrusion detection method based on immune danger clonal programming. The specific contributions are as follows:

(1) An intrusion detection method based on support vector machines and imbalanced data is proposed. The imbalanced data problem in intrusion detection is introduced first; to address it, a fast support vector machine classifier for imbalanced data is built and used to implement a new type of intrusion detection system. The algorithm has the following advantages: (a) it takes into account the effect of imbalanced data on the performance of the learning machine and, through an imbalanced LSSVM, realizes an intrusion detection system with strong generalization ability; (b) because LSSVM turns the inequality constraints of the learning process into equality constraints, the complexity of training is greatly reduced. Finally, the method is used to classify the connection feature fields of the KDD Cup 1999 data set; the accuracy of the detection results is analysed and compared, and the detection efficiency is evaluated. The results demonstrate its effectiveness.

(2) An intrusion detection method based on a clustering algorithm and danger theory is proposed. To address the difficulty of precisely distinguishing self from non-self in intrusion detection systems built on traditional artificial immune mechanisms, danger theory is introduced to achieve more efficient intrusion detection. The algorithm has the following advantages: (a) fuzzy C-means clustering is used as a preprocessing step to find the approximate locations of the data centers, and danger theory is then used to find the most appropriate number of clusters and better cluster centers, which greatly reduces the processing time of the intrusion detection system; (b) it avoids the problem of overly large self/non-self sets in traditional immune IDS by associating the immune response with danger signals. Whether a behaviour is an intrusion is judged from the concentration of the danger signal. Its performance is verified on the KDD Cup 1999 data set. The results demonstrate its effectiveness.

(3) An intrusion detection method based on immune danger clonal programming is proposed. As time passes, the self library in the immune danger intrusion detection algorithm becomes very large, and the self-tolerance time grows exponentially. To further reduce the time complexity of the immune danger intrusion detection method, an immune danger clonal programming intrusion detection algorithm is proposed to speed up the convergence of the immune algorithm. The algorithm has the following advantages: (a) it uses the clone operation in place of the crossover, mutation and selection operations of traditional evolutionary computation, which gives faster solving speed on large-scale optimization problems; (b) it can overcome the tendency of immune algorithms to converge to a local minimum. Its performance is verified on the KDD Cup 1999 data set. The results demonstrate its effectiveness.

  • 【Classification code】 TP393.08; TP18
  • 【Times cited】 2
  • 【Downloads】 526