
Cooperative Ontology Model for Distributed Intrusion Detection System

【Author】 任维武 (Ren Weiwu)

【Supervisor】 胡亮 (Hu Liang)

【Author information】 吉林大学 (Jilin University), Computer Architecture, 2013, Doctoral dissertation

【Abstract (translated from the Chinese)】 As network applications continue to penetrate ever more fields, network attack techniques have evolved from the original single-step, primitive attack patterns into today's multi-step, complex ones. In addition, a large number of heterogeneous distributed intrusion detection systems are deployed across heterogeneous networks; their detection principles differ, their deployment schemes differ, and their detection performance varies widely. These scattered intrusion detection systems are difficult to integrate into cooperative operation, and even less able to shoulder the task of protecting the global information infrastructure. To address these problems, this dissertation proposes a cooperative ontology model for distributed intrusion detection systems. Using ontology methods, the model maps the various entities of the real environment onto instances in the ontology; by analysing these instances it infers the threat state the system is in, and, combined with the attacks being received in real time, infers the consequence state after an attack. Because ontologies are reusable, understandable and shareable, heterogeneous intrusion detection systems in heterogeneous networks can use this ontology model to understand, share and fuse information with ease, and can use the inferred security states to perceive small changes in the current system accurately, so that different intrusion detection systems cooperate and react in advance to attacks that may occur. The dissertation elaborates the cooperative ontology model for distributed intrusion detection systems from three aspects: the ontology model in wired network environments, the ontology model in wireless network environments, and the unified ontology model. Research on the ontology model in wired network environments comprises two parts: model research and related algorithm research. In the model research, a series of methods for constructing, instantiating and reasoning over the ontology is proposed; the main security elements in wired network environments and the relationships among them are analysed and taken as top-level classes; a new threat state class is proposed, the root causes of its occurrence are analysed, and an inference method is given; a new inference method for misconfiguration-type vulnerabilities is proposed; finally, a concrete system framework and workflow are given. In the related algorithm research, based on the algorithmic requirements of the system framework, three concrete algorithms are proposed: a parallel anomaly detection algorithm based on hierarchical clustering, a hybrid intrusion detection system based on hierarchical clustering and decision trees, and an intrusion classifier based on multiple feature selection algorithms. The characteristics of the first two intrusion detection algorithms can be summarised as hybrid, lightweight and parallel. The third algorithm combines multiple feature selection algorithms with attack classification algorithms to achieve maximum classification accuracy on the most compact feature subset. Research on the ontology model in wireless network environments likewise comprises model research and related algorithm research. In the model research, taking mobile ad hoc networks as the main object of study, the dissertation analyses their security characteristics, draws on the experience gained with the wired-network ontology, and proposes an ontology model for wireless network environments; relying on a real Internet of Things environment built in the laboratory, it instantiates the nodes, sensors, configurations and other entities of that environment. In the related algorithm research, an anomaly detection algorithm is proposed for the black hole attack specific to such networks. In the research on the unified ontology model, the wired-network and wireless-network ontology models are combined using a multi-level ontology modelling method, and a unified three-level security ontology model is proposed that can be used by heterogeneous distributed intrusion detection systems in heterogeneous environments; parts of the top-level ontology structure of the wired and wireless models are adjusted and certain concepts are merged. This model lets intrusion detection systems reuse security elements, share security states and understand inference results, so that they can work cooperatively.

【Abstract】 With the rapid development of network applications, original and simple attack patterns have become multi-step and complex attack patterns. Moreover, a large number of heterogeneous distributed intrusion detection systems are deployed in heterogeneous networks. They have different detection principles, different deployment schemes and different detection performance. It is so hard for these distributed intrusion detection systems to work together that they are unable to comprehensively protect the Global Information Infrastructure. How to integrate heterogeneous intrusion detection systems in heterogeneous networks and how to make them work together have been hot issues.

A cooperative ontology model for distributed intrusion detection systems is proposed in this paper. In this model, entities in the real scenario are instantiated into instances in the ontology. Threat states of the system are inferred by analyzing details of instances. Consequence states of the system are inferred from current threat states and attacks in real time. With the advantage of ontology, heterogeneous intrusion detection systems can share knowledge and security state, and they can understand each other. They can work together by inferring attacks and try to prevent transregional large-scale security incidents.

This model is a unified three-level information security ontology model. The model contains three levels: global level, domain level and local level. In the global level there is a single ontology, which represents the common semantic model of all information. The global level only offers concept interfaces of the different domain ontologies and brief descriptions of their relationships; it does not involve concrete domain knowledge. This paper focuses on the domain level. Domain ontologies are created from domain knowledge and inherit the global ontology structure. Ontologies in the domain level are fused from the ontology model in the wired network and the ontology model in the wireless network.

The ontology model in the wired network includes two parts: model research and related algorithm research. In the model research, a series of methods of creating, instantiating and inferring the ontology model are proposed. Different entities in the real scenario are mapped into ontologies in the model, and all details of the real scenario are described. On this basis, a new threat state is proposed. Some important details are correlated with threat states; this process is achieved by the method of inferring by rules. Consequence states are inferred from attacks in real time and the current threat state of the system. A consequence state can be the next threat state. The old implicit causal relationships between attacks are transformed into new inferred causal relationships between attacks and security states. A new mis-configuration vulnerability inference method is also proposed. Configuration entities are described by the ontology and configuration instances are correlated with other instances. Their important details are correlated with mis-configuration vulnerability instances; this process is achieved by the method of inferring by rules. In addition, a new concrete system framework and workflow are also proposed. In the related algorithm research, three related algorithms are proposed according to the demands of the system framework. They are, respectively, a parallel anomaly detection algorithm based on hierarchical clustering, a hybrid intrusion detection system based on hierarchical clustering and decision trees, and an intrusion classifier based on multiple feature selection. The first algorithm is a parallel anomaly detection algorithm running on a multicore system. The second algorithm is a light hybrid intrusion detection system. The first two types of intrusion detection algorithms have the following characteristics: hybrid, light and parallel. The third algorithm combines different feature selection algorithms with attack classification algorithms. The ultimate goal is to achieve the maximum classification accuracy on the optimal subset.

The ontology model in the wireless network includes two parts: model research and related algorithm research. In the model research, the mobile Ad Hoc network, as our major research object, is mapped into the ontology by the methods of the wired network. Our Internet of Things platform, as the real scenario, is instantiated. In the related algorithm research, an anomaly detection algorithm against the black hole attack is proposed.

  • 【Online publication contributor】 吉林大学 (Jilin University)
  • 【Online publication year and issue】 2014, issue 04