
Design and Implementation of a Mobile-Agent-Based Adaptive Distributed Intrusion Detection System (translated from the Chinese title: 一种基于移动代理的自适应的分布式入侵检测系统的架构与实施)

Design and Implement for a Mobile Agent Based Adaptive Distributed Intrusion Detection System

【Author】 Wang Jin (王晋)

【Advisor】 Feng Dengguo (冯登国)

【Author information】 Graduate University of the Chinese Academy of Sciences (Institute of Software), Computer Application Technology, 2005, PhD

【Abstract (translated from Chinese)】 With the rapid development of network technology, network security problems have become increasingly prominent. Insufficient processing capacity in network intrusion detection systems leads to missed intrusions (false negatives) and false alarms (false positives); raising the detection speed and detection accuracy of intrusion detection systems is therefore a key problem that urgently needs to be solved. This dissertation studies how to improve the processing capacity of intrusion detection systems and obtains results in particular on the optimization of their performance. Detection speed and detection accuracy are two important metrics of intrusion detection, and relying solely on improvements to the analysis algorithms does not fully succeed in raising both. To address this, we propose MAAIDS, a mobile-agent-based adaptive distributed intrusion detection system. MAAIDS is a distributed network intrusion detection system that optimizes itself automatically; it consists of mobile agents serving as optimization components together with multiple analysis nodes and sensor nodes. The optimization components of MAAIDS evaluate the system's performance, formulate corresponding optimization strategies, keep the detection speed and detection accuracy of the analysis components stable within an acceptable range, and make the most of the processing capacity of the whole system.

This dissertation proposes the optimization mechanism of MAAIDS, which comprises three parts: an optimization decision mechanism, an optimization plan generation mechanism, and an optimization plan evaluation mechanism. The optimization decision mechanism analyzes the performance of the object to be optimized and decides whether optimization is needed; the optimization plan generation mechanism covers every step in the design of an optimization plan; and the optimization plan evaluation mechanism assesses the effect of a plan, performs a feasibility analysis of the generated plan, and confirms whether its expected effect meets the threshold for execution.

An optimization plan consists of two parts, a packet distribution plan and a detection algorithm switching plan; based on the characteristics of intrusion detection, this dissertation proposes the packet distribution mechanism and the detection algorithm switching mechanism of MAAIDS. The packet distribution mechanism is responsible for delivering packets to appropriate data analysis components and is carried out through the packet distribution rules proposed here. At the same time, a data classification mechanism classifies packets by their characteristics and, combined with the packet distribution rules, infers new rules so that packet distribution adapts to changes in the traffic. The detection algorithm switching mechanism decides on real-time replacement of detection algorithms according to the switching rules and the switcher designed in this dissertation.

Once optimization plans have been designed, the best plan must be selected from many candidates for implementation. Taking the practical situation of intrusion detection into account, this dissertation uses genetic theory to select among optimization plans. Genetic theory

【Abstract】 With the development of network technology and its applications, network security becomes increasingly important. Network-based intrusion detection systems need to deal with so much data that false positives and false negatives often occur. Research on improving the performance of intrusion detection systems is therefore not only challenging but also very important. In this paper, the mechanisms, methods and countermeasures for improving intrusion detection system performance are discussed. Several improvements to intrusion detection systems are then given, which reduce the false positive rate and the false negative rate and increase detection speed.

Previous research has mostly focused on new detection algorithms rather than on the optimization of existing ones. MAAIDS, an acronym for mobile agent based adaptive distributed intrusion detection system, is proposed to enhance intrusion detection system performance. We explain the design and implementation of agents which operate based on their (possibly imperfect) beliefs about the current status of the network and use their plans and capabilities to cope with real-world intrusion detection and automated response problems. MAAIDS can optimize itself by means of a mobile agent named the Improvement Agent. The Improvement Agent roves between hosts and evaluates the performance of the Data Analysis Agent on the host where it currently resides. According to this evaluation, the Improvement Agent makes an optimization plan to make the most of the capacity of that Data Analysis Agent. Compared to traditional distributed intrusion detection systems, MAAIDS is a more adaptive and efficient system.

To make the system adaptive, an optimization mechanism is proposed here. It includes three parts: an optimization judgement mechanism, an optimization plan creation mechanism and an optimization plan evaluation mechanism. Through these three procedures an optimization plan is produced. The optimization plan includes a data packet distribution plan and a detection algorithm switch plan. The data packet distribution plan ensures that most packets are sent to the analysis components that can process them most efficiently. The detection algorithm switch plan is responsible for making analysis components choose suitable detection algorithms most of the time. From the candidate optimization plans, the best plan to execute is chosen by a genetic algorithm.

Here the components of MAAIDS are investigated in terms of agents. Component structures and intelligent attributes are defined. We also set up a communication protocol and model between components so that components can interact with each other while MAAIDS is working. Through these interactions, MAAIDS becomes a more intelligent intrusion detection system.
