【作者】 曹传林；

【导师】 李永忠；

【作者基本信息】 江苏科技大学 ， 计算机软件与理论， 2011， 硕士

【摘要】 随着计算机网络的结构日趋复杂、规模快速增长,非法入侵不断增多。传统的被动安全防御技术已明显不能满足需要。入侵检测技术作为新一代的安全防御措施,构建了主动的信息安全保障,有效地弥补了传统安全防御技术的不足。协议分析技术充分利用网络协议探测攻击的存在,大大减少检测过程的计算量,并提高了检测的准确率。但协议分析是基于误用的入侵检测技术,无法检测未知攻击。人工免疫系统保护机体免受各种侵害的机理与入侵检测系统有着天然的相似之处,而它所具有的自适应性、健壮性、分布性等特性正是计算机安全系统所不具有的。因此,基于免疫原理的入侵检测技术研究正成为近几年入侵检测领域研究的热点。本文将免疫原理与协议分析技术相结合,提出了一种改进的基于协议分析和免疫原理的入侵检测模型,详细设计了数据捕获模块、协议分析模块、检测模块和响应模块。在检测器生成方面,提出了一种改进的否定选择算法,可以消除相互匹配的检测器存在,同时提高未知入侵的检测能力。对免疫算法中抗体的组成结构进行了改进,除了网络数据的基本特征之外,还考虑了基于时间的统计型特征,以便更好地反映攻击数据包之间的内在联系。在检测器编码方面,考虑到正常行为与异常行为之间界限的模糊性,提出了利用模糊概念的编码方案,极大程度的缩小了检测器编码的长度。选用DARPA 1999入侵检测评估计划提供的数据集进行仿真实验。其中,选取第一周的数据集为训练数据,通过训练生成一定数目的成熟检测器;选取第五周的数据用作测试数据,其中包括若干探测攻击和拒绝服务攻击。实验结果表明:本文所提模型和方法在低误报率的前提下具有良好的检测率。更多还原

【Abstract】 With the increasing complexity of network structure and rapid growth of network scale, the illegal invasion has been increasing continuously. The traditional passive defence technology cannot maintain the network security effectively. As a new type of security defence technique, intrusion detection system constructs the active information security defence, makes up for the deficiency of traditional passive defence technology effectively.The protocol analysis method takes good advantage of the regularity of network protocol to detect attack, so the calculation amount can be reduced greatly and the accuracy of detection can be improved. But the protocol analysis method is based on misuse intrusion detection technique, it cannot detect the unkonwn attack. Artificial immune system protects themselves as is very similar with the intrusion detection system. It has adaptability, robust, distribution and so on characteristics which are our present computer security system doesn’t have. Therefore, intrusion detection technology based on immune principles is one of the hot research areas in intrusion detection in recent years.Immune principle and protocol analysis are combined in this thesis. An improved intrusion detection modul based on immune principle and protocol analysis is proposed. Collecting data module, protocol analysis module, detection module and response module are designed in detail. An improved negative selection algorithm is presented to remove the matched detector and enhance the capability for unknown invasion detection. The structure of antibodg in the immune algorithm is improved. In addition to the basic characteristics of network data, statistical characteristics of time-based are also considered to better reflect the internal evidence between attack packet. For detector coding, considering the fuzzy bourn of normal behavior and abnormal behavior, a coding scheme based on fuzzy concept is put forward, through this coding scheme, the code length of detector could be reduced.We use the data set supplied by DARPA 1999 Intrusion Detection Evaluation Plan as the network flow samples. The data of 1st week is choosed as the training data, generated a number of mature detectors by training, and the data of 5ve week which includes some DOS and Probing attacks will be detected by this intrusion detection system model. The result of the experiment indicates that this model and method have the well detection rate with low false positive rate.更多还原