Research on the Application of Data Mining to Intrusion Detection

【Author】 钱昱

【Supervisor】 郑诚

【Author information】 安徽大学 (Anhui University), Computer Application Technology, 2004, Master's thesis

【Abstract (translated from Chinese)】 As an active information-security safeguard, intrusion detection effectively compensates for the shortcomings of traditional protective technologies. By building a dynamic security cycle, a system's assurance capability can be raised as far as possible and the damage that security threats inflict on it reduced.

Intrusion detection technology essentially reduces to the processing of security audit data. However, the growing complexity of operating systems and the explosive growth of network traffic have caused security audit data to grow at an equally alarming rate. Using data mining techniques to extract from audit data feature models that support judgement and comparison has become a hot topic in intrusion detection research, with major theoretical significance and practical value.

This thesis studies the application of data mining to intrusion detection. The introduction in Chapter 1 surveys data mining techniques and intrusion detection systems, then outlines the research content of each chapter and explains the rationale and significance of the topic. Chapter 2 introduces data mining and related issues, including the data mining process, methods, classification and applications. Chapter 3 covers intrusion detection and related issues, including system modules, classification, intrusion detection techniques and the current state of research. Together these chapters lay the foundation for the deeper discussion in the chapters that follow.

Chapter 4 studies the application of Markov chains to anomaly detection. The method can recognise anomalous system behaviour even when the user lacks domain knowledge of network security, which is of great significance for practical use. Experimental results are given for both single-step and multi-step Markov chains, demonstrating the feasibility of applying them to anomaly detection.

Chapter 5 concentrates on the application of association rules to intrusion detection. It first studies the various practical association-rule algorithms and their improved variants. Then, to address the problem that applying association-rule algorithms to an intrusion detection system raises the detection rate but also raises the false-positive rate, the thesis gives a detailed description of a weighted association-rule algorithm and applies it to intrusion detection.

Chapter 6 covers the application of sequential patterns to anomaly detection. It first reviews the state of related research at home and abroad, then presents the AprioriAll and AprioriSome algorithms and compares their respective strengths and weaknesses. Finally, experimental results of applying the algorithm to anomaly detection are given, demonstrating the feasibility of the method.

Chapter 7 summarises the thesis and looks ahead to future work.

The main contributions of the thesis are:

(1) Markov chains: an in-depth study of Markov models for detecting anomalous behaviour when security domain knowledge is lacking, with experiments demonstrating their feasibility for anomaly detection.

(2) Association rules: using the data that DARPA provided in 1998, the thesis mines the rule patterns of normal user behaviour and uses them to detect anomalous behaviour; experiments demonstrate the feasibility of this approach. To address the problem that applying association-rule algorithms to an intrusion detection system raises the detection rate but also raises the false-positive rate, the thesis applies a weighted association-rule algorithm to the intrusion detection system. This method raises the detection rate to some extent, limits the generation of uninteresting rules, and lowers the false-positive rate. Experiments demonstrate the feasibility of the method.

(3) Sequential patterns: the thesis gives an anomaly detection method based on sequential-pattern mining. The method is very effective on connection session records and on Unix-based hosts; experiments on 9 Unix users demonstrate its feasibility.

【Abstract (author's English version)】 As a kind of active measure of information assurance, intrusion detection acts as an effective complement to traditional protection techniques. The dynamic security circle, including policy, protection, detection and response, can greatly improve the assurance ability of information systems and reduce the extent of security threats. In fact, intrusion detection technology can be regarded as the analysis process of the network's audit data. With the development of operating systems and network technology, the network's audit data has increased sharply, so intrusion detection needs efficacious technology to deal with audit data. In current research, data mining technology is used to draw characteristic models from a tremendous amount of audit data, and its application has become one of the most important research topics in intrusion detection.

The paper studies the application of data mining to intrusion detection systems. The first chapter summarizes data mining technologies and intrusion detection systems, then outlines the main content of the later chapters and illustrates the foundation and significance of the thesis. The second and third chapters introduce data mining and related problems, including the process, methods, classification and applications of data mining, and introduce intrusion detection systems, covering the system model, classification and related technology. These two chapters are the foundation for the further research of the later chapters.

The fourth chapter studies the application of Markov chains to anomaly detection. The method can identify anomalous behaviour under the condition that the users possess little knowledge of network security, which gives it great practical significance. The chapter gives the experimental results of the single-step Markov and multi-step Markov chains, and the experiment shows the feasibility of the method.

The fifth chapter intensively introduces the application of association rules to intrusion detection. At first, a variety of applied algorithms and improved algorithms are studied. Subsequently, the paper gives a weighted association rules algorithm in order to solve the problem that applying association rules to the detection system improves the detection rate but also increases the false positive rate. The method can to some extent improve the detection rate of the intrusion detection system, confine the production of uninteresting rules, and decrease the false positive rate. Finally, the feasibility of the method is proved through experiment.

The sixth chapter studies the application of sequence models to anomaly detection. To begin with, it summarizes present research inside and outside our country. Subsequently, it describes the AprioriAll and AprioriSome algorithms and indicates the differences between the two algorithms and their advantages and disadvantages. At last, the paper shows the experimental results and proves the feasibility of the method.

The seventh chapter summarizes the whole paper and gives a prospect for our research.

Main works of the paper:

(1) In terms of the application of Markov chains, the Markov chain model used for anomaly detection is deeply discussed. The experiments indicate that the model can detect anomalous system behaviour under the condition of poor system security knowledge.

(2) In terms of association rules, according to the normal behaviour models mined from the DARPA 1998 training data, the experiments indicate that the method can detect anomalous user behaviour. Subsequently, a weighted association rules algorithm is given in order to solve the problem that applying association rules to the detection system improves the detection rate but increases the false positive rate. The method can to some extent improve the detection rate of the intrusion detection system, confine the production of uninteresting rules, and decrease false
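The single-step and multi-step Markov-chain anomaly detection that Chapter 4 describes, as an added example that is not code from the thesis: an order-k chain learns transition probabilities from a user's normal command sessions, scores a new session by its average per-transition surprise, and flags sessions whose score exceeds a threshold calibrated on the normal data. The sessions, the add-one smoothing and the mean-plus-3-std threshold rule are assumptions of this example, not choices the thesis states.

```python
# Added example (not the thesis's own code); all sessions below are constructed.
from collections import Counter, defaultdict
from math import log
from statistics import mean, pstdev
class MarkovAnomalyDetector:
    """Order-k Markov chain P(next | previous k events) with add-one smoothing."""
    def __init__(self, order=1, alpha=1.0):
        self.order, self.alpha = order, alpha
        self.counts = defaultdict(Counter)  # context tuple -> Counter of next events
        self.vocab = set()

    def fit(self, sequences):
        for seq in sequences:
            self.vocab.update(seq)
            padded = ("<s>",) * self.order + tuple(seq)
            for i in range(self.order, len(padded)):
                self.counts[padded[i - self.order:i]][padded[i]] += 1
        return self

    def transition_prob(self, ctx, event):
        nxt = self.counts.get(tuple(ctx), Counter())
        # the +1 in the denominator reserves probability mass for never-seen events
        return (nxt[event] + self.alpha) / (sum(nxt.values()) + self.alpha * (len(self.vocab) + 1))

    def score(self, seq):
        """Mean negative log-likelihood per transition: higher means more anomalous."""
        padded = ("<s>",) * self.order + tuple(seq)
        nll = -sum(log(self.transition_prob(padded[i - self.order:i], padded[i]))
                   for i in range(self.order, len(padded)))
        return nll / (len(padded) - self.order)

def threshold_from_normal(detector, normal_sequences, k=3.0):
    """Assumed calibration rule: mean + k * std of the scores of known-normal sessions."""
    scores = [detector.score(s) for s in normal_sequences]
    return mean(scores) + k * pstdev(scores)

# Constructed audit trail of one user: command events from login to logout.
NORMAL_SESSIONS = [
    ["login", "ls", "cd", "ls", "vi", "gcc", "logout"],
    ["login", "cd", "ls", "vi", "gcc", "gcc", "logout"],
    ["login", "ls", "vi", "gcc", "ls", "logout"],
    ["login", "cd", "vi", "gcc", "logout"],
]
TEST_NORMAL = ["login", "ls", "cd", "vi", "gcc", "logout"]
TEST_ANOMALOUS = ["login", "ps", "kill", "ps", "kill", "logout"]  # commands never seen in training

def classify(seq, order=1):
    # Returns (score, threshold, flagged) for one session under an order-k model.
    det = MarkovAnomalyDetector(order).fit(NORMAL_SESSIONS)
    thr = threshold_from_normal(det, NORMAL_SESSIONS)
    return det.score(seq), thr, det.score(seq) > thr
```

classify(TEST_ANOMALOUS, 1) flags the unseen ps/kill session while classify(TEST_NORMAL, 1) does not. With only four training sessions the order-2 contexts are so sparse that the multi-step model also flags the held-out normal session, which is the data-hunger trade-off between single-step and multi-step chains.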

  • 【Online publication contributor】 安徽大学
  • 【Online publication year/issue】 2004, issue 03
  • 【Classification number】 TP393.08
  • 【Download count】 271