
Research on Intrusion Detection Systems in High-Speed Network Environments

High-Speed Network Intrusion Detection Research

【Author】 Lin Longtao (林龙涛)

【Advisor】 Jia Xiaozhu (贾小珠)

【Author information】 Qingdao University, Computer Application Technology, 2007, Master's

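【Summary】 An intrusion detection system is a combination of software and hardware that discovers security risks by analyzing events occurring on a network or host. As network attack incidents have become frequent in recent years and their impact has widened, intrusion detection systems have received increasing attention and have become an important part of network security solutions. A network-based intrusion detection system uses network packets as its raw data source and analyzes communication on the network in real time. Compared with host-based intrusion detection, network-based intrusion detection has become the mainstream form of intrusion detection system. However, with the rapid growth of network bandwidth, network-based intrusion detection systems face many difficulties. This thesis designs a network intrusion detection system for high-speed network environments. Its new design overcomes the shortcomings of earlier systems in high-speed network environments and increases the speed of intrusion detection. The thesis applies stratified sampling theory to network intrusion detection; the system consists of two main parts, an anomaly detection module and a sampling module. The detection engine of the anomaly detection module uses an anomaly detection model based on outlier discovery and byte distribution detection: by computing statistics on the byte distribution in the payload field of network packets, it obtains a measure of how anomalous each packet is, and this measure serves as the stratification feature parameter in the sampling module. In the sampling module, valuable samples are drawn from the massive volume of packets on a high-speed network according to the stratified sampling parameters obtained. Detection performed on the samples reflects the characteristics of the whole population. After an overview of intrusion detection systems, the thesis focuses on the outlier discovery method and the byte distribution detection method in the anomaly detection module, and on the stratification strategy and the within-stratum sampling strategy in the sampling module. On this basis, a complete intrusion detection system prototype is designed and implemented, and the performance of the sampling algorithm and the anomaly detection algorithm is verified and analyzed using the DARPA 1999 IDS evaluation dataset developed by MIT Lincoln Laboratory. The experiments show that this method can effectively increase detection speed.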

【Abstract】 Intrusion detection systems (IDS) are combinations of software and hardware systems that automate the process of monitoring the events occurring in a computer system or network, analyzing them for signs of security problems. As network attacks have increased in number and severity over the past few years, intrusion detection systems have become a necessary addition to the security infrastructure of most organizations. Network-based intrusion detection systems (NIDS) use raw network packets as the data source and analyze all traffic in real time as it travels across the network. Currently, IDS work focuses on network-based IDS rather than host-based IDS. NIDS faces many difficulties with the rapid growth of network bandwidth. This paper designs a network intrusion detection system for high-speed networks. It implements some new designs to overcome the faults of past systems and detects attacks more accurately and efficiently. This paper applies the theory of stratified sampling to IDS; the system is divided into two parts: an Anomalous Intrusion Detection Module and a Sampling Module. The Anomalous Intrusion Detection Module adopts a detection model based on Outlier Analysis and a Character Distribution algorithm. It first computes the character distribution in network packet payloads, which yields an anomaly scale that serves as a parameter in the Sampling Module to guide stratification. The Sampling Module filters out the valuable samples from high-speed network packets according to the anomaly scale obtained earlier. The Intrusion Detection Module then examines the samples to reflect the characteristics of the whole. After an overview of intrusion detection systems, this paper mainly describes the Outlier Analysis and Character Distribution algorithms in the Anomalous Intrusion Detection Module, and the stratification strategy and within-stratum sampling method in the Sampling Module. Based on these, this paper designs and implements a real intrusion detection system. Tests on the DARPA 1999 IDS evaluation dataset show that the system can effectively increase detection speed.

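  • 【Online publication contributor】 Qingdao University
  • 【Online publication year/issue】 2008, Issue 01
  • 【Classification number】 TP393.08
  • 【Citation count】 6
  • 【Download count】 177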