
Research on Network Anomaly Intrusion Detection Based on an Extended D-S Evidence Fusion Algorithm

Research on Network Anomaly Intrusion Detector Based on Extended Dempster-Shafer Evidence Fusion Algorithm

【Author】 Zhao Peng

【Supervisor】 Zhang Huazhong

【Author information】 Shandong University, Computer Application Technology, 2008, Master's thesis

【Abstract (translated from the Chinese)】 The widespread use of computer networks and the frequent occurrence of hacker attacks have drawn growing attention to network security. Intrusion detection technology, as an important means of safeguarding computer and network security, has become a research focus in the network security field in recent years. As attack techniques grow more complex and networks grow in scale, network-based intrusion detection plays an ever larger role. A network intrusion detection system performs a series of tasks, including monitoring, early warning, identification, decision-making and response, fulfils important functions in the network confrontation process, and has become an essential component of network security systems engineering. At present, network anomaly intrusion detection remains both a focus and a difficulty of intrusion detection research, with problems such as an insufficient detection rate, incomplete detection coverage, and detection efficiency that cannot meet the requirements of real-time detection in large-scale, high-speed networks. In the field of unsupervised network anomaly intrusion detection, techniques based on D-S evidence theory have attracted many researchers at home and abroad, but most stop at applying classical D-S evidence theory to fuse network feature data. Network data, however, inevitably contain conflicts, and classical D-S evidence theory cannot produce reasonable results when fusing severely conflicting evidence, which leads to high false alarm and missed alarm rates in the detection system. Combining classical Dempster-Shafer evidence theory with the extended D-S evidence fusion theory proposed by Fabio et al., this thesis proposes an evidence fusion algorithm, EDS. The algorithm can fuse large amounts of severely conflicting evidence in real time and reach more reasonable conclusions; under a frame of discernment with two mutually exclusive targets, its time complexity is only O(n), giving it high fusion efficiency and making it applicable to real-time network detection. On this basis, the thesis applies the EDS fusion algorithm to network intrusion detection and, addressing the shortcomings of current network anomaly detection, proposes a real-time network anomaly intrusion detection model. After fusing severely conflicting network data the model obtains more reasonable results, thereby lowering its false alarm and missed alarm rates; its detection algorithm is also efficient, suitable for real-time detection in large-scale networks, and covers a wide detection range. The model belongs to the category of unsupervised network anomaly detection: it determines the basic probability assignment function from the deviation from the expected variance of statistical features, uses a significant-feature rough set classification mechanism to reduce the frequency of fusing severely conflicting data and so improve the accuracy of feature learning, and adopts a data distinction mechanism to reflect network traffic features in real time so as to raise the detection rate. Finally, experiments on the low-dimensional UCI WBCD dataset and the multi-dimensional KDD Cup 1999 dataset show that the model's detection engine, using only a limited number of data features, reaches a high detection rate with low algorithmic complexity and a low false alarm rate, has real-time detection capability and good scalability, and has some immunity to new types of attack.

【Abstract】 With the development of computer networks and the popularization of their applications, more attention has been paid to computer security problems. As an important tool for assuring computer and network security, intrusion detection technology has become a hot research topic in recent years. With the growing complexity of attacks and the growth of network scale, network-based intrusion detection plays an increasingly important role in detecting intrusions. A network intrusion detection system (NIDS), which performs a series of tasks including monitoring, early warning, identification, decision-making and response, fulfils the important functions of network confrontation and is an important component of network security systems engineering. At present, network anomaly intrusion detection is still an active and difficult field in intrusion detection research. However, it has not been widely used in practice because of several issues, including a low detection rate, a limited detection range and the inability to perform real-time intrusion detection in large, high-speed networks. Network anomaly intrusion detection based on Dempster-Shafer (D-S) evidence theory, a form of unsupervised network intrusion detection, has attracted many researchers, but most of their work stays within classical D-S evidence theory, which cannot fuse severely conflicting network data well and therefore yields a higher false alarm rate and a higher missed alarm rate. Based on classical D-S evidence theory and the extended D-S evidence fusion theory proposed by Fabio et al., this thesis presents a novel evidence fusion algorithm named EDS, which produces better fusions of severely conflicting data and so reaches more reasonable results. The time complexity of EDS is only O(n), so its short execution cycle makes it applicable to real-time detection. EDS is then incorporated into an NIDS, and a real-time NEDS model is built on it. The model reaches more reasonable conclusions for severely conflicting network data, reducing both the false alarm rate and the missed alarm rate; it also has a wide range of intrusion detection and can be adapted to real-time network detection. It is an unsupervised network anomaly detector that defines the basic probability assignment function from the deviation from the expected variance of statistical characteristics. In addition, a rough-set classification mechanism based on light-remarkable features is introduced to reduce the frequency of severely conflicting network data and to improve the accuracy of the feature learning process, and a self-adaptive mechanism based on data distinction is proposed to reflect the real status of network data flows. Finally, experiments with the low-dimensional UCI WBCD dataset and the multi-dimensional KDD Cup 1999 dataset show that the model's detection engine achieves a higher detection rate with several selected features while keeping computational complexity and the false alarm rate low. Furthermore, it can be applied to real-time detection and is immune to new pattern intrusions.

  • 【Online publisher】 Shandong University
  • 【Online publication issue】 2009, No. 01