

A Model of Distributed Intrusion Detection Based on Association Analysis

【Author】 顾恩超

【Advisor】 孙伟平

【Author information】 华中科技大学 (Huazhong University of Science and Technology), Computer System Architecture, 2007, Master's thesis

【Abstract (translated from the Chinese original)】 With the rapid growth of the Internet, network security problems have become increasingly prominent. Because network intrusion techniques are so varied, traditional firewall technology alone is not sufficient to secure an entire network, so intrusion detection has attracted growing attention and has become an important research area in computer security. Traditional intrusion detection systems have played an important role in protecting small and medium-sized networks, but with growing bandwidth and more complex attack techniques they face new challenges in scalability and detection efficiency. Making full use of the characteristics of distributed technology, this thesis proposes a new distributed intrusion detection model that effectively solves the serious packet-loss and single-point-of-failure problems of traditional models, and uses association analysis to mine new rules from the log database so that the rule base is updated automatically. Through an analysis of the key techniques of intrusion detection and data mining, it describes how intrusion detection systems are classified and the characteristics of the various detection models, and points out the advantages of the distributed model; it describes several data mining methods and their applications in intrusion detection systems. Introducing association analysis from data mining into intrusion detection, it proposes a distributed intrusion detection model based on association analysis and designs and implements the system in a modular, layered way. The model has two layers, deployed on different hosts: the front-end layer consists of mobile detection nodes responsible for independent intrusion detection, and the back-end layer is a centralized control host responsible for association analysis of the data. The front-end detection nodes include both a host-based anomaly detection model and a network-based misuse detection model; the number of nodes deployed is matched to the size of the network, giving great flexibility, and the nodes cooperate with one another to discover distributed intrusions. The back-end centralized control host discovers new intrusion behaviour and new rules by association analysis of the log database. Experimental analysis shows that the proposed model is highly scalable, lowers both the false alarm rate and the missed alarm rate, and has practical value.

【Abstract】 With the rapid development of the Internet, network security has become more and more important. Because network intrusion techniques are diverse, traditional firewall technology is not enough to protect the entire network security system; intrusion detection technology has emerged to fill this gap and has become a very important research area in computer security. Although traditional intrusion detection systems play an important role in small and medium-scale networks, they face new challenges in scalability and detection efficiency as network bandwidth grows and attack methods become more complex. Taking advantage of distributed technology, a new distributed intrusion detection model is proposed that effectively solves the packet-loss and single-point-of-failure problems of the traditional model; it uses association analysis to mine new rules from the log database, so that the rule database is updated automatically. After analysing the key techniques of intrusion detection and data mining, the thesis explains how intrusion detection systems are classified and the characteristics of each model, and points out the advantages of the distributed detection model; it also describes several data mining methods and their applications in intrusion detection systems. By introducing association analysis from data mining into intrusion detection, a distributed intrusion detection model based on association analysis is proposed; the model is designed hierarchically and modularly. The model is divided into two layers: a front-end layer of nodes for independent detection, and a back-end layer of centralized control for data association analysis. A front-end node has not only a host-based anomaly detection model but also a network-based misuse detection model.
These nodes are flexible; they cooperate with one another to discover distributed intrusions, while the back-end is used to find new rules and intrusions in the log database. Experimental results show that the proposed model has good scalability and effectively decreases both the false alarm rate and the missed alarm rate.
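The abstract describes the back-end's job only in outline: collect the alerts that front-end nodes write to the log database, run association analysis over them, and add the rules it finds to the rule base. The following added example (written for this page, not code from the thesis or its author) shows the smallest version of that pipeline: alerts from network-based and host-based nodes are grouped per source address into time windows, a level-wise Apriori pass finds frequent alert combinations, and rules above a confidence threshold are merged into a rule database. The log schema (timestamp, node, source, signature), the 300-second window, the 0.3 support and 0.7 confidence thresholds, and the sample alerts are all assumptions made for the illustration; the thesis itself does not specify them.

```python
from itertools import combinations

# Constructed sample log (not from the thesis): alerts forwarded by front-end
# detection nodes to the back-end, as (timestamp_s, node, source_ip, signature).
# Node names starting with "net" are network-based misuse detectors, names
# starting with "host" are host-based anomaly detectors.
SAMPLE_LOG = [
    (0,    "net-1",  "10.0.0.5", "port_scan"),
    (30,   "host-2", "10.0.0.5", "failed_login"),
    (60,   "host-2", "10.0.0.5", "new_user"),
    (400,  "net-1",  "10.0.0.7", "port_scan"),
    (420,  "host-3", "10.0.0.7", "failed_login"),
    (450,  "host-3", "10.0.0.7", "new_user"),
    (900,  "net-1",  "10.0.0.8", "port_scan"),
    (930,  "host-2", "10.0.0.8", "failed_login"),
    (1300, "net-2",  "10.0.0.9", "dns_anomaly"),
    (1330, "host-3", "10.0.0.9", "failed_login"),
    (1700, "net-1",  "10.0.0.5", "port_scan"),
    (2100, "host-2", "10.0.0.6", "failed_login"),
]

WINDOW_SECONDS = 300  # assumed correlation window


def build_transactions(log, window=WINDOW_SECONDS):
    """One transaction per (source address, time window); items are 'kind:signature'.

    Grouping by source across nodes is what lets a network-side alert and a
    host-side alert from different machines end up in the same itemset."""
    sessions = {}
    for ts, node, src, sig in sorted(log):
        kind = node.split("-")[0]          # "net" or "host"
        sessions.setdefault((src, ts // window), set()).add(f"{kind}:{sig}")
    return list(sessions.values())


def apriori(transactions, min_support):
    """Level-wise Apriori; returns {frozenset(items): occurrence count}."""
    n = len(transactions)

    def count(itemset):
        return sum(1 for t in transactions if itemset <= t)

    candidates = [frozenset([i]) for i in sorted({i for t in transactions for i in t})]
    frequent, k = {}, 1
    while candidates:
        level = {c: count(c) for c in candidates}
        level = {c: s for c, s in level.items() if s / n >= min_support}
        frequent.update(level)
        # Join frequent k-itemsets into (k+1)-candidates; keep only those whose
        # every k-subset is frequent (anti-monotonicity prune).
        nxt = set()
        for a, b in combinations(sorted(level, key=sorted), 2):
            u = a | b
            if len(u) == k + 1 and all(frozenset(s) in level for s in combinations(u, k)):
                nxt.add(u)
        candidates = sorted(nxt, key=sorted)
        k += 1
    return frequent


def mine_rules(frequent, n_transactions, min_confidence):
    """Derive rules lhs -> rhs from frequent itemsets; returns (lhs, rhs, support, confidence)."""
    rules = []
    for itemset, cnt in frequent.items():
        if len(itemset) < 2:
            continue
        for r in range(1, len(itemset)):
            for lhs in combinations(sorted(itemset), r):
                lhs = frozenset(lhs)
                rhs = itemset - lhs
                confidence = cnt / frequent[lhs]   # every subset of a frequent set is recorded
                if confidence >= min_confidence:
                    rules.append((lhs, rhs, cnt / n_transactions, confidence))
    return rules


def update_rule_db(rule_db, mined_rules):
    """Merge newly mined rules into the rule base; returns the keys that were new."""
    added = []
    for lhs, rhs, support, confidence in mined_rules:
        key = (lhs, rhs)
        if key not in rule_db:
            rule_db[key] = {"support": support, "confidence": confidence}
            added.append(key)
    return added


if __name__ == "__main__":
    tx = build_transactions(SAMPLE_LOG)
    rules = mine_rules(apriori(tx, 0.3), len(tx), 0.7)
    db = {}
    for lhs, rhs in update_rule_db(db, rules):
        print(sorted(lhs), "->", sorted(rhs), db[(lhs, rhs)])
```

On the sample above, the mined rule `net:port_scan -> host:failed_login` (support 0.5, confidence 0.75) is exactly the kind of cross-node pattern the abstract has the back-end discover: no single front-end node sees both alerts, but the centralized log does. The thresholds matter in practice, since a low support admits coincidental pairings and a low confidence inflates the false alarm rate the thesis is trying to reduce; a mined rule should be reviewed before it is promoted into the detection rule base.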


