Research of Intrusion Detection Based on Chaos Synchronization and Relevance Vector Machine (RVM)

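【Author】 Gu Jinsheng (古劲声)

【Supervisor】 Jiang Lingge (蒋铃鸽)

【Author information】 Shanghai Jiao Tong University, Communication and Information Systems, 2010, Master's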

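【Summary】 Intrusion detection technology is an important research branch in the field of network information security. As Internet applications deepen and spread, network hackers appear frequently and attack methods keep multiplying, which has made network intrusion detection a focus of computer network security research and placed higher demands on researchers. As an active defense system, an intrusion detection system is an important complement to the firewall; it studies the behavior and characteristics of past intrusion signals in order to respond in real time to new intrusion events. This thesis brings two methods from other fields into intrusion detection, considerably improving both detection efficiency and accuracy.

In contrast to linear detection methods such as ARMA already used in current intrusion detection systems, this thesis introduces the idea of chaos synchronization from dynamics and examines network data from the perspective of nonlinear signal processing. For data modeling, a Gaussian mixture model (GMM) combined with the expectation maximization (EM) algorithm is used to model the network data stream and estimate the three parameter vectors of the GMM. The difference between the parameter vectors of the data stream under test and those of the normal data stream is used as the chaos synchronization control quantity of the Liu chaotic system; if the data stream under test contains an intrusion signal, the waveform oscillates, and the intrusion signal can be identified accurately as long as a suitable decision threshold is chosen. Finally, the system is simulated using the DARPA database of MIT Lincoln Laboratory, and the results show that, compared with the ARMA model, the proposed method has a higher detection rate and a lower false alarm rate for intrusion detection.

In contrast to nonlinear detection methods based on machine learning such as the support vector machine (SVM), this thesis introduces the relevance vector machine (RVM) algorithm, a method widely used in image recognition, to detect network signals. The "feature deletion" method is first used to rank the 42 features in the DARPA dataset and to select the important and unimportant features for each intrusion type; simulation experiments demonstrate that training and testing the RVM classifier on the important features alone effectively raises the classifier's detection rate, lowers its false alarm rate and reduces detection time. In simulations on the DARPA data, RVM achieves detection results close to those of SVM while its detection speed is much higher than SVM's, so higher detection efficiency is obtained. Analysis and comparison show that both methods introduced in this thesis, once applied to an intrusion detection system, improve detection performance to some degree over the original methods and can meet the standard for practical use.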

【Abstract】 Intrusion detection technology is an important research branch in the field of network information security. With the widespread use of the Internet, network hackers are increasingly frequent, which leads to an increasing number of attack methods. Network intrusion detection technology has become a hot topic in computer network security research, and researchers have to carry out more in-depth work. An Intrusion Detection System is an active defense system, and it can react in real time to new intrusion events, based on the behavior and features of earlier intrusion signals. An Intrusion Detection System is an important complement to firewalls. This paper presents two new intrusion detection algorithms, which greatly improve detection efficiency and detection accuracy.

Current intrusion detection systems based on the linear ARMA model have been used in many fields. A new detection method based on chaos synchronization is introduced in this paper. The network flow can be modeled by using GMM combined with the EM algorithm, and then the three parameter vectors can be estimated. The difference between the normal flow data and the data under detection is taken as the control measure for Liu chaos synchronization; when intrusion signals are present, the waveform oscillates, which is the feature of an intrusion. With a suitable threshold selected, the intrusion signals can be detected accurately. According to simulations based on the DARPA datasets of MIT Lincoln Lab and comparisons with an Intrusion Detection System (IDS) based on the autoregressive moving average (ARMA) model, the results show that the detection probabilities are higher and the false alarm rates are lower with the proposed method.

Compared with SVM (Support Vector Machine) non-linear detection methods, this paper introduces the RVM (Relevance Vector Machine) algorithm, which is based on probability theory, for network signal detection. First, I apply the "feature deduction" method to rate the 42 features in the DARPA dataset, and then select the important features and unimportant features according to different attack types, thus demonstrating that using only the important features in an IDS can effectively increase the detection rate and decrease the false alarm rate and detection time. In simulation, RVM achieves detection results similar to SVM, but the detection speed of RVM can be much higher, giving better detection efficiency.

According to the analysis and comparison, this paper proposes two new methods, chaos synchronization and RVM, for intrusion detection systems. The simulation results show that both methods have better detection results than existing methods and can meet basic practical criteria.

【Key words】 Intrusion detection; ARMA model; GMM model; EM algorithm; chaos synchronization; DARPA; SVM; RVM