Node Document
基于数据挖掘的分布式网络入侵协同检测系统研究及实现
The Research and Realization of Distributed Network Intrusion Cooperation Detection System Based on Data Mining
【Author】 Fu Tao;
【Supervisor】 Sun Yamin;
【Author's basic information】 Nanjing University of Science and Technology, Computer Networks, 2008, PhD
【Abstract (translated from the Chinese)】 With the continual change and diversification of network intrusion forms, traditional network security technologies and devices can no longer adequately resist network attacks. For example, the commercial distributed intrusion detection systems currently on the market basically use matching techniques based on rules for known intrusion behaviour: the detection engines are distributed across the networks or hosts to be monitored and perform intrusion detection independently, while the central management and control platform of the intrusion detection system is responsible only for platform configuration, detection engine management and displaying the detection results of each engine, with no cooperative analysis of the detection data from the engines. At the same time, the network intrusion detection system, the firewall and the anti-virus software each fight alone, so it is difficult to judge complex attack behaviour correctly. Anomaly intrusion detection decides whether an intrusion exists from user behaviour or resource usage; it is highly general, but its false-alarm rate is too high. Misuse detection uses known attack methods and predefined intrusion patterns, detecting attacks by judging whether those patterns appear; its accuracy is high, but it depends too heavily on the system and its detection range is limited to known knowledge. Applying data mining technology to intrusion detection systems is an important direction of current intrusion detection research. The thesis discusses the main data-mining-based intrusion detection techniques and points out that combining several data mining methods, and coordinating data mining with traditional misuse detection and anomaly detection, is an important research direction. The thesis proposes an improved FP-Growth association analysis algorithm, an FCM network intrusion detection technique based on binned statistics, and a hybrid intrusion detection technique based on immunological principles. The improved FP-Growth algorithm introduces a singly linked "aggregation chain" structure in which each node keeps only a pointer to its parent node, saving tree space; this effectively solves the data mining speed problem and improves the execution efficiency of the intrusion detection system and the accuracy of its rule base. The FCM technique based on binned statistics does not need to update cluster centres frequently, and its time cost is also much improved; combining feature matching with the binning-based FCM algorithm discovers new attack types well and makes it easier to update the detection knowledge base. The hybrid technique based on immunological principles makes full use of the complex information-processing abilities that the immune system exhibits, such as recognition, learning, memory, diversity, self-adaptation, fault tolerance and distributed detection, and has good application prospects. The thesis analyses the main problems of network intrusion detection technology in detection performance, system robustness and adaptability, and discusses its development trends. In view of the current situation, in which commercial intrusion detection systems almost entirely lack cooperative analysis, rule updates lag behind, and detection techniques fail to keep pace with changing intrusion methods, a model of a distributed network intrusion cooperative detection system based on data mining (hereinafter the "cooperative detection system") is proposed. The model realises the structural, functional, action and processing cooperation of the intrusion detection system through three aspects, data collection cooperation, data analysis cooperation and system response cooperation, and effectively strengthens the detection capability of the intrusion detection system. The thesis discusses in detail the detection engine design, communication module design and system cooperation design of the cooperative detection system. The detection engine is the core of the system and covers network packet capture, data parsing and intrusion detection. Given the large data volume and strict real-time requirements of high-speed networks, where capturing packets with Libpcap easily causes packet loss and system paralysis, a new packet capture technique based on memory mapping and half-polling (NAPI) is proposed; it effectively reduces memory copies from the kernel to user space, avoids interrupt livelock under heavy load, and ensures the timeliness and accuracy of packet collection in high-speed networks. Data parsing first parses the link-layer header, the IP header, the transport-layer header and the application-layer protocol, and then pre-processes the data. On this basis, the improved FP-Growth algorithm is used to mine the network data; the detection sub-module interprets and evaluates the patterns extracted by the data mining module and sends the results to the feedback port. The communication module implements effective communication between the data collection parser and the data mining detector, between the detection engine and the alarm optimiser, and between the alarm optimiser and the central control platform, and the relevant functions are given. System cooperation design is the distinguishing feature of this system. The thesis scientifically gives the meaning, principles, methods and implementation process of data collection cooperation, data analysis cooperation and system response cooperation, covering data collection cooperation inside the intrusion detection system, cooperation between the intrusion detection system and the vulnerability scanning system, cooperation between the intrusion detection system and the anti-virus system, analysis cooperation among detection engines, analysis cooperation among different security systems, cooperation between the IDS and the anti-virus system, between the IDS and switches, and between the IDS and the firewall. Offline experiments and simulation experiments show that using the three proposed algorithms together effectively improves detection efficiency and reduces the false-positive and false-negative rates. The cooperative detection system developed in this thesis works stably in an Ethernet environment, detects intrusions promptly, records detailed attack information promptly and correctly, and has good network intrusion detection performance.
【Abstract】 With the changing and increasingly concealed forms of intrusion, traditional network security techniques and devices cannot prevent network intrusion. For instance, current commercial intrusion detection systems almost all adopt matching technology based on known intrusion rules. The engines sit on the networks or computers to be monitored and detect network intrusion independently. The central management and control platform of the IDS only takes charge of platform configuration, detection engine management and displaying the detection results of every detection engine; it lacks cooperative analysis of the detection data from the engines. IDS, firewall and anti-virus software work independently, so it is difficult to make the right judgement about complicated attacks. Anomaly intrusion detection technology determines whether there is an intrusion based on user behaviour or resource usage; it is more general, but its rate of mistaken detection is too high. Misuse detection uses known attacks and predefined intrusion models, detecting attacks by judging whether those models appear. This method has high accuracy, but the system is too dependent on them and the detection range is limited to known knowledge. The application of data mining in intrusion detection systems is an important direction of intrusion detection research. The thesis gives a detailed discussion of the main data-mining-based intrusion detection techniques, and presents as an important research trend the combination of several data mining methods and the use of data mining together with misuse detection and anomaly detection. The thesis presents an improved association analysis algorithm based on FP-Growth, an FCM network intrusion detection technique based on statistical binning, and an immunological hybrid intrusion detection technique. The improved FP-Growth algorithm introduces a kind of singly linked list named the aggregative chain: only the pointer to its parent is kept at each node, to save tree space. The algorithm increases the mining speed and improves the execution efficiency of the IDS and the accuracy of its rules. The FCM network intrusion detection technique based on statistical binning does not need to update the clustering centres frequently, and its time cost is much reduced. Combining feature matching with FCM based on statistical binning can find new intrusions and update the detection rules. The immune system exhibits many complicated information-processing abilities, such as identification, learning, memory, diversity, adaptability, fault tolerance and distributed detection; the immunological hybrid intrusion detection technique brings these abilities into full play and has great application prospects. The thesis analyses the main problems of network intrusion detection technology in detection performance, system robustness and adaptability, then discusses its trends. Current commercial intrusion detection systems do almost nothing in data analysis cooperation, rule updates lag, and the detection technology does not keep pace with changing intrusions. Given this status quo, a distributed network intrusion cooperation detection system model based on data mining (hereinafter referred to as the "cooperation detection system") is proposed. The model achieves cooperation of the intrusion detection system in structure, function, action and processing by using data collection cooperation, data analysis cooperation and system response cooperation, which strongly improves the detection capabilities of the intrusion detection system. The thesis gives a detailed discussion of the design of the detection engine, the communication module and the system cooperation design of the cooperation detection system. The detection engine, which covers packet capture, data analysis and intrusion detection, is the principal part of the system. Using Libpcap to capture packets may lead to packet loss and system collapse in high-speed networks, which carry large volumes of data and have real-time requirements. The new packet capture technique the thesis gives is based on memory mapping and NAPI. It effectively reduces memory copies from the system kernel to user space and avoids interrupt livelock under heavy load, ensuring real-time and accurate capture in high-speed networks. Data resolution first analyses the packet headers of the data-link layer, IP layer and transport layer and the application-layer protocol, and then pre-processes the data; on this basis the improved FP-Growth algorithm is used to mine the network data, the detection sub-module interprets and assesses the patterns mined by the data mining module, and the results are sent to the feedback port. The communication module gives the communication mode and related functions between the data acquisition parser and the data miner, between the detection engine and the alarm optimizer, and between the alarm optimizer and the centre control platform. System cooperation design is the characteristic of this system. The thesis gives the meaning, principle, method and implementation process of cooperation in most aspects, such as data collection cooperation within the intrusion detection system, cooperation between the intrusion detection system and the vulnerability scanner, between the IDS and the anti-virus system, between the IDS and switches, between the IDS and the firewall, and so on. Offline and simulation experiments show that the comprehensive application of the three algorithms can effectively improve detection efficiency and reduce the false-positive and false-negative rates. The cooperation detection system, which has good intrusion detection performance, can work stably in an Ethernet environment, detect intrusions and record the detailed information of attacks.
【Key words】 intrusion detection system; distribution; cooperation; data mining;