

The Application and Research of Intrusion Detection Technique Based on Immune Algorithm and Fuzzy Theory

【Author】 宋建伟

【Supervisor】 裴振奎

【Author information】 中国石油大学 (China University of Petroleum), Computer Software and Theory, 2008, Master's thesis

【Abstract (translated from Chinese)】 Intrusion detection systems, as a key technology in network security, have begun to play a role in many different environments. Because the immune system and intrusion detection systems share many similarities, immunology-based intrusion detection is becoming a research hotspot in the field. Building on an overview of the key techniques in intrusion detection systems, this thesis introduces immune principles and the various immune algorithms applied to intrusion detection, analyses fuzzy theory, and summarises the key techniques and open problems of applying artificial immunity to intrusion detection. Current immune intrusion detection models have three weaknesses: the pure data set used to define the self set is very hard to obtain; traditional detection rules ignore the fuzzy boundary between self and non-self patterns when testing sample patterns; and the traditional negative selection algorithm has high computational complexity and low efficiency when generating detectors and matching. To address these, a new immune intrusion detection approach is proposed: an analysis model that combines immune methods with fuzzy knowledge. Before the data stream to be inspected enters the detectors, fuzzy c-means clustering is applied as a pre-processing step; the pure normal patterns obtained are used to train the detectors and are then filtered out, reducing the later matching work, while the data containing many anomalies passes on to the immune detection model in the next step. In that second step, the importance of fuzzy detection rules is discussed, their concrete representation is studied, and a method is proposed for evolving fuzzy detectors using the optimising search capability of immune algorithms. Finally, experiments show that, compared with traditional detection methods, the new model has a considerable advantage in obtaining pure training data, greatly reduces the total number of matching computations between detectors and network data, and thereby substantially lightens the system load; furthermore, the generated fuzzy detectors have a compact representation, cover more of the anomaly space with fewer patterns, and reduce the fragility of detection rules, giving good overall detection performance.

【Abstract】 The intrusion detection system, a pivotal technique in current network security, has been playing an important role in various fields. As is well known, the immune system is similar to the intrusion detection system in many aspects, so intrusion detection systems based on immunology have become a research hotspot. This thesis summarises the pivotal techniques in intrusion detection systems, researches immune theory and various immune algorithms, analyses fuzzy theory, and sums up the applications of immunology and their existing problems. Some problems cannot be ignored: it is very difficult to obtain the pure data sets needed to define self modes; traditional detection rules neglect the fuzzy boundary between normals and abnormals; and the traditional negative selection algorithm results in complex calculation and low efficiency when generating detectors and matching them against modes. Aiming at these flaws, a new intrusion detection mode is presented: an analysing mode based on immunology and fuzzy knowledge. Before the network data stream enters the detectors, the fuzzy c-means clustering technique is used to pre-treat the data and obtain the pure self modes with which to train the detectors; these are then discarded, which reduces the subsequent matching work. The next step uses immune detection modes to monitor the data sets, which include many abnormals. The importance of fuzzy detection rules is emphasised and their expression method is researched in depth, and it is proposed to use the good searching performance of the immune algorithm to generate fuzzy detectors. Finally, experiments prove that the presented detection method has a powerful advantage in obtaining pure training data and reduces the matching computation between detectors and data enormously, so the system load is eased greatly. The generated fuzzy rules express self and non-self very compactly: they can cover more abnormals with fewer detection modes, and the fuzzy rules greatly reduce the fragility of detectors. On all accounts, the presented method has a better detection effect.
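The two-stage pipeline the abstract describes, as an added example that is not code from the thesis: fuzzy c-means pre-filtering extracts a pure self set, and negative selection then keeps only detectors that match no self record. The 2-feature records, the grid of candidate detectors and the match radius are constructed assumptions; the thesis's fuzzy detector representation and immune-algorithm optimisation are not reproduced here.

```python
import math

# Constructed sample: normalised 2-feature records; most normal, a few anomalous.
NORMAL = [(0.20, 0.21), (0.18, 0.25), (0.22, 0.19), (0.25, 0.22),
          (0.19, 0.18), (0.21, 0.24), (0.23, 0.20), (0.17, 0.22)]
ABNORMAL = [(0.85, 0.90), (0.80, 0.88), (0.90, 0.95)]
RECORDS = NORMAL + ABNORMAL

def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])

def fuzzy_c_means(points, m=2.0, iters=30):
    """Two-cluster fuzzy c-means; returns (u, centres) with u[i][k] the membership
    of point i in cluster k. Seeded from the first point and the one farthest from it."""
    centres = [points[0], max(points, key=lambda p: dist(p, points[0]))]
    for _ in range(iters):
        u = []
        for p in points:
            d = [max(dist(p, ck), 1e-12) for ck in centres]  # avoid division by zero
            u.append([1.0 / sum((d[k] / d[j]) ** (2 / (m - 1)) for j in range(2))
                      for k in range(2)])
        centres = []
        for k in range(2):
            w = [row[k] ** m for row in u]
            centres.append(tuple(sum(w[i] * p[dim] for i, p in enumerate(points))
                                 / sum(w) for dim in range(2)))
    return u, centres

def prefilter(points, tau=0.9):
    """Stage 1: FCM yields a pure self set (membership >= tau in the dominant
    cluster) for training detectors, and a suspicious set for the immune stage."""
    u, _ = fuzzy_c_means(points)
    normal_k = max(range(2), key=lambda k: sum(row[k] for row in u))
    self_set = [p for p, row in zip(points, u) if row[normal_k] >= tau]
    suspicious = [p for p, row in zip(points, u) if row[normal_k] < tau]
    return self_set, suspicious

def negative_selection(self_set, r=0.2, step=0.1):
    """Stage 2: keep only candidate detectors (a grid over [0,1]^2 here) that
    match no self record within radius r, so they cover non-self space only."""
    grid = [(i * step, j * step) for i in range(11) for j in range(11)]
    return [g for g in grid if all(dist(g, s) > r for s in self_set)]

def detect(detectors, records, r=0.2):
    """Flag every record lying within radius r of some detector."""
    return [p for p in records if any(dist(p, d) <= r for d in detectors)]

def run_pipeline(records=RECORDS):
    self_set, suspicious = prefilter(records)
    return self_set, suspicious, detect(negative_selection(self_set), suspicious)
```

Only the suspicious records reach the detector matching stage, which is the reduction in matching work the abstract claims; a held-out normal record is not flagged because negative selection removed every detector near the self set.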
