Research on Intrusion Detection Models and Methods Based on Clustering
(original Chinese title: 基于聚类的入侵检测模型及算法研究, literally "Research on Intrusion Detection Models and Algorithms Based on Clustering")
【Author】 Hou Hanyu (侯瀚雨)
【Author information】 Hunan University (湖南大学), Software Engineering, 2010, Master's thesis
【Abstract】 With the rapid development of network technology and the ever-widening scope of network applications, attacks on and damage to networks grow day by day. As network security problems become more pressing, discovering intrusions quickly and effectively is essential to protecting systems and network resources. Traditional static defences such as firewalls and data encryption can no longer meet network security needs on their own. Intrusion detection, by contrast, is an active protection technology and an important component of an information security architecture, and research on intrusion detection methods and technologies has attracted growing attention. By studying the process and characteristics of intrusive behaviour, intrusion detection lets the security system respond in real time to intrusion events and to the intrusion process. Detection methods generally fall into two kinds: misuse intrusion detection and anomaly intrusion detection. Misuse detection relies on known attack methods: it checks whether predefined intrusion patterns appear and reports an intrusion when they do. Its advantage is that known intrusions are detected precisely; its disadvantage is that unknown intrusions cannot be detected. Anomaly detection instead assumes that all intrusive behaviour differs from normal behaviour, so if a profile of the system's normal behaviour is established, any system state that departs from that profile can in theory be treated as a suspicious attempt.
Data mining techniques can be used both to construct features and to detect. Cluster analysis, an active research area within data mining, groups data objects automatically by analysing large volumes of data and is well suited to anomaly detection. To overcome the shortcomings of existing intrusion detection methods, this thesis focuses on applying clustering to intrusion detection. The work covers two aspects: (1) an in-depth study of the theory of intrusion detection and of clustering; (2) a new anomaly detection algorithm based on the centroidal Voronoi diagram. The algorithm first clusters the sample data with a centroidal Voronoi diagram, then uses the clustering result to compute a point density for each sample, and judges from that density whether the sample is anomalous. Finally, experiments on the KDD Cup 1999 dataset show that the new algorithm achieves a good detection rate while keeping the false positive rate low.
【Key words】 Network Security; Intrusion Detection; Centroidal Voronoi Diagram; Data Mining; Clustering
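The abstract only sketches the algorithm: cluster with a centroidal Voronoi diagram, derive a point density from the clustering, flag low-density samples, and report detection rate and false positive rate. The following is an added illustration of that pipeline, not the thesis's own code. It assumes Lloyd's iteration (assign each sample to its nearest generator, move each generator to its cell's centroid, repeat) as the way the centroidal Voronoi tessellation is computed, deterministic farthest-point seeding of the generators, a density defined as the number of same-cell neighbours within a radius equal to the cell's mean distance to its generator, and a flagging threshold of 20% of the cell's mean density. The sample data are constructed 2-D feature vectors, not KDD Cup 1999 records.

```python
"""Density-based anomaly detection over a centroidal Voronoi tessellation (CVT).

Added example, not the thesis's code. The seeding rule, the density definition,
the radius and the 20% threshold are assumptions chosen for illustration.
"""
import math


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def farthest_point_seeds(points, k):
    """Deterministic seeding (assumption): the first sample, then repeatedly the
    sample farthest from every generator chosen so far."""
    gens = [points[0]]
    while len(gens) < k:
        gens.append(max(points, key=lambda p: min(dist(p, g) for g in gens)))
    return [list(g) for g in gens]


def lloyd_cvt(points, k, max_iters=100):
    """Lloyd's iteration: assign every sample to its nearest generator (its
    Voronoi cell), then move each generator to the centroid of its cell.
    At the fixed point each generator is the centroid of its own cell, i.e. the
    partition is a centroidal Voronoi tessellation of the sample set."""
    gens = farthest_point_seeds(points, k)
    assign = [-1] * len(points)
    for _ in range(max_iters):
        changed = False
        for i, p in enumerate(points):
            j = min(range(k), key=lambda g: dist(p, gens[g]))
            if j != assign[i]:
                assign[i], changed = j, True
        if not changed:
            break  # assignment stable, so centroids are stable too
        for g in range(k):
            members = [points[i] for i in range(len(points)) if assign[i] == g]
            if members:
                gens[g] = [sum(c) / len(members) for c in zip(*members)]
    return gens, assign


def point_densities(points, assign, gens):
    """Density of a sample = number of other samples in the same cell within a
    radius equal to that cell's mean distance to its generator (assumption)."""
    cells = [[i for i, a in enumerate(assign) if a == g] for g in range(len(gens))]
    density = [0] * len(points)
    for g, cell in enumerate(cells):
        if not cell:
            continue
        radius = sum(dist(points[i], gens[g]) for i in cell) / len(cell)
        for i in cell:
            density[i] = sum(1 for j in cell if j != i and dist(points[i], points[j]) <= radius)
    return density


def flag_anomalies(points, k=2, fraction=0.2):
    """Flag a sample when its density falls below `fraction` of the mean density
    of its cell (threshold is an assumption). Returns (flags, assign, density)."""
    gens, assign = lloyd_cvt(points, k)
    density = point_densities(points, assign, gens)
    mean_density = []
    for g in range(len(gens)):
        members = [density[i] for i, a in enumerate(assign) if a == g]
        mean_density.append(sum(members) / len(members) if members else 0.0)
    flags = [density[i] < fraction * mean_density[assign[i]] for i in range(len(points))]
    return flags, assign, density


def detection_and_false_positive_rate(flags, labels):
    """Detection rate = flagged attacks / attacks; FPR = flagged normals / normals."""
    attacks = [f for f, l in zip(flags, labels) if l == "attack"]
    normals = [f for f, l in zip(flags, labels) if l == "normal"]
    dr = sum(attacks) / len(attacks) if attacks else 0.0
    fpr = sum(normals) / len(normals) if normals else 0.0
    return dr, fpr


def make_sample():
    """Constructed data (not KDD Cup): two dense 5x5 grids of 'normal' feature
    vectors plus three isolated points standing in for attack records."""
    grid = [i * 0.5 for i in range(5)]
    points = [(x, y) for x in grid for y in grid]              # normal cluster A
    points += [(10 + x, 10 + y) for x in grid for y in grid]   # normal cluster B
    labels = ["normal"] * 50
    points += [(5.0, 5.0), (15.0, -4.0), (-4.0, 13.0)]         # isolated outliers
    labels += ["attack"] * 3
    return points, labels


def run_demo():
    points, labels = make_sample()
    flags, assign, density = flag_anomalies(points, k=2)
    dr, fpr = detection_and_false_positive_rate(flags, labels)
    return {"detection_rate": dr, "false_positive_rate": fpr,
            "flagged": [p for p, f in zip(points, flags) if f], "cells": assign}


if __name__ == "__main__":
    r = run_demo()
    print(f"detection rate {r['detection_rate']:.2f}, false positive rate {r['false_positive_rate']:.2f}")
    print("flagged:", r["flagged"])
```

On this constructed input the two grids end up in separate cells, the three outliers have zero same-cell neighbours within their cell's radius and are flagged, and no grid point is flagged. The per-cell radius is what makes the density comparison local: a sample is judged against the spread of its own cluster, which is the role the abstract assigns to the clustering step. With real KDD Cup 1999 records one would first encode the symbolic fields and scale the numeric ones, since Euclidean distance is meaningless on raw mixed-type columns.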