Research on Improving the Snort System with Outlier Mining
Published: 2018-04-14 20:19
Topic: intrusion detection + Snort; Source: Hebei University of Science and Technology (河北科技大学), 2014 master's thesis
[Abstract]: Intrusion detection can be divided into misuse detection and anomaly detection. Snort, a typical misuse-based intrusion detection system, is a network intrusion detection system that works by signature matching; it is open source and built on a plug-in mechanism. The signature matching Snort performs operates at the relatively low level of byte patterns in network packets, a way of describing intrusion features that is complex and hard to understand. The attribute set of the KDD99 intrusion detection dataset abstracts and summarizes the various intrusion features well; intrusion detection over the KDD99 attribute set is more understandable, more concise and more efficient, and detects the various intrusion types more accurately. In this study the intrusions and feature attributes are classified and analysed, the information gain of each attribute in the attribute set is computed, the attributes are sorted by information gain in descending order, and the subset with the larger information gain is selected for intrusion detection in the improved Snort system. Snort has the high detection efficiency characteristic of misuse-based systems, but also their weakness: it cannot detect unknown intrusion types. This study designs a simple deviation-based outlier detection method and applies it to Snort, giving the improved Snort system the ability to detect intrusion types for which no intrusion signature has been defined. Building on Snort's detection workflow, a new intrusion detection workflow is designed that divides the work into an offline part and an online part: Snort's signature matching serves as the online part, and the designed outlier detection method serves as the offline part, so that detection effectiveness is strengthened without lowering Snort's detection efficiency. Finally, experiments verify that the designed deviation-based outlier detection method, applied in an intrusion detection system, can effectively detect intrusion types with no defined signature, and can therefore be applied to improve Snort and strengthen its detection effectiveness.
[Degree-granting institution]: Hebei University of Science and Technology (河北科技大学)
[Degree level]: Master's
[Year degree conferred]: 2014
[Classification number]: TP393.08; TP311.13
Article ID: 1750863
Link: https://www.wllwen.com/guanlilunwen/ydhl/1750863.html