Research on Key Technologies of Network Intrusion Detection Based on Data Mining
Published: 2018-04-19 22:22
Topic: intrusion detection + data mining; Source: Beijing University of Posts and Telecommunications, 2014 doctoral dissertation
[Abstract]: With the rapid spread of the Internet, networks have permeated every aspect of people's daily work and life. However, the security threats that have come with it have caused varying degrees of damage to social stability and economic development. As one of the main security technologies, intrusion detection can detect attack behaviour before a network attack causes widespread damage, and so provides an important basis for formulating defence strategies. As network scale keeps growing and new security vulnerabilities and attack techniques emerge endlessly, ever higher demands are placed on the detection performance of intrusion detection systems.
Data mining is an intelligent data analysis technology that can discover useful knowledge in large volumes of data. This dissertation surveys the latest domestic and international progress in data-mining-based intrusion detection, takes the key technologies of data-mining-based network intrusion detection as its focus, and studies feature dimensionality reduction and sample reduction for intrusion detection, anomaly detection based on outlier mining, and hybrid intrusion detection models. The main research work can be summarised as follows:
(1) The application of feature dimensionality reduction to intrusion detection is studied, and a feature extraction method suited to intrusion detection is designed. Feature dimensionality reduction, which covers both feature selection and feature extraction, lowers the dimension of the feature vectors that represent the data, so that many data mining algorithms obtain better results. On the basis of an analysis of related work on feature reduction in intrusion detection, a feature extraction method based on the sum of distances to cluster centres is proposed. The method uses a particular relationship between each data sample and the cluster centres, namely the sum of distances, to transform the original feature vector representing a sample from a high-dimensional space into a low-dimensional one. Experiments in the dissertation show the effectiveness of this feature extraction method in intrusion detection.
(2) The application of sample reduction to intrusion detection is studied, and a sample reduction method suited to intrusion detection is designed. Sample reduction, one form of data reduction, reduces the number of samples in a data set. Compared with mining the entire original data set, mining the reduced subset lowers the cost and speeds up mining, and sometimes even gives better results. To select a high-quality subset of samples from the original data set, a hierarchical sample reduction method based on class centres is proposed. Using an index that measures how representative a sample is of the class it belongs to, together with an equal-partitioning strategy for the data set based on class centres, the method selects a subset of samples from the original training set and then uses that subset to build the intrusion detection model. Experimental results show that this sample reduction method is effective for intrusion detection.
(3) The application of outlier mining to intrusion detection is studied, and an anomaly detection method based on outlier mining is designed. Outlier mining finds the outliers in a data set, that is, the values that deviate from most of the data. On the basis of an analysis of related work on outlier mining in intrusion detection, an anomaly detection method based on the change in cluster centre position is proposed. After a clustering algorithm extracts reference samples (cluster centres) from a set of normal samples, the method assigns each target sample (a training sample or a sample to be detected) an "outlier score" according to how the cluster centre positions change before and after the target sample is added, and identifies a sample to be detected as anomalous when its outlier score exceeds an anomaly threshold. Experimental results show that the method completes the network anomaly detection task with a high detection rate.
(4) The composition of hybrid intrusion detection models is studied, and a two-layer hybrid intrusion detection model containing three detection modules is designed. A hybrid intrusion detection model combines misuse detection and anomaly detection and can therefore combine the advantages of both. On the basis of an analysis of the structure, advantages and disadvantages of several existing types of hybrid model, a two-layer hybrid intrusion detection model containing two anomaly detection modules and one misuse detection module is proposed. In this model the detection modules of the two stages cooperate: the two stage-2 modules respectively identify the false positives and the false negatives produced by the stage-1 module. Experimental results show that the hybrid model performs intrusion detection with a low false positive rate and a high detection rate.
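The cluster-centre-shift scoring of item (3), worked through as an added example (not the dissertation's own code). It assumes Lloyd's k-means as the clustering step, defines the outlier score as the total Euclidean displacement of the reference centres after the target sample is added and the clusters are re-fitted, and runs on a constructed two-cluster set of "normal" feature vectors.

```python
import math

# Constructed sample data: two tight clusters of normal-traffic feature vectors.
NORMAL = [[0, 0], [1, 0], [0, 1], [1, 1], [0.5, 0.5],
          [10, 10], [11, 10], [10, 11], [11, 11], [10.5, 10.5]]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def centroid(pts):
    return [sum(p[i] for p in pts) / len(pts) for i in range(len(pts[0]))]

def k_means(points, init, iters=50):
    """Lloyd's k-means started from the given centres (assumed clustering step).
    Starting the re-fit from the reference centres keeps the comparison
    deterministic and lets the displacement be read off centre by centre."""
    centres = [list(c) for c in init]
    for _ in range(iters):
        groups = [[] for _ in centres]
        for p in points:
            nearest = min(range(len(centres)), key=lambda i: dist(p, centres[i]))
            groups[nearest].append(p)
        new = [centroid(g) if g else c for g, c in zip(groups, centres)]
        if new == centres:  # converged: assignments no longer move the centres
            break
        centres = new
    return centres

def reference_centres(normal, k):
    """Extract the reference samples (cluster centres) from the normal set.
    Seeding with k evenly spaced points is an assumption of this example."""
    seeds = normal[::max(1, len(normal) // k)][:k]
    return k_means(normal, seeds)

def outlier_score(reference, normal, target):
    """Assumed score definition: total displacement of the reference centres
    after the target joins the set and the clusters are re-fitted. A sample that
    fits an existing cluster barely moves its centre; a far-away sample drags
    the centre it is assigned to."""
    shifted = k_means(normal + [target], reference)
    return sum(dist(c, d) for c, d in zip(reference, shifted))

def is_anomalous(reference, normal, target, threshold):
    return outlier_score(reference, normal, target) > threshold

def demo():
    ref = reference_centres(NORMAL, k=2)
    benign = [0.5, 1.5]   # constructed: lies inside the first cluster
    attack = [40, -40]    # constructed: far from every cluster
    return outlier_score(ref, NORMAL, benign), outlier_score(ref, NORMAL, attack)
```

The anomaly threshold is a tuning parameter; on this constructed data the benign sample moves its centre by about 0.17 units while the far-away sample moves it by more than 9.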
[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Doctorate
[Year awarded]: 2014
[Classification]: TP393.08; TP311.13
Article ID: 1775004
Link: https://www.wllwen.com/guanlilunwen/ydhl/1775004.html