
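Masquerade Intrusion Detection System Based on Multiple Behaviors

Published: 2018-05-02 16:37

  Topic of this thesis: masquerade intrusion detection + user behavior modeling; Reference: Shanghai Jiao Tong University, 2014 master's thesis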


[Abstract]: A masquerade intrusion occurs when an attacker poses as a legitimate user to enter an information system and then accesses critical system data or performs illegal operations. Masquerade intrusions are usually divided into physical masquerade intrusions and remote masquerade intrusions. In recent years, masquerade intrusion detection, an important branch of intrusion detection, has attracted wide attention from academia and industry, and several researchers have implemented quite feasible masquerade intrusion detection systems. Nevertheless, the design and implementation of existing systems still have the following problems: the learned features are too limited to a single type, users' network behavior is ignored, and privacy protection is lacking. To address these problems, this thesis proposes a novel model based on multiple user behaviors, and on the basis of this model designs and implements two masquerade intrusion detection systems suited to different scenarios.

The thesis first proposes a comprehensive user behavior model that combines multiple host-based and network-based user behaviors. For network behavior, it proposes a novel model based on, and designed for, network flows. Experimental results confirm that the model is highly representative.

For physical masquerade intrusion, the thesis proposes a detection system based on the comprehensive behavior model above and the AdaBoost-SVM algorithm. For remote masquerade intrusion, it uses fully homomorphic encryption and fuzzy hashing to implement a detection system with privacy protection.

In addition, this chapter tests the two systems separately. The results show that the two systems suit different scenarios: System 1 has higher accuracy and suits a corporate LAN; System 2 is privacy-preserving and suits deployment on Internet websites. The security and feasibility of both systems were verified.

The multiple-behavior-based masquerade intrusion detection system described in this thesis solves some existing problems, achieves high availability and accuracy, and obtained good results in tests on real user data, providing strong technical support for large-scale deployment of masquerade intrusion detection systems.
[Degree-granting institution]: Shanghai Jiao Tong University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08



