Research on Network Intrusion Detection Based on the Traffic Matrix
Published: 2018-05-17 05:09
Topic keywords: traffic matrix + information entropy; Source: 兰州交通大学 (Lanzhou Jiaotong University), 2014 master's thesis
[Abstract]: Intrusion detection is a proactive protection technique that follows traditional measures such as firewalls and data encryption. How to effectively detect anomalous events that degrade network performance, and correctly identify the type of anomaly so that the network keeps operating normally, has become one of the important research questions in network security.
Network anomalies are sudden, unpredictable and complex. The occurrence of an anomalous event usually changes the characteristic attributes of network traffic, and conversely any change in those attributes signals that one or more anomalous events have occurred. Network flows, an important form of Internet operation and management, carry attribute information such as source/destination IP address, source/destination port and service protocol. The traffic matrix is an important way of organizing network flows and usually contains three components: an approximately periodic normal component, an anomalous component and a noise component; effective analysis of each component is the key to detecting and classifying network anomalies in an intrusion detection system. This thesis arranges the traffic between source-destination node pairs in the network into matrix form as the main input of the intrusion detection system.
A well-designed network intrusion detection model helps analyze traffic anomalies, raises the detection rate of the intrusion detection system and lowers its false-alarm rate. Building on a study of traditional intrusion detection methods and principles, this thesis designs an intrusion detection model based on the network traffic matrix. It takes the traffic matrix as the object of anomaly analysis and comprises modules for traffic data collection, raw traffic data preprocessing, traffic anomaly detection and traffic anomaly classification. To give more accurate early warning and classification of network anomalies, an anomaly detection algorithm based on PGM-NMF and an anomaly classification algorithm based on cluster analysis are used in the anomaly detection module and the anomaly classification module respectively.
On the basis of this model, the thesis gives the detailed design of the traffic-matrix intrusion detection algorithm: an information-entropy algorithm preprocesses the raw network traffic data to build an entropy-based traffic matrix; a proposed PGM-NMF network traffic anomaly detection algorithm constructs the normal subspace of the traffic; and the Q statistic, computed from the reconstruction error, decides whether the traffic is anomalous. To further determine the type of anomaly, a network anomaly classification algorithm based on cluster analysis is proposed that matches the clustering result against a library of anomaly feature patterns, so that the anomaly type is identified accurately. Finally, simulation experiments verify the anomaly detection and classification performance; compared with traditional intrusion detection schemes, the traffic-matrix-based network intrusion detection model designed here shows certain advantages.
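The detection pipeline the abstract describes (per-window information entropy of flow attributes forming a traffic matrix, an NMF normal subspace, and a Q statistic on the reconstruction error) as an added worked example; this is not code from the thesis. Where the abstract does not give details, the example substitutes standard choices and says so: the classic Lee-Seung multiplicative-update NMF stands in for the thesis's PGM-NMF, the Q control limit is an assumed empirical mean plus three standard deviations of the training Q values rather than the thesis's limit, and the flow records are constructed in the block. The clustering-based classification stage is not shown.

```python
"""Entropy traffic matrix -> NMF normal subspace -> Q-statistic anomaly check (pure Python)."""
import math
import random
from collections import Counter

EPS = 1e-9  # keeps multiplicative updates finite when a denominator approaches zero


def shannon_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    counts = Counter(values)
    total = len(values)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def window_entropy_vector(flows):
    """One traffic-matrix row: [H(srcIP), H(dstIP), H(srcPort), H(dstPort)] for a time window."""
    return [shannon_entropy([f[i] for f in flows]) for i in range(4)]


# --- constructed flow records (src_ip, dst_ip, src_port, dst_port); not captured data ---
def make_normal_window(rng, n_flows=200):
    """Normal-looking window: 40 clients, 30 servers, ephemeral source ports, a few service ports."""
    return [(f"10.0.0.{rng.randrange(40)}", f"198.51.100.{rng.randrange(30)}",
             rng.randrange(1024, 65536), rng.choice([80, 443, 443, 53, 22]))
            for _ in range(n_flows)]


def make_concentrated_window(rng, n_flows=200):
    """Anomalous window: two sources, a single destination, every flow on a different port,
    so H(dstIP) collapses toward 0 while H(dstPort) jumps (entropy-feature signature)."""
    ports = rng.sample(range(1, 1025), n_flows)
    return [(f"10.0.0.{rng.randrange(2)}", "198.51.100.7", rng.randrange(1024, 65536), ports[i])
            for i in range(n_flows)]


def project_row(v, H, w=None, iters=200):
    """Nonnegative coefficients w with v ~ w @ H (H fixed), by multiplicative updates."""
    k, n = len(H), len(H[0])
    w = list(w) if w is not None else [1.0] * k
    HHt = [[sum(H[a][j] * H[b][j] for j in range(n)) for b in range(k)] for a in range(k)]
    vHt = [sum(v[j] * H[a][j] for j in range(n)) for a in range(k)]
    for _ in range(iters):
        wHHt = [sum(w[b] * HHt[b][a] for b in range(k)) for a in range(k)]
        w = [w[a] * vHt[a] / (wHHt[a] + EPS) for a in range(k)]
    return w


def nmf(V, k, iters=500, seed=0):
    """Lee-Seung multiplicative-update NMF: V (m x n) ~ W (m x k) @ H (k x n), all nonnegative.
    Assumed stand-in for the thesis's PGM-NMF; the rows of H span the learned normal subspace."""
    rng = random.Random(seed)
    m, n = len(V), len(V[0])
    W = [[rng.random() + 0.1 for _ in range(k)] for _ in range(m)]
    H = [[rng.random() + 0.1 for _ in range(n)] for _ in range(k)]
    for _ in range(iters):
        WtV = [[sum(W[i][a] * V[i][j] for i in range(m)) for j in range(n)] for a in range(k)]
        WtW = [[sum(W[i][a] * W[i][b] for i in range(m)) for b in range(k)] for a in range(k)]
        WtWH = [[sum(WtW[a][b] * H[b][j] for b in range(k)) for j in range(n)] for a in range(k)]
        H = [[H[a][j] * WtV[a][j] / (WtWH[a][j] + EPS) for j in range(n)] for a in range(k)]
        W = [project_row(V[i], H, W[i], iters=1) for i in range(m)]  # one W step per sweep
    return W, H


def q_statistic(v, H):
    """Squared prediction error (Q / SPE) of row v against the normal subspace spanned by H."""
    w = project_row(v, H)
    recon = [sum(w[a] * H[a][j] for a in range(len(H))) for j in range(len(v))]
    return sum((v[j] - recon[j]) ** 2 for j in range(len(v)))


def fit_detector(train_rows, k=2):
    """Learn H from normal windows and an assumed empirical Q limit (mean + 3 sigma of training Q)."""
    _, H = nmf(train_rows, k)
    q_train = [q_statistic(v, H) for v in train_rows]
    mean = sum(q_train) / len(q_train)
    std = math.sqrt(sum((q - mean) ** 2 for q in q_train) / len(q_train))
    return H, mean + 3 * std


def detect(H, limit, rows):
    """Return (Q, flagged) per window; flagged means Q exceeds the control limit."""
    return [(q, q > limit) for q in (q_statistic(v, H) for v in rows)]


def demo():
    rng = random.Random(2014)
    train = [window_entropy_vector(make_normal_window(rng)) for _ in range(8)]
    test = [window_entropy_vector(make_normal_window(rng)),
            window_entropy_vector(make_concentrated_window(rng))]
    H, limit = fit_detector(train)
    return limit, detect(H, limit, test)


if __name__ == "__main__":
    limit, results = demo()
    print(f"Q control limit: {limit:.4f}")
    for (q, flagged), label in zip(results, ["normal", "concentrated"]):
        print(f"{label:12s} Q={q:.4f} anomaly={flagged}")
```

Each row of the matrix is a time window and each column an entropy feature, so a window whose attribute distributions concentrate or disperse lands far from the normal subspace and produces a large Q. In practice the control limit should be set on enough normal windows to cover daily periodicity, which the abstract notes is part of the normal component.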
[Degree-granting institution]: 兰州交通大学 (Lanzhou Jiaotong University)
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08
Article ID: 1900042
Link: https://www.wllwen.com/guanlilunwen/ydhl/1900042.html