
Research on Alert Fusion in Intrusion Detection Systems

Published: 2018-05-19 13:43

Topic: intrusion detection system + support vector data description; Source: Beijing Jiaotong University, 2014 master's thesis


[Abstract]: With the spread of computers and networks, information carried over the network touches every industry, and network security has gradually become a focus of attention. Static defences such as firewall isolation and network access control no longer meet current needs, which is why intrusion detection systems, which actively detect and report unsafe behaviour, came into being. In practical deployment, however, a very high false negative rate, a high false positive rate and large numbers of repeated alerts are unavoidable shortcomings of intrusion detection systems, and alert fusion techniques were proposed to address them. The goal of alert fusion is to lower the false negative and false positive rates and to reduce repeated alerts, so that the administrator can clearly grasp the state of the network. Most current alert fusion methods, however, focus only on reducing repeated alerts, with comparatively little work on the false negative and false positive rates. To address this gap, this thesis proposes a new fusion algorithm that reduces the false negative and false positive rates without lowering the detection rate, and validates it on the KDD99 data set. Finally, for the problem of repeated alerts, the thesis also proposes an alert fusion algorithm based on a dynamic time threshold, which adjusts the threshold according to the number of alerts actually observed so that the model is closer to real conditions.

The main research contents of the thesis are as follows:
(1) Analyses the structural characteristics of current intrusion detection systems and the commonly used intrusion detection techniques, studying in detail the principles, classification, concrete detection methods and future development directions of intrusion detection technology.
(2) Describes and analyses in depth four of the main current alert fusion techniques, summarises the advantages and disadvantages of each, dissects the problems of current fusion techniques, and proposes ideas for improvement.
(3) Integrates the support vector data description (SVDD) algorithm from one-class support vector machines into alert fusion and combines it with the idea of simulated annealing; this not only eliminates redundant features and reduces interference from irrelevant attributes, but also, through the fused decision of multiple classifiers, lowers the false positive and false negative rates of the alert information to a certain extent.
(4) Because of the special nature of time, proposes an alert fusion algorithm based on a dynamic time threshold, which adjusts the time threshold according to the number of alerts actually observed and greatly reduces the number of repeated alerts.
Finally, the work of the thesis is briefly summarised and analysed, and the main directions for future work are put forward.
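The dynamic-time-threshold aggregation described in point (4) is easiest to see against a fixed window. The following is an added example, not code from the thesis: alerts are grouped by (source, destination, signature), and a new alert is fused into the open group for that key when it arrives within the group's current time threshold. The adjustment rule used here (window grows linearly with the number of alerts already fused, capped at `max_t`) is an assumption for illustration, since the abstract does not give the thesis's formula; the alert sample is constructed.

```python
"""Dynamic-time-threshold alert aggregation (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, str, str]  # (source, destination, signature) identifies a "repeated" alert


@dataclass
class Alert:
    ts: float   # seconds since an arbitrary epoch
    src: str
    dst: str
    sig: str


@dataclass
class FusedAlert:
    key: Key
    first_ts: float
    last_ts: float
    count: int = 1


def dynamic_threshold(count: int, base: float, k: float, max_t: float) -> float:
    """Assumed adjustment rule (not the thesis's own formula): the merge window
    of a group grows linearly with the number of alerts already fused into it,
    capped at max_t. With k == 0 this degenerates to a fixed window of `base`."""
    return min(max_t, base + k * count)


def fuse_alerts(alerts: List[Alert], base: float = 10.0, k: float = 5.0,
                max_t: float = 120.0) -> List[FusedAlert]:
    """Merge repeated alerts that share a key and arrive inside the current
    (dynamic) time threshold of the open group for that key."""
    open_groups: Dict[Key, FusedAlert] = {}
    closed: List[FusedAlert] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.src, a.dst, a.sig)
        g = open_groups.get(key)
        if g is not None:
            if a.ts - g.last_ts <= dynamic_threshold(g.count, base, k, max_t):
                g.count += 1
                g.last_ts = a.ts
                continue
            closed.append(g)  # gap exceeded the threshold: close the old group
        open_groups[key] = FusedAlert(key, a.ts, a.ts)
    closed.extend(open_groups.values())
    closed.sort(key=lambda g: g.first_ts)
    return closed


# Constructed sample: one host keeps tripping the same signature with growing
# gaps between alerts (a slowing flood), plus two unrelated scan alerts far apart.
SAMPLE_ALERTS: List[Alert] = [
    Alert(t, "10.0.0.5", "10.0.0.9", "SYN_FLOOD") for t in (0, 4, 8, 20, 35, 55, 80)
] + [
    Alert(3, "10.0.0.7", "10.0.0.9", "PORT_SCAN"),
    Alert(300, "10.0.0.7", "10.0.0.9", "PORT_SCAN"),
]


def reduction(alerts: List[Alert], **kw) -> Tuple[int, int]:
    """Return (raw alert count, fused alert count) for the given threshold parameters."""
    return len(alerts), len(fuse_alerts(alerts, **kw))


if __name__ == "__main__":
    for label, kw in (("fixed 10 s window", {"k": 0.0}), ("dynamic window", {})):
        raw, fused = reduction(SAMPLE_ALERTS, **kw)
        print(f"{label}: {raw} raw alerts -> {fused} fused alerts")
        for g in fuse_alerts(SAMPLE_ALERTS, **kw):
            print(f"  {g.key[2]} {g.key[0]}->{g.key[1]} x{g.count} "
                  f"[{g.first_ts:.0f}s .. {g.last_ts:.0f}s]")
```

With a fixed 10 s window the slowing SYN_FLOOD burst splits into five groups once the gaps exceed 10 s, so the nine raw alerts become seven; with the dynamic window the threshold widens as the group fills, the whole burst collapses into one alert with count 7, and only three fused alerts remain. The cap `max_t` matters in practice: without it a long-running group would eventually swallow genuinely new activity from the same source, which is the failure mode a defender tunes against.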
[Degree-granting institution]: Beijing Jiaotong University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08




Article number: 1910329


Link to this article: https://www.wllwen.com/guanlilunwen/ydhl/1910329.html

