Research on Network Attack Modelling Based on Temporal Logic
Published: 2018-05-27 06:42
Thesis topics: model checking + intrusion detection; Source: Master's thesis, Zhengzhou University, 2014
【Abstract】: As network attacks become more varied and attack techniques more complex, intrusion detection has received growing attention. Intrusion detection is an important network security technique; by detection principle it is divided into misuse detection and anomaly detection. Because anomaly detection has a high false-positive rate, most intrusion detection systems deployed worldwide use misuse detection. However, faced with the large number of increasingly complex and changing attack patterns on the network, the detection capability of pattern-matching-based intrusion detection is seriously inadequate. For this reason, intrusion detection based on model checking was proposed by French researchers. Compared with pattern-matching intrusion detection, model-checking-based intrusion detection can effectively improve the detection of complex and varying attacks. Several problems remain in current model-checking-based methods, however. First, each existing method models only one or a few specific attacks; a model of the general process of a network attack is still lacking. Second, there is no platform that provides a basis for comparing the performance of such methods. This thesis takes these two problems as its starting point; the main work completed is as follows:

1. On the basis of a definition of the general process of a network attack and of attack-model formulas, the thesis proposes a general model of network attacks based on interval temporal logic. The general model covers the general process of a network attack, and performing intrusion detection on top of it helps extend model-checking-based intrusion detection to the detection of many attack types.

2. After studying the attack principles of the four major attack categories in KDD Cup 99, each of the 13 attack types in the KDD Cup 99 training set is translated from its concrete attack details into an action sequence, the action sequence is decomposed into atomic actions observable in log files, and a temporal logic formula is given for each attack. The resulting attack-model formulas for the 13 attack types lay a foundation for comparing the performance of intrusion detection methods of this kind and provide a technical framework for assessing detection capability per attack type.
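As an added illustration (not code from the thesis, none of which appears on this page), the following Python sketch shows the detection scheme the abstract describes: atomic actions are recovered from log lines, an attack model is written as a formula in a small interval-temporal-logic fragment (the chop operator ";" plus counting and duration constraints, a deliberate simplification of the logic the thesis uses), and detection asks whether a per-host trace satisfies the formula. The log format, the password-guessing attack model and the host addresses are constructed for this example; the formula is not one of the thesis's 13 KDD Cup 99 models. A contiguous-signature matcher is included to make the gap the abstract points at concrete: it misses the attack when a benign action interleaves with it and, having no notion of time, flags a slow sequence that the temporal model rejects.

```python
"""Model-checking-style intrusion detection over atomic log actions.

Added example: an attack model is a temporal-logic formula, the per-host
log trace is the model, and detection checks whether the trace satisfies
the formula. Log format, attack model and hosts are constructed here.
"""
from typing import Callable, Dict, List, NamedTuple


class Action(NamedTuple):
    """One atomic action recovered from a log line."""
    ts: int    # seconds since an arbitrary epoch
    src: str   # source host
    name: str  # atomic action, e.g. login_fail


# A formula is evaluated on the half-open interval trace[i:j] and returns a bool.
Formula = Callable[[List[Action], int, int], bool]


def atom(name: str) -> Formula:
    """Interval consisting of exactly one action with the given name."""
    return lambda tr, i, j: j == i + 1 and tr[i].name == name


def anything() -> Formula:
    """Holds on every interval, including the empty one."""
    return lambda tr, i, j: True


def chop(f: Formula, g: Formula) -> Formula:
    """ITL chop 'f ; g': some split k with f on [i, k) and g on [k, j).
    (Simplified: the split is disjoint rather than sharing a state.)"""
    return lambda tr, i, j: any(f(tr, i, k) and g(tr, k, j) for k in range(i, j + 1))


def eventually(f: Formula) -> Formula:
    """Some subinterval satisfies f:  anything ; f ; anything."""
    return chop(anything(), chop(f, anything()))


def at_least(name: str, n: int) -> Formula:
    """At least n actions named `name` occur in the interval; others may interleave."""
    return lambda tr, i, j: sum(1 for a in tr[i:j] if a.name == name) >= n


def within(seconds: int, f: Formula) -> Formula:
    """f holds on the interval and the interval spans at most `seconds`."""
    def check(tr: List[Action], i: int, j: int) -> bool:
        span = tr[j - 1].ts - tr[i].ts if j > i else 0
        return span <= seconds and f(tr, i, j)
    return check


def satisfies(f: Formula, trace: List[Action]) -> bool:
    """Model-checking question: does the whole trace satisfy f?"""
    return f(trace, 0, len(trace))


def parse_log(lines: List[str]) -> Dict[str, List[Action]]:
    """Split constructed 'ts src action' lines into one time-ordered trace per host."""
    traces: Dict[str, List[Action]] = {}
    for line in lines:
        ts, src, name = line.split()
        traces.setdefault(src, []).append(Action(int(ts), src, name))
    for tr in traces.values():
        tr.sort()
    return traces


def detect(lines: List[str], model: Formula) -> List[str]:
    """Hosts whose trace satisfies the attack model."""
    return sorted(src for src, tr in parse_log(lines).items() if satisfies(model, tr))


def signature_match(lines: List[str], signature: List[str]) -> List[str]:
    """Pattern-matching baseline: the signature must occur as a contiguous run."""
    n = len(signature)
    hits = []
    for src, tr in parse_log(lines).items():
        names = [a.name for a in tr]
        if any(names[k:k + n] == signature for k in range(len(names) - n + 1)):
            hits.append(src)
    return sorted(hits)


# Constructed attack model: >= 3 failed logins within 60 s, then a successful login.
PASSWORD_GUESSING: Formula = eventually(
    chop(within(60, at_least("login_fail", 3)), atom("login_ok"))
)

# Constructed log. 10.0.0.5 attacks with a benign action interleaved;
# 10.0.0.9 fails three times over ~27 minutes, which the model does not count.
SAMPLE_LOG = [
    "100 10.0.0.5 login_fail",
    "105 10.0.0.5 read_banner",
    "110 10.0.0.5 login_fail",
    "120 10.0.0.5 login_fail",
    "125 10.0.0.5 login_ok",
    "100 10.0.0.9 login_fail",
    "900 10.0.0.9 login_fail",
    "1700 10.0.0.9 login_fail",
    "1705 10.0.0.9 login_ok",
    "200 10.0.0.7 login_ok",
]

if __name__ == "__main__":
    print("temporal model :", detect(SAMPLE_LOG, PASSWORD_GUESSING))
    print("signature match:", signature_match(SAMPLE_LOG, ["login_fail"] * 3 + ["login_ok"]))
```

The checker is a direct, unoptimised reading of the interval semantics (every `chop` tries every split point), so it is cubic or worse in trace length; it is meant to show the shape of model-checking-based detection, where the attack model is a logical formula and variation in the observed actions is absorbed by the semantics of operators such as `eventually` and `at_least` rather than by enumerating signature variants.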
【Degree-granting institution】: Zhengzhou University
【Degree level】: Master
【Year of degree】: 2014
【Classification number】: TP393.08
Article ID: 1940900
Article URL: https://www.wllwen.com/guanlilunwen/ydhl/1940900.html