
Intrusion Detection Research Based on the EFSA Model and Dynamic Rule Sets

Published: 2018-06-05 10:25

Topic: EFSA model + six-tuple; Source: Jiangxi Normal University, master's thesis, 2015


[Abstract]: With the development of technology, network security problems have become increasingly prominent and seriously harm the interests of Internet users. Intrusion detection, as an active means of defense and detection, provides real-time, dynamic protection for hosts and computer networks. As the volume of network data keeps growing and attack techniques become more complex and varied, network security faces unprecedented crises and challenges. To address the shortcomings of traditional pattern matching and protocol analysis techniques in detecting attacks, this thesis proposes an extended finite-state automaton (EFSA) intrusion detection model based on stateful protocol analysis. The model describes the state transitions of an attack by constructing an EFSA; the EFSA intrusion detection model can be expressed as a six-tuple M = (P, Q, Σ, W, q0, F). Building this six-tuple serves two purposes: on the one hand, received packets are mapped to protocol state transitions to construct a finite-state automaton, and the presence of an attack is judged by whether the inspected data is accepted by the automaton; on the other hand, the data to be inspected is split by protocol, which improves detection precision, reduces the amount of rule-matching computation and raises detection efficiency. The EFSA detection mechanism and algorithm are given when the EFSA model is created, and when the model is applied to intrusion detection the idea of classified rule-set matching is adopted, which helps raise detection accuracy. To describe the automaton better, a state transition tree is proposed to represent the course of a session, and a session linked list is created for each session node to store session information, realizing a bidirectional association between session state and session linked list. Finally, KDD CUP99 is chosen as the test data set; experiments show that detection efficiency with the EFSA model is higher than with pattern matching and with stateful protocol analysis, and the false positive rate decreases. In addition, to reduce rule-matching time and improve the real-time performance of intrusion detection, a three-step dynamic adjustment algorithm adjusts the rule set in real time: rule priorities are adjusted when an event match triggers, so that frequently matched rules are given higher priority in real time, improving the system's matching efficiency. Experiments show that intrusion detection with dynamically adjusted rules reduces detection time by nearly 10% compared with a static rule set, improving detection efficiency and real-time performance.
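The abstract describes three mechanisms: an EFSA whose six-tuple M = (P, Q, Σ, W, q0, F) accepts packet sequences that constitute an attack, splitting of inspected traffic by protocol so each packet only meets the rules for its own protocol, and a three-step dynamic adjustment that raises the priority of frequently matched rules. The following Python is an added illustration of all three, not code from the thesis. It assumes a reading of the six-tuple (P = protocols inspected, Q = control states, Σ = packet event symbols, W = transition map with guard/update functions over extended variables, q0 = start state, F = accepting states) that the abstract does not spell out, and the rules, symbols, threshold and event stream are constructed for the demonstration.

```python
# EFSA-style stateful detection with per-protocol rule buckets and a dynamically
# reprioritised rule set. Added illustration, not the thesis's code. The six-tuple
# M = (P, Q, Sigma, W, q0, F) is read here as (assumption): P = protocols inspected,
# Q = states, Sigma = packet event symbols, W = (state, symbol) -> guard/update over
# extended variables, q0 = start state, F = accepting states ("attack observed").
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

@dataclass
class EFSA:
    P: Set[str]
    Q: Set[str]
    Sigma: Set[str]
    W: Dict[Tuple[str, str], Callable[[dict], Tuple[str, dict]]]  # vars -> (next, vars)
    q0: str
    F: Set[str]
    def __post_init__(self):  # well-formedness: q0, F in Q; W uses only known states/symbols
        assert self.q0 in self.Q and self.F <= self.Q
        assert all(q in self.Q and a in self.Sigma for q, a in self.W)

@dataclass
class SessionNode:  # per-session state, extended variables and transition history
    state: str      # (the history list stands in for the abstract's session linked list)
    vars: dict = field(default_factory=dict)
    history: List[Tuple[str, str, str]] = field(default_factory=list)

@dataclass
class Rule:
    rid: str
    automaton: EFSA
    hits: int = 0
    sessions: Dict[str, SessionNode] = field(default_factory=dict)

    def feed(self, session: str, symbol: str) -> bool:
        """Advance the automaton for this session; True when an accepting state is reached."""
        if symbol not in self.automaton.Sigma:
            return False
        node = self.sessions.setdefault(session, SessionNode(self.automaton.q0))
        fn = self.automaton.W.get((node.state, symbol))
        if fn is None:
            return False                 # no transition defined: packet irrelevant here
        new_state, node.vars = fn(dict(node.vars))
        node.history.append((node.state, symbol, new_state))
        node.state = new_state
        if new_state in self.automaton.F:
            del self.sessions[session]   # accepted: report, then reset the session
            return True
        return False

class Detector:
    """Rules are bucketed by protocol so a packet only visits automata for its own protocol.
    Three-step adjustment (assumed reading): count hit, priority = hit count, re-sort bucket."""
    def __init__(self, rules: List[Rule]):
        self.buckets: Dict[str, List[Rule]] = defaultdict(list)
        for r in rules:
            for proto in r.automaton.P:
                self.buckets[proto].append(r)

    def process(self, protocol: str, session: str, symbol: str) -> List[str]:
        alerts = []
        for rule in self.buckets[protocol]:
            if rule.feed(session, symbol):
                alerts.append(f"{rule.rid}:{session}")
                rule.hits += 1                                  # step 1
        if alerts:                                              # steps 2 and 3
            self.buckets[protocol].sort(key=lambda r: -r.hits)
        return alerts

# Constructed rules; symbols and the threshold of 3 failures are illustrative, not from the thesis.
BRUTE_FORCE = EFSA(P={"ssh"}, Q={"start", "auth", "alarm"},
    Sigma={"login_prompt", "auth_fail", "auth_ok"},
    W={("start", "login_prompt"): lambda v: ("auth", {"fails": 0}),
       ("auth", "auth_fail"): lambda v: ("alarm" if v["fails"] + 1 >= 3 else "auth", {"fails": v["fails"] + 1}),
       ("auth", "auth_ok"): lambda v: ("start", {})},
    q0="start", F={"alarm"})
BANNER_PROBE = EFSA(P={"ssh"},               # banner read, then disconnect without a login
    Q={"start", "banner_seen", "normal", "alarm"},
    Sigma={"banner", "login_prompt", "disconnect"},
    W={("start", "banner"): lambda v: ("banner_seen", v),
       ("banner_seen", "login_prompt"): lambda v: ("normal", v),
       ("banner_seen", "disconnect"): lambda v: ("alarm", v)},
    q0="start", F={"alarm"})

# Constructed event stream: s1 and s4 fail three times, s2 fails twice then succeeds,
# s3 reads the banner and disconnects, h1 is HTTP and never reaches the SSH bucket.
EVENTS = [("ssh", "s1", "banner"), ("ssh", "s1", "login_prompt"), ("ssh", "s1", "auth_fail"),
          ("ssh", "s2", "banner"), ("ssh", "s2", "login_prompt"), ("ssh", "s2", "auth_fail"),
          ("ssh", "s1", "auth_fail"), ("ssh", "s1", "auth_fail"), ("http", "h1", "request"),
          ("ssh", "s3", "banner"), ("ssh", "s3", "disconnect"), ("ssh", "s2", "auth_fail"),
          ("ssh", "s2", "auth_ok"), ("ssh", "s4", "banner"), ("ssh", "s4", "login_prompt"),
          ("ssh", "s4", "auth_fail"), ("ssh", "s4", "auth_fail"), ("ssh", "s4", "auth_fail")]

def run_demo() -> dict:
    det = Detector([Rule("ssh-banner-probe", BANNER_PROBE), Rule("ssh-bruteforce", BRUTE_FORCE)])
    order = lambda: [r.rid for r in det.buckets["ssh"]]
    initial = order()
    alerts = [a for e in EVENTS for a in det.process(*e)]
    return {"initial_order": initial, "alerts": alerts, "final_order": order()}
```

Running `run_demo()` yields alerts for sessions s1, s3 and s4 only: s2's two failures followed by a success return its automaton to the start state without ever reaching F. Because the brute-force rule fires twice and the banner rule once, the SSH bucket ends in the order `ssh-bruteforce, ssh-banner-probe`, so subsequent packets try the more frequently matched rule first, which is the effect the three-step adjustment aims for. Priority here is simply the hit count; a real deployment would decay counts over time so a burst of one attack does not permanently bury other rules.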
【Degree-granting institution】: Jiangxi Normal University
【Degree level】: Master's
【Year granted】: 2015
【Classification number】: TP393.08




Article number: 1981654


Link: https://www.wllwen.com/guanlilunwen/ydhl/1981654.html

