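Research on Intrusion Detection Methods Based on Multidimensional Association Rules
Published: 2018-06-07 12:51
Topics: data mining + intrusion detection; Source: Yanshan University, master's thesis, 2014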
[Abstract]: An intrusion detection system (IDS) is an important active-defense tool for network security. It collects information from a number of key points in a computer network or computer system and analyzes it to discover whether the network or system shows behavior that violates the security policy or signs of attack. Because most intrusion behaviors are correlated, correlation analysis of intrusion behavior is one of the important means of intrusion detection and is widely used in intrusion detection systems. Among the various data mining methods, association rule mining is an important research topic and is well suited to correlation analysis of intrusion behavior: it can discover normal and abnormal behavior patterns in large volumes of data, mine the association rules contained in them, and use these rules to preprocess the raw data and perform rule matching, thereby detecting intrusions. Improving association rule algorithms and applying them to intrusion detection is therefore of considerable practical significance. First, combining the Apriori algorithm and the FP-Growth algorithm, the thesis proposes MAFP (Multidimensional Association Frequent Pattern), an association rule mining algorithm based on a multidimensional association frequent pattern tree. The algorithm uses a MAFP-tree structure, storing the dimension part and the itemset part in an MFP-tree (Multidimensional Frequent Pattern Tree) and an FP-tree respectively. This not only compresses space further, greatly reducing the temporary memory used to store itemsets, but also reduces the number of scans of the data warehouse, which greatly improves solving efficiency and achieves efficient itemset mining guided by dimension information. Second, databases are growing ever larger, some reaching the TB level; in this situation single-node serial processing suffers from extremely low mining efficiency. To address these problems, a parallel multidimensional association rule algorithm based on Hadoop is proposed. Its basic idea is to hand the whole process of generating frequent itemsets and producing association rules to MapReduce on the Master and Slave nodes, achieving distributed storage of massive data and distributed processing of tasks, with load balancing across nodes. Finally, network intrusion detection is carried out on a selected sample data set. The experimental results show that the proposed algorithms are effective and feasible for the problems addressed, that their running time is lower than that of algorithms of the same type, and that mining accuracy is improved to a certain degree, achieving the research goals set out beforehand.
[Degree-granting institution]: Yanshan University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08;TP311.13
Article ID: 1991235
Article link: https://www.wllwen.com/guanlilunwen/ydhl/1991235.html