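Research on Neural Network-Based Intrusion Detection Technologies
Published: 2018-06-29 05:08
Topics: intrusion detection + neural networks; Source: Shandong University, 2016 doctoral dissertation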
[Abstract]: As the Internet grows in scale, emerging network services increasingly shape people's daily lives, and network security problems draw growing attention. As attack behaviour becomes more complex, an intrusion detection system can assess the security of computer systems and networks by analysing, in real time, the event information it collects from computer systems, networks and users. Intrusion detection in traditional environments has long been a research focus, and improving the detection performance of intrusion detection systems is critical. Meanwhile, cloud computing, as a new computing model, has changed the traditional computer architecture, but its virtualized, distributed and ultra-large-scale nature poses major security challenges for computer systems, networks and users. To meet these new challenges, studying intrusion detection systems for cloud environments is of equal practical importance. Neural networks offer self-learning, associative memory and high-speed parallel computation, which has produced notable results in many application areas, and applying them to intrusion detection has attracted wide attention from researchers in China and abroad. This dissertation uses neural network theory to study problems related to intrusion detection systems in both traditional and cloud environments.

First, because distributed intrusion detection systems in traditional environments place a heavy load on the central node and are prone to single points of failure, the dissertation studies a fully distributed cooperative intrusion detection system that supports high-speed parallel computation, is easy to implement in hardware, and has high detection accuracy (Chapter 2). Second, to make up for the general lack of active defence capability in intrusion detection systems in traditional environments, it studies an intrusion prevention system that can predict an impending attack before the target host or operating system is compromised (Chapter 3). Third, with the development of cloud computing, intrusion detection systems built for traditional environments are limited in both detection rate and detection speed on massive intrusion data and can no longer meet the needs of cloud environments, so the dissertation studies a network-based cloud intrusion detection system that learns autonomously and expands dynamically (Chapter 4). Finally, virtualization is the core of cloud computing, and during migration a virtual machine can be attacked by viruses or hackers through system vulnerabilities or backdoor flaws, causing security problems such as abnormal virtual machine migration; the dissertation therefore studies a virtual machine migration scheduling and monitoring system to safeguard the virtual computing environment (Chapter 5).

The main contributions of the dissertation are as follows:

(1) From the study of distributed intrusion detection systems, a fully distributed cooperative intrusion detection system based on discrete-time cellular neural networks (DTCNN) and state-controlled cellular neural networks (SCCNN) is proposed. A multi-layer detection model based on DTCNN serves as the local node detection classifier, and a one-dimensional ring detection model based on an improved SCCNN serves as the global detector. Each local node detector independently detects intrusions on its local network and then periodically sends detection messages to exchange local detection information with its neighbouring nodes, which together form the global detector. For the template parameters of the local node detector, a parameter selection algorithm based on an improved particle swarm optimization algorithm is proposed; it constructs a new fitness function through an energy function constraint method so that the particle swarm algorithm avoids premature convergence and finds the optimal parameter solution. For the global detector, a template parameter solving method based on solving linear matrix inequalities is proposed, so that the system reaches the desired stable output and can be applied to detection. Simulation results show that this detection system achieves a higher detection rate than other distributed intrusion detection systems.

(2) From the study of intrusion prediction systems, intrusion prediction models that use neural networks to improve time series analysis methods are proposed. To reduce the false positive rate and false negative rate of the intrusion prediction system and improve the prediction accuracy of the model, a network intrusion prediction model in which a grey neural network improves ARIMA is proposed: a BP network maps the solution of the differential equation of the grey prediction model to construct a new grey neural network, which corrects the prediction residuals of the ARIMA-based network intrusion prediction model. In addition, to improve prediction accuracy on multi-scale network traffic time series, the dissertation proposes a network intrusion prediction model based on wavelet decomposition and an improved minimum complexity echo state network (IMCESN-WD). The original network traffic time series is first preprocessed by wavelet decomposition; for each resulting scale subsequence, a prediction model is then built from a minimum complexity echo state network improved with the least mean square error and the error change rate; finally, the subsequence predictions are combined using weight factors. Simulation experiments confirm that these methods can gauge the security state of a network by modelling network traffic data and give early warning of intrusions, with high prediction accuracy.

(3) From the study of network-based cloud intrusion prediction systems, a cloud network intrusion detection system based on an improved growing self-organizing neural network is proposed. The system uses a MapReduce principal component analysis algorithm to reduce the dimensionality of massive intrusion data, and applies the improved growing self-organizing neural network algorithm to the reduced data for dynamically updated detection. A genetic algorithm optimizes the connection weights in the self-organizing neural network subnets that the growing self-organizing neural network detection model expands into, which speeds up convergence of the detection network. Simulation experiments show that this method achieves real-time detection on massive intrusion data and extended detection of new types of attack, and that the detection algorithm is more effective and more extensible than other algorithms.

(4) From the study of virtual machine migration monitoring systems, a virtual machine migration scheduling method based on an improved cellular neural network is proposed. The migration scheduling process can be treated as equivalent to the travelling salesman problem; by improving the energy function of the cellular neural network, the equilibrium point of the output becomes the expected feature value of the real-time network and the system reaches a stable state. The dissertation determines the parameter relations on the basis of the local and global rules of migration scheduling, and these parameter relations of the network model can be transformed into a constrained optimization problem. The template parameters are then optimized with a bubble-sort particle swarm algorithm, which keeps the parameter solving process from falling into a local optimum. Simulation experiments show that the proposed method can produce an effective virtual machine migration scheduling strategy, reducing both migration duration and the amount of data migrated.
[Degree-granting institution]: Shandong University
[Degree level]: Doctorate
[Year degree awarded]: 2016
[Classification number]: TP393.08; TP183
Article ID: 2080982
Article link: https://www.wllwen.com/guanlilunwen/ydhl/2080982.html