Research on Intrusion Detection Models Based on Rough Sets and Artificial Immunity

Published: 2018-08-03 13:42

[Abstract]: As information technology continues to develop, human society is undergoing major change. The Internet has become an important link connecting people around the world, has shortened the distance between people, and has become an indispensable part of human life. Although new network technologies have brought great convenience, they have also introduced many security risks and security challenges. Network security problems in particular have become increasingly prominent; they have seriously affected normal life and social order and have caused harm to individuals, enterprises, the state and society. Network security technology has become an important problem that today's society needs to solve.

Unlike static protection methods such as firewalls and VPNs, intrusion detection is an important means of ensuring network security, and it has significant research value. First, intrusion detection provides dynamic protection, and it draws on many disciplines and techniques, such as bio-inspired computing, artificial intelligence, data mining and machine learning, so many areas of intrusion detection still need in-depth research. Second, with the rapid development of cloud computing, which has new characteristics, blurred boundaries mean that static protection methods such as firewalls no longer apply; intrusion detection will therefore become an important means of securing cloud computing. Third, intrusion detection has a wide range of application scenarios: for example, it can be applied to the Internet, military networks, wireless networks, cloud computing and the Internet of Things to provide protection in different environments, and it can be combined with methods such as distributed computing and deep learning. Research on intrusion detection is therefore of both theoretical and practical value.

At present, many experts are working on intrusion detection models, evaluation criteria, the security of the detection system itself, detection speed, detection rate, false positive rate, false negative rate, adaptivity, distribution, methodology and feasibility, and have obtained many theoretical results. This thesis studies intrusion detection models based on rough sets and artificial immune principles. The main contents are:

1. The current mainstream intrusion detection techniques are summarized and their advantages and disadvantages compared. The discernibility matrix reduction algorithm is applied to intrusion detection to analyze logs, reduce redundant attributes and obtain the simplest decision rules, which improves detection speed. Because rough set algorithms have high computational complexity, a rough set parallel algorithm classifier is designed. In this classifier, the C-Means clustering method is introduced to preprocess the decision table and pre-classify it; the resulting subclasses are reduced block by block to obtain decision rules. Simulation results show that the rough set parallel algorithm classifier can reduce redundant attributes and improve detection speed, and that preprocessing with C-Means clustering yields effective decision rules and improves the detection rate.

2. To address the distribution and adaptivity of intrusion detection, the self/non-self model from biological immunity is introduced into intrusion detection, and the concept of "gene attribute importance" is proposed. A new model, Dynamic Immune-based Intrusion Detection using Vaccination (DIIDV), is designed. The DIIDV model gives a new vaccination strategy based on gene attribute importance, and also proposes a method of obtaining the initial antibodies using rough sets. The DIIDV model combines two detection modes, misuse detection and anomaly detection: anomaly detection detects unknown intrusions and misuse detection detects known intrusions. The corresponding DIIDV algorithm is given on the basis of the model. Simulation results show that the proposed DIIDV method has better detection performance. The vaccination strategy improves convergence speed; obtaining the initial antibodies with rough sets removes redundant attributes and improves detection speed; integrating the two detection modes improves the detection rate.

3. To address the problems of current immune-based intrusion detection, rough set methods are introduced, misuse detection and anomaly detection are combined, and self/non-self theory and danger theory are integrated to design the Integrated Intrusion Detection based on Rough Set and Artificial Immune (RSAI-IID) model. In the RSAI-IID model, first, a method of vaccine injection for intrusion detection is proposed: vaccines are obtained with rough set methods and injected, which ensures vaccine quality and optimizes detection performance. Second, the self-adjustment mechanism for important parameters in the RSAI-IID algorithm is improved. Finally, multiple detection modes are integrated to improve the detection rate: misuse detection filters out known intrusions and improves detection speed, while anomaly detection detects unknown attacks in real time. Combining self/non-self theory with the danger model improves the convergence speed and adaptivity of intrusion detection. Experiments on the KDD99 dataset verify the feasibility and effectiveness of the RSAI-IID model.
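
The discernibility matrix reduction named in item 1, shown as an added illustration that is not code from the thesis: a textbook reduct search over a small constructed decision table of KDD99-style connection records. The attribute names, the records and the exhaustive search are assumptions; the thesis's parallel classifier with C-Means pre-classification is not reproduced here.

```python
from itertools import combinations

# Constructed sample decision table: four condition attributes, last field = decision.
ATTRS = ("protocol_type", "service", "flag", "count_level")
TABLE = [
    ("tcp",  "http",    "SF", "low",  "normal"),
    ("tcp",  "http",    "S0", "high", "attack"),
    ("tcp",  "private", "S0", "high", "attack"),
    ("udp",  "domain",  "SF", "low",  "normal"),
    ("icmp", "ecr_i",   "SF", "high", "attack"),
    ("tcp",  "smtp",    "SF", "low",  "normal"),
    ("tcp",  "http",    "SF", "high", "normal"),  # busy but legitimate web traffic
]

def discernibility_matrix(table):
    """For every pair of records with different decisions, collect the
    indices of the condition attributes on which the two records differ."""
    entries = []
    for x, y in combinations(table, 2):
        if x[-1] != y[-1]:
            diff = frozenset(i for i in range(len(x) - 1) if x[i] != y[i])
            if diff:  # an empty entry is an inconsistent pair; no attribute can separate it
                entries.append(diff)
    return entries

def minimal_reducts(table, attrs=ATTRS):
    """Smallest attribute subsets that intersect every matrix entry.
    Exhaustive search, exponential in the number of attributes, which is
    the cost that motivates splitting the table into blocks first."""
    entries = discernibility_matrix(table)
    for size in range(1, len(attrs) + 1):
        found = [c for c in combinations(range(len(attrs)), size)
                 if all(e.intersection(c) for e in entries)]
        if found:
            return [tuple(attrs[i] for i in c) for c in found]
    return []

def decision_rules(table, reduct, attrs=ATTRS):
    """Project the table onto a reduct and merge duplicate rows into rules."""
    cols = [attrs.index(a) for a in reduct]
    return sorted({(tuple(r[i] for i in cols), r[-1]) for r in table})

if __name__ == "__main__":
    for reduct in minimal_reducts(TABLE):
        print(reduct, decision_rules(TABLE, reduct))
```

On this table `count_level` appears in no minimal reduct, so it is a redundant attribute, and seven records collapse to four rules.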
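[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Doctoral
[Year degree granted]: 2014
[Classification number]: TP393.08;TP18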
