Research on a Dynamic Adaptive Intrusion Detection Model Based on Clustering Analysis
Published: 2018-08-11 17:18
[Abstract]: With the continuous improvement of network infrastructure and the growing richness of network applications, their convenience and efficiency have led people to base more of their study, daily life and work on the network, for example enterprise management and electronic commerce. Large amounts of data must be stored and transmitted securely, with their confidentiality, integrity and availability guaranteed. The more people depend on network applications, the greater the loss when an application system is compromised. Existing network application systems are open systems: on the one hand this openness meets the need for information sharing, on the other hand it gives hackers the opportunity to launch attacks, exploiting the various security vulnerabilities present in complex interconnected networks and host systems and causing a degree of loss to organizations and individuals. Existing network application security defences cannot guarantee that a whole system contains no vulnerabilities, so intrusion detection systems play a very important role in network security and are a necessary complement to other protective measures. Existing research on intrusion detection is not yet sufficient, and the research in this thesis, carried out against this background, is therefore of real significance.

This thesis first introduces the concept and development of intrusion detection, the more influential international recommendations for intrusion detection standards, the techniques commonly used in intrusion detection, and classifications of intrusion detection from different perspectives. It then describes how data mining algorithms can be applied to intrusion detection, analyses their advantages and disadvantages, and analyses the types and features of intrusions found on networks. Finally it describes in detail the detection model proposed here, including the overall workflow of the detection model, the selection of the attribute subset used for intrusion detection, the data preprocessing method and the clustering algorithm used for detection, and verifies and analyses the proposed model experimentally.

Most existing research on clustering-based intrusion detection improves detection by modifying the clustering algorithm and does not make full use of the known intrusion feature information, even though a large body of feature information on known intrusion types is already available. Because they assume that nothing is known about the features of the data being examined, these modified clustering algorithms often have high space and time complexity and cannot keep up with ever-increasing network bandwidth and the large volumes of data an intrusion detection system must examine. Building on an analysis of intrusion features, this thesis proposes an attribute set selection method for intrusion detection. It then designs a new intrusion detection model that makes full use of the available intrusion information: the centre vectors computed for each known type serve as the initial cluster centres of an improved K-Means algorithm. This effectively addresses the difficulty of choosing initial cluster centres for K-Means, which can otherwise lead to a local optimum, while keeping the algorithm simple. Because the centre vectors of the known types characterise the distribution of the examined data well, the detection model converges well and can meet the ever-higher bandwidth demands of current networks. When a new, unknown intrusion type is detected, the intrusion detection rule base is updated promptly, giving the model a dynamic detection capability that adapts to a changing network intrusion environment. Experiments show that the model is effective: it can detect a specific known intrusion type and can effectively discover new intrusion types as they appear.
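The seeded K-Means scheme the abstract describes, as an added example that is not the thesis's own code: the centre vector of each known intrusion type, computed from already-labelled records, seeds the clustering; records that lie far outside every stored type are treated as a candidate new type, and its centre is added to the rule base before the batch is re-clustered. The three-attribute subset, the type names and every record below are constructed for illustration, and the acceptance radius (1.5 times the largest distance seen in the labelled members) is an assumed tuning choice.

```python
"""Seeded K-Means intrusion detection with dynamic rule-base update.

Added example, not the thesis's code. The centre vector of every known
intrusion type (computed from already-labelled records) seeds the K-Means
run, and records that lie far outside every known type form a candidate
new type whose centre is added to the rule base. The attribute subset,
the type names and all records below are constructed for illustration.
"""
from math import sqrt

# Constructed labelled records, (feature vector, known type).  The assumed
# attribute subset is [connections per second, failed-login ratio,
# bytes-out / bytes-in ratio].
LABELLED = [
    ([1.0, 0.0, 1.0], "normal"), ([1.2, 0.1, 0.9], "normal"), ([0.8, 0.0, 1.1], "normal"),
    ([9.0, 0.0, 0.1], "dos"),    ([9.5, 0.1, 0.2], "dos"),    ([8.5, 0.0, 0.1], "dos"),
    ([3.0, 0.9, 0.5], "probe"),  ([3.2, 0.8, 0.6], "probe"),  ([2.8, 1.0, 0.4], "probe"),
]

# Constructed unlabelled batch: five records of known types plus three that
# match none of them.
BATCH = [
    [1.1, 0.0, 1.0], [0.9, 0.1, 1.0],
    [9.2, 0.0, 0.1], [8.8, 0.1, 0.2],
    [3.1, 0.9, 0.5],
    [1.0, 0.95, 0.05], [1.1, 1.0, 0.1], [0.9, 0.9, 0.05],
]


def euclid(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def mean_vector(points):
    return [sum(p[i] for p in points) / len(points) for i in range(len(points[0]))]


def build_rule_base(labelled):
    """Map each known type to (centre vector, radius).

    The radius is the largest distance of a labelled member from its own
    centre; it bounds how far a record may lie from a stored centre and still
    be accepted as that type.
    """
    groups = {}
    for vec, typ in labelled:
        groups.setdefault(typ, []).append(vec)
    rule_base = {}
    for typ, vecs in groups.items():
        centre = mean_vector(vecs)
        rule_base[typ] = (centre, max(euclid(v, centre) for v in vecs))
    return rule_base


def seeded_kmeans(points, seeds, max_iter=100):
    """K-Means whose initial centres are the given seeds (type name -> vector).

    Returns (final centres by type name, type label per point).  A cluster
    that receives no points keeps its seed instead of becoming empty.
    """
    names = list(seeds)
    centres = [list(seeds[n]) for n in names]
    assign = None
    for _ in range(max_iter):
        new_assign = [min(range(len(centres)), key=lambda k: euclid(p, centres[k]))
                      for p in points]
        if new_assign == assign:        # assignments stable: converged
            break
        assign = new_assign
        for k in range(len(centres)):
            members = [p for p, a in zip(points, assign) if a == k]
            if members:
                centres[k] = mean_vector(members)
    return dict(zip(names, centres)), [names[a] for a in assign]


def detect(points, rule_base, slack=1.5, min_new=3):
    """Label a batch and return (labels, possibly extended rule base).

    A record is accepted as its assigned type only if it lies within
    slack * radius of that type's *stored* centre.  The stored centre is used
    rather than the re-estimated one because K-Means drags a centre towards
    any outliers that were assigned to it.  If at least min_new records are
    rejected they form a candidate new type: its centre joins the rule base
    and the batch is re-clustered with the extra seed.
    """
    seeds = {typ: centre for typ, (centre, _) in rule_base.items()}
    _, labels = seeded_kmeans(points, seeds)
    rejected = [p for p, typ in zip(points, labels)
                if euclid(p, rule_base[typ][0]) > slack * rule_base[typ][1]]
    if len(rejected) < min_new:
        labels = ["unknown" if p in rejected else typ for p, typ in zip(points, labels)]
        return labels, dict(rule_base)
    centre = mean_vector(rejected)
    updated = dict(rule_base)
    updated[f"new-type-{len(rule_base) + 1}"] = (centre, max(euclid(p, centre) for p in rejected))
    _, labels = seeded_kmeans(points, {typ: c for typ, (c, _) in updated.items()})
    return labels, updated


if __name__ == "__main__":
    rules = build_rule_base(LABELLED)
    labels, rules = detect(BATCH, rules)
    for rec, typ in zip(BATCH, labels):
        print(rec, "->", typ)
    print("rule base now holds:", sorted(rules))
```

Seeding from the known centres is what removes the random-initialisation problem the abstract mentions: every known type starts with a centre already inside its own region, so the run converges in a couple of iterations on this batch. The acceptance test deliberately measures against the stored centre, because on the constructed batch the three unmatched records are first absorbed into the "normal" cluster and drag its re-estimated centre far enough that genuine normal records would otherwise be rejected too.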
[Degree-granting institution]: Taiyuan University of Technology
[Degree level]: Master's
[Year degree granted]: 2013
[Classification number]: TP311.13;TP393.08
Paper ID: 2177691
Link to this paper: https://www.wllwen.com/guanlilunwen/ydhl/2177691.html