Research and Implementation of a Sequence-Based Multi-Step Attack Logic Mining Algorithm
Published: 2018-08-13 17:20
[Abstract]: Intrusion detection, as a key technology and an important means of protecting computer networks from threats, is a central research topic in network security. As network technology develops, new attack types keep emerging; complex types such as distributed attacks and multi-step attacks are not only well concealed but often far more damaging. Among the attacks on application systems, malicious behaviours with the same intent often appear as different sequence combinations, so existing intrusion detection systems, when capturing causally related malicious behaviour, have difficulty reconstructing the real attack scenario. To identify the complex logical relations within multi-step attacks accurately, this thesis focuses on attack detection methods based on sequence analysis. It first studies a behaviour extraction mechanism based on IP equivalence classes, analyses the threshold on the size of an IP equivalence class and gives a principle for choosing a reasonable threshold; with IP equivalence classes, network behaviour sequences can be extracted automatically without any parameters or prior knowledge. The extracted behaviour sequences are then described by means of an alert correlation graph, on which a sliding-window N-gram association algorithm generates a dissimilarity matrix; the N-gram association algorithm is used to accommodate variation between behaviour sequences, behaviour interleaving and the insertion of long segments. Finally, manifold learning extracts meaningful features from the large feature set, and these are combined with various classification algorithms to identify suspicious or malicious behaviour sequences. The above work was simulated in a Python environment; the overall simulation structure and module design are given, and experimental results on the real data set Acer07 show that the implemented algorithm achieves higher detection accuracy than existing results.
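The abstract names a sliding-window N-gram association step that turns behaviour sequences into a dissimilarity matrix and is meant to tolerate interleaved events and inserted segments. The block below is an added illustration of that idea written for this page; it is not code from the thesis, whose actual definitions of the window, the N-gram and the dissimilarity measure are not given in the abstract. It assumes that a behaviour sequence is an ordered list of alert-type labels, that an N-gram is any N events occurring in order inside a sliding window (so interleaved noise does not break every gram), and that dissimilarity is 1 minus the weighted Jaccard overlap of two sequences' N-gram multisets. The alert types and sequences are constructed, not taken from Acer07.

```python
"""Sliding-window N-gram dissimilarity matrix over network behaviour sequences.

Added illustration, not code from the thesis. Assumptions (not in the abstract):
a behaviour sequence is an ordered list of alert-type labels; an N-gram is any
N events occurring in order inside a sliding window; dissimilarity is 1 minus
the weighted Jaccard overlap of two sequences' N-gram multisets. The labels and
sequences below are constructed.
"""
from collections import Counter
from itertools import combinations


def windowed_ngrams(seq, n=2, window=3):
    """Multiset of N-grams drawn from a sliding window.

    For every position i the gram's first event is seq[i]; the remaining n-1
    events are any in-order choice from the next window-1 events. With
    window == n this degenerates to ordinary contiguous N-grams.
    """
    if n < 1 or window < n:
        raise ValueError("need 1 <= n <= window")
    grams = Counter()
    for i, head in enumerate(seq):
        tail = seq[i + 1:i + window]
        for rest in combinations(tail, n - 1):
            grams[(head,) + rest] += 1
    return grams


def dissimilarity(a, b, n=2, window=3):
    """1 - weighted Jaccard similarity of the two sequences' N-gram multisets.

    0.0 means identical gram content, 1.0 means no gram in common.
    """
    ga, gb = windowed_ngrams(a, n, window), windowed_ngrams(b, n, window)
    union = sum((ga | gb).values())
    if union == 0:
        return 0.0
    return 1.0 - sum((ga & gb).values()) / union


def dissimilarity_matrix(sequences, n=2, window=3):
    """Symmetric matrix over a dict name -> sequence; returns (names, matrix)."""
    names = list(sequences)
    size = len(names)
    matrix = [[0.0] * size for _ in range(size)]
    for i, j in combinations(range(size), 2):
        d = dissimilarity(sequences[names[i]], sequences[names[j]], n, window)
        matrix[i][j] = matrix[j][i] = d
    return names, matrix


# Constructed alert-type labels and behaviour sequences (not from the Acer07 data).
SCAN, PROBE, BRUTE, LOGIN, PRIVESC, EXFIL = (
    "port_scan", "vuln_probe", "ssh_bruteforce", "login_ok", "privesc", "large_outbound")
NOISE = "dns_query"

SEQUENCES = {
    # the reference multi-step attack
    "attack": [SCAN, PROBE, BRUTE, LOGIN, PRIVESC, EXFIL],
    # the same attack with benign events interleaved
    "attack_interleaved": [SCAN, NOISE, PROBE, BRUTE, NOISE, LOGIN, PRIVESC, NOISE, EXFIL],
    # the same attack with a long benign segment inserted mid-way
    "attack_inserted": [SCAN, PROBE, BRUTE] + [NOISE] * 5 + [LOGIN, PRIVESC, EXFIL],
    # benign host: lookups and logins only
    "benign": [NOISE, LOGIN, NOISE, NOISE, LOGIN, NOISE],
}


def demo():
    """Print the matrix; both attack variants sit closer to the attack than benign does."""
    names, matrix = dissimilarity_matrix(SEQUENCES)
    width = max(len(name) for name in names)
    print(" " * width, *[name[:8].rjust(8) for name in names])
    for name, row in zip(names, matrix):
        print(name.ljust(width), *[f"{d:8.3f}" for d in row])
    return names, matrix


if __name__ == "__main__":
    demo()
```

Comparing `window=2` (plain contiguous bigrams) with `window=3` on the interleaved sequence shows why the window matters: with contiguous bigrams almost every attack gram is split by the interleaved noise, whereas the windowed grams keep most of the attack's step pairs. An inserted segment longer than the window still breaks the grams that span it, so the window size has to be chosen against the expected gap between attack steps, which is the kind of threshold question the abstract raises for the IP equivalence classes as well.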
[Degree-granting institution]: Xidian University
[Degree level]: Master's
[Year degree conferred]: 2014
[Classification number]: TP393.08
Document ID: 2181666
Link to this document: https://www.wllwen.com/guanlilunwen/ydhl/2181666.html