Research and Implementation of a Network Intrusion Detection System Based on a Distributed Architecture

Published: 2018-12-05 12:57
[Abstract]: With the continuous development of Internet technology and its wide use in every field, network security has become especially prominent and important. Traditional network protection relies mainly on passive defenses such as firewalls and access control, which can no longer cope with increasingly complex intrusion behavior. Intrusion detection, as an active-defense network security technology, can quickly identify intrusions and raise alerts in response, and it is applicable to different network environments. However, unknown intrusion methods are hard to detect before they are understood, so attacks go unreported (false negatives), which leaves hidden risks for network security.

This thesis combines a distributed architecture with data mining techniques to improve the accuracy, effectiveness, processing capacity and predictive ability of intrusion detection. It first introduces the intrusion detection models, technique classifications and system architectures in common use, and analyzes and compares their strengths and weaknesses. It also explains the principles and workflow of data preprocessing, classification analysis and cluster analysis in data mining, and their application to intrusion detection.

To address the problems and shortcomings of existing intrusion detection systems, the thesis designs a network intrusion detection system based on a distributed architecture and gives the detailed design and implementation of each functional module. The system consists of one master control node server and a number of detection agent nodes. Each agent node inspects the data flows within its own network domain according to its local detection rules; when it detects unknown behavior, it hands that behavior to the master control node server for prediction. The format of the messages exchanged between nodes is also defined. Building on the distributed system architecture and the idea of outlier mining, the thesis designs a fully supervised membership classification algorithm for distributed environments (DFMCA), which gives the IDS the ability to predict unknown behavior quickly without affecting the normal operation of the detection module, and which is expected to achieve higher accuracy than existing classification algorithms.

Finally, test experiments on each module of the system confirm that the system has strong processing capacity, predictive ability, flexibility and scalability, and that it effectively reduces the false negative rate and the false positive rate. An analysis of the results and an outlook on future work on this topic are also given.
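[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Master's
[Year degree awarded]: 2014
[Classification number]: TP393.08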


