Design and Implementation of a Network Intrusion Detection System Based on Qualitative Mapping
Abstract
The rapid development of network technology has brought great convenience to people's daily work, and the role of the network grows ever more important; at the same time, it brings security problems. As attack tools multiply and become easier to use, intrusion incidents grow increasingly rampant. To strengthen network security, people have adopted various network security technologies. Intrusion detection is a new generation of security technology that follows traditional protective measures such as firewalls and data encryption; it is regarded as the second line of defence behind the firewall, identifying and responding to malicious use of computer and network resources. As an active information security measure, intrusion detection effectively compensates for the shortcomings of traditional protection techniques. By building a dynamic security cycle, it raises a system's security assurance capability as far as possible and reduces the harm that security threats cause to the system. Intrusion detection has now become an important branch of network security.
Building on an in-depth analysis of network security knowledge and attack detection methods, this thesis applies the methods of Attribute Theory to the field of intrusion detection and designs and implements a network intrusion detection system based on qualitative mapping. Because recognising an intrusion can be treated as a conjunction-based judgment of a complex property, and a qualitative mapping whose qualitative criterion is an interval array can be expressed as a single qualitative judgment operation determined by multidimensional attributes, such a qualitative mapping can be used to recognise network packets.
Following the ideas of Attribute Theory, the thesis performs feature extraction on captured network packets and draws out twelve representative attributes to form a feature vector. For each class of attack, a binary weight {0, 1} is introduced to express how much each component influences the final result. The weighted feature vector is then used as the key to search the intrusion feature pattern library; if it is found, the behaviour is classified as an attack. For the string matching involved, an improved BM (Boyer-Moore) algorithm is used.
Extensive testing shows that the qualitative-mapping-based network intrusion detection system recognises many classes of attack well, with low false positive and false negative rates, laying a good foundation for further research on intrusion detection.
With the rapid development of network technology, many conveniences have been brought to people. The role of the network has become more and more important; meanwhile, network security problems have come into being. With the growing number and convenience of attack tools, attack events are increasing rapidly. In order to enhance security, people apply all kinds of network security technology. Intrusion detection is a new security technology, distinct from traditional protection technologies such as firewalls and data encryption. Intrusion detection is regarded as the second safety door after the firewall: it recognises and reacts to malicious intrusions or suspicious activities on computer and network resources. As an active measure of information security assurance, intrusion detection acts as an effective complement to traditional security protection techniques. By building a dynamic security circle, it improves the assurance ability of information systems to the utmost extent and reduces the danger that security threats bring to systems. At present, intrusion detection has become an important branch of network security.
After thoroughly analysing network security knowledge and attack detection methods, this paper applies Attribute Theory to the intrusion detection field and develops a network intrusion detection system based on Qualitative Mapping. Intrusion behaviour recognition can be considered an intricate property judgement based on conjunction, and a Qualitative Mapping whose Qualitative Criterion is an interval array can be understood as a qualitative judgement operation decided by multidimensional attributes. Therefore, we can use Qualitative Mapping with an interval array as Qualitative Criterion to recognise network data packets.
According to Attribute Theory, we extract twelve attributes that represent each packet from every network data packet we capture and obtain an eigenvector composed of those twelve attributes. For every kind of attack behaviour, we use bivalent weights {0,1} to indicate how strongly each component influences the final result. Then we search the intrusion feature pattern library for the eigenvector processed by these weights. If it is found, this vector belongs to attack behaviour. Furthermore, during string matching we adopt the improved BM algorithm.
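As an added illustration of the method the abstract describes (example code written here, not from the thesis): each attack class in the pattern library is an interval array over the twelve packet attributes plus a {0,1} weight vector; a packet matches when every weighted attribute falls inside its interval (the conjunctive qualitative judgment), and an optional payload pattern is checked with Boyer-Moore-Horspool as a stand-in for the thesis's improved BM variant. The attribute names, signatures and packets are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Constructed example (not the thesis's code). The 12 attribute names below are
# assumed; the thesis fixes only the count. Vectors use this order:
#  proto, src_port, dst_port, ip_len, ttl, tcp_flags, win, frag_off, payload_len,
#  icmp_type, icmp_code, ip_id
ANY = (float("-inf"), float("inf"))   # interval that accepts every value

@dataclass
class Signature:
    name: str
    criterion: List[Tuple[float, float]]  # interval array = qualitative criterion
    weight: List[int]                     # binary weights {0,1}: dims that count
    payload: Optional[bytes] = None       # byte pattern matched in the payload

def qualitative_map(x: List[float], sig: Signature) -> bool:
    # Conjunction of per-attribute interval judgments over the weighted dimensions.
    return all(lo <= xi <= hi
               for xi, (lo, hi), w in zip(x, sig.criterion, sig.weight) if w)

def horspool_find(text: bytes, pattern: bytes) -> int:
    # Boyer-Moore-Horspool (stand-in for the thesis's "improved BM"): index or -1.
    m = len(pattern)
    if m == 0:
        return 0
    skip = {pattern[i]: m - 1 - i for i in range(m - 1)}  # last-occurrence shifts
    i = 0
    while i + m <= len(text):
        if text[i:i + m] == pattern:
            return i
        i += skip.get(text[i + m - 1], m)
    return -1

def classify(x: List[float], payload: bytes, library: List[Signature]) -> List[str]:
    # Every signature whose interval judgment and (optional) payload pattern both hold.
    return [s.name for s in library if qualitative_map(x, s) and
            (s.payload is None or horspool_find(payload, s.payload) >= 0)]

# Constructed signatures: a bare TCP SYN to a privileged port; an HTTP request with "../".
LIBRARY = [
    Signature("tcp_syn_probe",
              [(6, 6), ANY, (0, 1023), ANY, ANY, (2, 2), ANY, ANY, (0, 0), ANY, ANY, ANY],
              [1, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0]),
    Signature("http_traversal",
              [(6, 6), ANY, (80, 80), ANY, ANY, ANY, ANY, ANY, (1, 65535), ANY, ANY, ANY],
              [1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0], payload=b"../"),
]
# Constructed packet vectors (attribute order above) and payloads.
SYN_PKT = [6, 40000, 22, 40, 64, 2, 1024, 0, 0, 0, 0, 1]
GET_PKT = [6, 40001, 80, 120, 64, 24, 1024, 0, 80, 0, 0, 2]
GET_PAYLOAD = b"GET /../../private.txt HTTP/1.0\r\n"
```

A zero weight makes that dimension a don't-care, so the same feature extractor serves every signature; only the weighted intervals decide the judgment.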
Testing on a great many examples shows that the network intrusion detection system based on Qualitative Mapping recognises various attack behaviours well. Moreover, the system has lower false positive and false negative rates, which lays a good foundation for us to further study intrusion detection.
    Liao Xiaoyan (Computer Software and Theory) Directed by Prof. Feng Jiali