Host Intrusion Activities Detection Based on Data Mining Method

Authors: 昝鑫 [1], 韩崇昭 [1], 姚婷婷 [1], 韩九强 [1]

Affiliation: [1] School of Electronic and Information Engineering, Xi'an Jiaotong University, Xi'an 710049

Source: Journal of Xi'an Jiaotong University (西安交通大学学报), 2005, No. 4, pp. 364-367 (4 pages)

Funding: National High Technology Research and Development Program of China (2001AA40213); National Natural Science Foundation of China (60243001); National Key Basic Research and Development Program of China (2001CB309403).

Abstract: A sequential pattern mining method is presented for obtaining the frequent intrusion command sequences executed by intruders. The frequent intrusion commands are transformed into detection rules for the low-level intrusion detection sensor in order to detect suspicious user behaviour. To eliminate false alarms, an intrusion correlation engine based on intrusion incident state is designed, with the frequent intrusion command sequences used as the association rules. A novel intrusion correlation algorithm is also presented; it considers both the sequential relations within each class of host intrusion activity and the causal relations between different classes of host intrusion activity in computing the probability of an intrusion, and so reflects the diversity and complexity of host intrusion activities. Experimental results show that this intrusion correlation model detects every class of host intrusion activity well: it improves the detection rate and significantly reduces the false alarm rate, in particular reducing the false alarm rate for tool-downloading activities and system-information-gathering activities by about 20 percent.

Keywords: network security; intrusion detection; host intrusion activities; sequential pattern mining

CLC number: TP393.3 [Automation and computer technology: computer application technology]
