Intrusion Detection Model and Algorithms Based on Multi-Dimensional Data Stream Mining (original Chinese title: 基于多维数据流挖掘技术的入侵检测模型与算法)  Cited by: 25

An Intrusion Detection Model Based on Mining Multi-Dimension Data Streams


Authors: 毛国君 [1], 宗东军 [1]

Affiliation: [1] College of Computer Science, Beijing University of Technology, Beijing 100124, China

Source: Journal of Computer Research and Development (《计算机研究与发展》), 2009, No. 4, pp. 602-609 (8 pages)

Funding: National Natural Science Foundation of China (60873145); National "973" Key Basic Research Development Program (2007CB311100)

Abstract: Network access data have the characteristics of a data stream: they arrive at high speed and without bound, so building an intrusion detection model with traditional mining techniques that scan a database multiple times is not feasible. Targeting these characteristics of network access data streams, this paper proposes an intrusion detection model based on multi-dimensional data stream mining. The model integrates the two traditional intrusion detection approaches, misuse detection and anomaly detection, so it overcomes the inability of the widely used misuse detection approach to detect new attack types while retaining high detection efficiency. The structure of a network access record is complex: one access behavior is always associated with many attributes, which makes analysis difficult. The paper therefore introduces concepts such as multi-dimensional frequency to solve the problems of representing and generating patterns over network data streams. Based on the characteristics of multi-dimensional frequent patterns, a new data structure, MaxFP-Tree, is proposed, and on top of it an efficient learning algorithm for mining network access data streams, MaxFPinNDS, is given. MaxFPinNDS mines with a decay mechanism and can quickly form the maximal frequent itemsets implied by the most recent data of a stream. Experiments show that the designed intrusion detection model is effective.

Abstract (English, as published): Network data are always high-speed and unlimited. Typical data mining methods, which always do multi-scanning to databases, do not fit in with constructing intrusion detection model for high-speed network data streams. Proposed in this paper is a new intrusion detection model based on mining multi-dimension data streams. It combines anomaly detection mechanisms with misuse detection techniques, and thus it can mine new attack types as well as anomaly detection techniques do, and has a high detection efficiency like the misuse detection mechanism. In fact, a network access data stream has a complex structure, that is, an accessing behavior always needs a lot of attributes to express, and so analyzing a network access data stream is a hard work. Through using the multi-dimensional frequency technique, this paper solves the problems of pattern expression and generation for network access data streams. A new data structure called MaxFP-Tree is proposed, and a new algorithm called MaxFPinNDS to mine frequent patterns from data streams is designed. Due to using damped window techniques, the algorithm MaxFPinNDS can efficiently and effectively find out maximal frequent itemsets in recent period of a data stream. The experiment results show that the proposed algorithms and models are very effective to intrusion detection on network.

Keywords: multi-dimensional data streams; intrusion detection; anomaly detection; misuse detection; maximal frequent itemsets

Classification: TP309 [Automation and Computer Technology: Computer System Architecture]
