Affiliations: [1] School of Software Engineering, Beijing Jiaotong University, Beijing 100044 [2] School of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044
Source: Journal of Computer Research and Development (计算机研究与发展), 2010, No. 3, pp. 485-492 (8 pages)
Funding: National Natural Science Foundation of China project (60442002)
Abstract (translated from the Chinese): As Internet and other computer network applications grow, security problems become increasingly prominent, and the need for intrusion detection systems with active-defense characteristics is becoming urgent. This paper proposes a lightweight online adaptive network anomaly detection system model and gives the related algorithms. The system learns from and checks real-time network data streams online, gradually builds a normal-pattern base and an intrusion-pattern base for the network under a small amount of supervision, and updates them dynamically according to how the network is used. In the detection phase the system raises alarms on anomalous data and identifies previously unseen intrusions. The system structure is simple, and both the time and space complexity of its computation are low, meeting the requirements of online processing of network data. In tests on the DARPA KDD 99 intrusion detection dataset, the 10% training set and the test set were fed into the system sequentially, once, as a data stream; the system completed all learning and detection tasks within 40 s and achieved a detection rate of 91.32% and a false positive rate of 0.43%. The experimental results show that the system is practical, its detection performance is satisfactory, and it performs well at identifying new intrusions.
Abstract (English, as given): The extensive usage of the Internet and computer networks makes security a critical issue. There is an urgent need for network intrusion detection systems which can actively defend networks against the growing security threats. In this paper, a lightweight online adaptive network anomaly detection system model is presented. The related influence-function-based anomaly detection algorithm is also provided. The system can process a network traffic data stream in real time, gradually build up its local normal pattern base and intrusion pattern base with a little supervision from the administrator, and dynamically update the contents of the knowledge base as the network application patterns change. In checking mode, the system can detect not only the learned intrusion patterns but also unseen intrusion patterns. The model has a relatively simple architecture, which makes it efficient for processing online network traffic data. The detection algorithm also takes little computational time and memory space. The system is tested on the DARPA KDD 99 intrusion detection datasets. It scans the 10% training dataset and the testing dataset only once. Within 40 seconds the system can finish the whole learning and checking tasks. The experimental results show that the presented model achieves a detection rate of 91.32% and a false positive rate of only 0.43%. It is also capable of detecting new types of intrusions.
Keywords: network intrusion detection; online adaptive; influence function; data stream; anomaly detection
Classification code: TP393.08 [Automation and Computer Technology: Computer Application Technology]