基于有效载荷的多级实时入侵检测系统框架  被引量：3

作　　者：刘解放[1] 赵斌[2] 周宁[1] 

机构地区：[1]盐城工学院信息工程学院,盐城224051 [2]北京工业大学计算机学院,北京100022

出　　处：《计算机科学》2014年第4期126-133,共8页Computer Science

基　　金：国家自然科学基金(61272500)资助

摘　　要：网络入侵检测系统使用大量特征集来识别入侵,需要处理庞大的网络流量,目前大多数现有的系统缺乏实时异常检测能力。提出了一种基于有效载荷的多级实时入侵检测系统,它首先采用n-gram分析网络数据包有效载荷来构建特征模型,进行数据准备;其次采用3级迭代特征选择引擎进行特征子集选择,其中主成分分析用于数据的预处理,并结合累积能量、平行分析和碎石检验进行主成分选择;最后采用马氏距离图发现特征间及数据包间隐藏的相关性。马氏距离的差异性准则用来区分正常或攻击数据包。通过DARPA 99和GATECH数据集验证了该系统的有效性,用Web应用程序流量验证了其模型,用F值评估了其检测性能。与目前同类主流的两款入侵检测系统进行了对比试验,结果表明:该系统提高了检测精度,降低了误报率和计算复杂度。与中型企业网的真实场景相比,它具有1.3倍的高吞吐量。Intrusion detection systems use a lot of features sets to identify intrusions,so they need to deal with the huge network traffic.However,most of the existing systems lack real-time anomaly detection capability.This paper presented multilevel real-time payload-based intrusion detection system.It first uses n-gram to analyse network packet payload and build feature model for data preparation,and then uses 3-Level Iterative Feature Selection Engine for feature subset selection.Principal component analysis in 3LIFSEng is used for data preprocessing,and combining the cumulative energy,parallel analysis and gravel test,the principal component selection is made.Mahalanobis distance map is used to discover the hidden dependencies between packets and between features.Mahalanobis distance criteria is used to distinguish normal or attack data packets.DARPA 99 and GATECH datasets verify the system＇s validity.Web application traffic verifies its mode.F-value assesses its detection performance.Experimental results show that compared with the present mainstream two intrusion detection system,the system improves the detection accuracy and reduces the false positive rate and the computational complexity.Additionally,it has 1.3 time higher throughput in comparison with real scenario of medium sized enterprise network.

关 键 词：入侵检测 数据预处理 N-GRAM 主成分分析 马氏距离图 迭代特征选择 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]