用于入侵检测及取证的冗余数据删减技术研究  被引量：12

作　　者：钱勤[1,2] 张瑊[2,3] 张坤[1] 伏晓[2,3] 茅兵[3] 

机构地区：[1]江苏省高级人民法院技术处,南京210024 [2]南京大学软件学院,南京210093 [3]南京大学计算机软件新技术国家重点实验室,南京210093

出　　处：《计算机科学》2014年第B11期252-258,共7页Computer Science

基　　金：国家自然科学基金项目(61100198/F0207);国家973项目(2010CB327903)资助

摘　　要：近年来计算机犯罪逐年增多,并已成为影响国家政治、经济、文化等各个领域正常发展的重要因素之一。入侵检测技术与入侵取证技术对于打击计算机犯罪、追踪入侵、修补安全漏洞、完善计算机网络安全体系具有重要意义。但是,随着网络的普及以及计算机存储能力的提升,入侵检测及取证技术目前需要分析的往往是GB乃至TB级的海量数据,而且有用信息往往湮没在大量由正常系统行为触发的冗余事件之中。这无疑给分析过程带来了巨大的挑战,也使分析结果的准确性不高。因此,如何设计出一种自动冗余数据删减技术来提高入侵检测及取证方法的准确率及效率,是当前入侵检测和取证领域的关键问题之一。文中即对这方面已有的研究工作进行了综述,首先介绍了冗余数据删减技术的发展历程及其在医学数据分析等传统领域的应用,然后重点介绍了针对入侵检测和入侵取证的现有各种冗余数据删减方法,最后通过对当前冗余数据删除技术的比较,指出了该领域当前存在的问题及未来的研究方向。For the past few years,the amount of computer crime has been increasing year by year,and it is threatening various aspects of human society such as national politics,economy,and culture,etc.In modern society,the research on intrusion forensics and intrusion detection plays a significant role for fighting against computer crime,tracing intrusion,patching vulnerability and improving security system of computer network.However,with the popularity of Internet and the improving capacity of computers＇ storage,we often need to handle mass data about GB size,even up to TB size for intrusion forensics and intrusion detection.It inevitably makes much useful information submerge in redundant events,which brings about a huge challenge and low accuracy of analysis result.So it will be a topmost breakthrough to design a kind of technology for reducing redundant data and improving its accuracy and efficiency.This paper summarized several methods on intrusion forensics and intrusion detection.Firstly,this paper discoursed the development course of redundancy-reducing techniques and the application in traditional field such as medical domain.Then it systematically introduced all kinds of redundancy-reducing methods in intrusion forensics and intrusion detection.Finally,it figured out the existing problems and research direction in the future.It also gave some conclusions through the comparison on current situation of redundant data reducing techniques.

关 键 词：入侵检测 入侵取证 冗余数据删减 

分 类 号：TP393.08[自动化与计算机技术—计算机应用技术]