基于高斯混合模型的IPS日志异常IP地址检测技术研究  

作　　者：周峰 郭娴 林昕 赵汉青 Zhou Feng;Guo Xian;Lin Xin;Zhao Hanqing(China Center for Information Industry Development,Beijing,100036;Faculty of Electronic and Information Engineering,Xi’an Jiaotong University,Xi’an Shanxi,710049;China Industrial Control Systems Cyber Emergency Response Team,Beijing,100040;Research Center for Computer and Microelectronics Industry Development(China Software Testing Center),Beijing,100048)

机构地区：[1]中国电子信息产业发展研究院,北京100036 [2]西安交通大学电子与信息学部,陕西西安710049 [3]国家工业信息安全发展研究中心,北京100040 [4]中国软件评测中心(工业和信息化部软件与集成电路促进中心),北京100048

出　　处：《工业信息安全》2022年第4期32-38,共7页Industry Information Security

摘　　要：入侵防御系统(IPS)是一种广泛使用的安全系统,其将所阻止的攻击生成日志,供管理人员审查和进一步处理。然而,实际IPS日志中的大多数条目都不是攻击条目,这使得管理员无法通过简单的日志分析获得攻击者的IP地址。传统的日志分析方法依赖于管理员手动分析日志文本。因此,有必要使用异常检测方法进行分析。现有的大多数基于数据的异常自动检测方法,在保证计算要求和模型可解释性的前提下,无法获得令人满意的结果。采用高斯混合模型(GMM,Gaussian mixture model)对日志数据集上的异常IP地址进行检测。GMM方法提供了更好的检测结果,同时确保了相对较低的计算要求,并保持了模型的可解释性。实验表明,GMM方法检测IP地址异常的能力较强,是一种适合于基于日志数据的IP异常自动检测方法。The intrusion prevention system(IPS)is a widely used security system which generates logs for the attacks blocked by it for management personnel to review and conduct further processing.However,most of the entries in the actual IPS logs are not attack entries,which makes it impossible for us to obtain the attacker’s IP address through simple log analysis.The traditional log analysis methods rely on the administrator to manually analyze the log text.So it is necessary to use anomaly detection methods for analysis.The majority of existing log data-based automatic detection methods for anomalies cannot get an satisfying result while ensuring computational requirements and the interpretability of the model.This paper chose the Gaussian Mixture Model(GMM)to detect abnormal IP address on the log dataset.The GMM method provides better detection results while ensuring relatively low computational requirements,and maintains the interpretability of the model.Experiments show that the ability of GMM method to detect abnormal IP address is strong,and the GMM is a suitable log data-based automatic detection method for detecting abnormal IP address.

关 键 词：入侵防御系统(IPS) IP日志 IP异常检测 高斯混合模型 

分 类 号：TP393.08[自动化与计算机技术—计算机应用技术]