
Research on Key Technologies of Machine-Learning-Based Intrusion Detection and Alert Correlation

Published: 2018-03-07 18:20

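  Topic: intrusion detection. Entry point: feature dimensionality reduction. Source: Beijing University of Posts and Telecommunications, 2016 doctoral dissertation. Document type: degree thesis.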


[Abstract]: Network technology is ever more deeply embedded in people's work and daily life, and the Internet has become critical infrastructure carrying massive amounts of data. Along with the great convenience it brings, network attacks follow like a shadow, and network security faces serious threats. Intrusion detection and alert correlation are important components of the network security technology stack: intrusion detection collects and analyzes relevant network data to discover attack behavior in time and reduce security threats, while alert correlation performs fusion analysis of multi-source information, extending the scope of intrusion detection and improving alert quality. As networks grow in scale and attack techniques become more diverse and complex, the dimensionality and volume of the data to be analyzed keep increasing, and traditional intrusion detection and alert correlation analysis methods face great challenges in handling massive high-dimensional data. Drawing on machine learning techniques, and with the goal of improving intrusion detection performance and the degree of automation of alert correlation, this thesis studies feature dimensionality reduction, data stream classification, anomaly detection, and correlation rule generation, and achieves certain innovative results. The main research work is as follows:

1. To address the problem that processing massive high-dimensional data during intrusion detection is time-consuming, laborious, and poorly suited to real-time use, feature dimensionality reduction is studied by combining rough set theory with principal component analysis. The goal of feature dimensionality reduction is to reduce the number of feature dimensions and improve the efficiency of data analysis without reducing the classification capability and representational capability of the data. This thesis proposes a new feature dimensionality reduction method that combines rough set theory and principal component analysis: it uses the discernibility matrix and information entropy to perform feature selection, constructs a weighted kernel function to perform feature mapping and feature extraction, and combines the two methods to carry out multi-level deep extraction of the original data features, obtaining a more concise high-level feature representation and improving the real-time performance of intrusion detection.

2. Classification is a technique frequently used in misuse detection, and the classification model is usually trained on labeled data. The dynamic data-stream nature of the data to be analyzed and the high cost of obtaining labeled data pose challenges to traditional methods. To address this problem, this thesis proposes a data stream classification method based on decision feedback. First, based on ensemble learning, it trains an initial classification model on the labeled data chunks in the data stream and uses that model to make an initial decision on the types of the unlabeled data. It then uses those decision results to train a clustering model based on the unlabeled data, which provides constraint information for data classification, so that the supervised ensemble classification model can be extended to a semi-supervised one. Finally, it determines data types precisely according to the principle of maximizing model consistency, achieving the goal of using unlabeled data to improve classification performance.

3. Anomaly detection identifies abnormal behavior such as network intrusions by building a profile model of normal user behavior. In real environments, the purity and completeness of the normal-behavior dataset are hard to guarantee, which affects the performance of the anomaly detection model. To address this problem, this thesis combines active learning to propose an enhanced one-class support vector machine anomaly detection model based on a semi-supervised approach. The method first uses a one-class support vector machine to build an anomaly detection model in an unsupervised manner, then uses active learning to select a small amount of data for labeling, and uses the labeled data to extend the model to a semi-supervised one-class support vector machine model. The selection strategy and termination condition of active learning are modified to accommodate both the data purity and the completeness requirements, so that a large improvement in anomaly detection performance is obtained at a small labeling cost.

4. Alert correlation is one of the research hotspots in the network security field. It performs correlation analysis on events reported by security devices by means of predefined rule directives, revealing the meaningful connections hidden behind discrete events. Research in this field has concentrated mostly on correlation methods and rule representation, while obtaining and updating correlation rules still depends largely on manual intervention, which limits the adaptability of the approach. To address this problem, this thesis proposes a correlation rule generation method based on neural networks and genetic programming. The method first uses a neural network model to classify events by attack scenario, extracts rule items from the classification results and produces a training set, and then uses genetic programming to generate and optimize correlation rules, completing the automatic generation and updating of correlation rules and thereby improving the degree of automation and the adaptive capability of correlation analysis.

In summary, against the background of increasingly complex and diverse network attacks, and in view of the challenges facing current intrusion detection and alert correlation methods, this thesis uses machine learning methods to study feature extraction, data classification, anomaly detection, and correlation rule generation in depth, proposes solutions, and verifies their feasibility and accuracy through experiments. The results of this research help improve the efficiency and accuracy of intrusion detection, raise the degree of automation and the adaptive capability of correlation analysis, and help people perceive potential threats in massive data more accurately and in closer to real time.

[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Doctoral
[Year degree granted]: 2016
[Classification number]: TP393.08; TP181


Article ID: 1580412


Link to this article: http://sikaile.net/guanlilunwen/ydhl/1580412.html

