天堂国产午夜亚洲专区-少妇人妻综合久久蜜臀-国产成人户外露出视频在线-国产91传媒一区二区三区


Research on Key Technologies of Machine Learning Based Intrusion Detection and Alert Correlation

Published: 2018-03-07 18:20

Topic: intrusion detection. Focus: feature dimensionality reduction. Source: Beijing University of Posts and Telecommunications, 2016 doctoral dissertation. Document type: degree thesis.


[Abstract]: Network technology is ever more deeply embedded in people's work and daily life, and the Internet has become critical infrastructure carrying massive volumes of data. Alongside the enormous convenience it brings, network attacks follow like a shadow, and network security faces serious threats. Intrusion detection and alert correlation are important components of the network security technology stack: intrusion detection collects and analyses relevant network data to discover attacks in time and reduce security threats, while alert correlation fuses and analyses information from multiple sources, widening the scope of intrusion detection and improving alert quality. As networks grow and attack techniques become more diverse and complex, both the dimensionality and the volume of data to be analysed keep increasing, and traditional intrusion detection and alert correlation methods face great challenges in handling massive high-dimensional data. Drawing on machine learning techniques, and with the goal of improving intrusion detection performance and the degree of automation in alert correlation, this thesis studies feature dimensionality reduction, data stream classification, anomaly detection and correlation rule generation, and obtains a number of innovative results. The main research work is as follows:

1. To address the problem that processing massive high-dimensional data during intrusion detection is time-consuming, labour-intensive and poor in real-time performance, feature dimensionality reduction is studied by combining rough set theory with principal component analysis (PCA). The goal of dimensionality reduction is to cut the number of feature dimensions and improve the efficiency of data analysis without weakening the data's classification and expressive power. This thesis proposes a new dimensionality reduction method that combines rough set theory and PCA: feature selection is performed with a discernibility matrix and information entropy, a weighted kernel function is constructed for feature mapping and feature extraction, and the two methods together extract the original data features at multiple levels of depth, yielding a more compact high-level feature representation and improving the real-time performance of intrusion detection.

2. Classification is a technique frequently used in misuse detection, and classification models are usually trained on labelled data; the dynamic data-stream nature of the data to be analysed and the high cost of obtaining labels pose a challenge to traditional methods. To address this, the thesis proposes a data stream classification method based on decision feedback. First, using an ensemble learning approach, an initial classification model is trained on the labelled data blocks in the stream and used to make an initial decision on the class of the unlabelled data; then, combined with that decision, a clustering model is trained on the unlabelled data to provide constraint information for classification. In this way the supervised ensemble classifier is extended to a semi-supervised one, the final class decision is made on the principle of maximising consistency between the models, and the unlabelled data is exploited to improve classification performance.

3. Anomaly detection builds a profile of normal user behaviour and uses it to identify anomalous behaviour such as network intrusions; in real environments the purity and completeness of the normal-behaviour data set are hard to guarantee, which degrades the performance of the anomaly detection model. To address this, the thesis combines active learning to propose an enhanced semi-supervised one-class support vector machine (SVM) anomaly detection model. The method first builds an anomaly detection model with a one-class SVM in an unsupervised manner, then uses active learning to select a small amount of data for labelling and uses the label information to extend the model to a semi-supervised one-class SVM. The selection strategy and termination condition of the active learning are revised to balance the requirements of data purity and completeness, so that a large improvement in anomaly detection performance is obtained at a small labelling cost.

4. Alert correlation is one of the active research topics in network security: events reported by security devices are correlated according to predefined rules to reveal the meaningful relationships hidden behind discrete events. Research in this area has concentrated on correlation methods and rule representation, while acquiring and updating the correlation rules still relies largely on manual intervention, which limits the adaptability of the approach. To address this, the thesis proposes a correlation rule generation method based on neural networks and genetic programming. A neural network model first classifies events by attack scenario; rule terms are extracted from the classification results to produce a training set; genetic programming then generates and optimises the correlation rules, so that rules are generated and updated automatically, raising the degree of automation and the adaptability of correlation analysis.

In summary, against the background of increasingly complex and diverse network attacks, and in view of the challenges facing current intrusion detection and alert correlation methods, this thesis carries out in-depth research based on machine learning in feature extraction, data classification, anomaly detection and correlation rule generation, proposes solutions, and verifies their feasibility and accuracy experimentally. The results help improve the efficiency and accuracy of intrusion detection, raise the automation and adaptability of correlation analysis, and help people perceive potential threats in massive data more promptly and accurately.

[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Doctoral
[Year awarded]: 2016
[Classification number]: TP393.08;TP181



Article number: 1580412


Link: http://sikaile.net/guanlilunwen/ydhl/1580412.html


