
Research on an Intrusion Detection System Based on Adaptive Multi-Mask Sampling

Published: 2018-04-14 05:32

  Topic: intrusion detection + sampling algorithm. Reference: Qufu Normal University, 2017 master's thesis


[Abstract]: As networks have developed, network security has come under ever greater challenge. Increasingly complex intrusion methods have brought research on intrusion detection technology to the close attention of the international community. Although intrusion detection technology has advanced rapidly in recent years, its false alarm rate and detection rate, together with the collection, storage and analysis of very large traffic volumes, remain key problems restricting its development. By studying the structure of intrusion detection systems, this thesis finds that the keys to the accuracy of an intrusion detection system are the data collection module and the data detection module. In studying the data collection module in depth, it finds that the multi-mask sampling algorithm is strongly random and can reduce traffic, but that its fixed sampling rate adapts poorly to today's changeable high-speed networks. In studying the data detection module in depth, it finds that intrusion detection systems based on the k-nearest neighbor algorithm and those based on the one-class support vector machine (OC-SVM) each have strengths and weaknesses in false alarm rate and detection rate. This thesis makes improvements that address these problems.

(1) To address the fixed sampling ratio of the multi-mask sampling algorithm, this thesis builds on it to propose an adaptive multi-mask sampling algorithm. The improved algorithm first sets a maximum threshold and a minimum threshold. When link traffic rises sharply, if the number of samples captured within a given time exceeds the maximum threshold, the algorithm lowers the sampling ratio accordingly, so that sampling does not consume too much link bandwidth or too many computing and storage resources. If the number of samples captured within a given time falls below the minimum threshold, the algorithm raises the sampling ratio, which keeps the system alert during quiet periods on the network. Using the NS-2 simulation software, a local area network is built and several kinds of traffic are added. At one moment, link traffic is increased abruptly by adding more application-layer services, and a counter records the number of data packets collected; at a later moment, link traffic is reduced abruptly by removing application-layer services. Experiments with the improved algorithm verify that the improvement is effective and feasible.

(2) To address the problem of high false alarm and missed-detection rates, this thesis proposes an intrusion detection method based on the k-nearest neighbor method and the one-class support vector machine (OC-SVM). The data gathered by the data collection module is first screened by the k-nearest neighbor detection module into two groups, normal data and abnormal data. Because the k-nearest neighbor method has a relatively low detection rate, the normal data still contains a fair amount of undetected abnormal data. This normal data set is then used as the input to the one-class support vector machine, whose high detection rate allows it to detect the great majority of the abnormal data that was missed. The scheme is validated experimentally in MATLAB using the public KDD CUP99 data set: a training data set and a test data set are selected, a model is built by training on the training set, and the selected test data set is then used to run predictions with the model. The results verify that the new method has a high detection rate and a low false alarm rate.
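The two-threshold adaptation described in the abstract, as an added Python example (not code from the thesis). The mask rule is a simplified stand-in for the thesis's multi-mask sampler, whose details the abstract does not give: a packet is kept when the low `bits` bits of its hash are zero, so the sampling ratio is 2^-bits. The class name, the thresholds (700 and 3000) and the per-window packet counts are assumptions constructed for the demonstration.

```python
import hashlib

class AdaptiveMaskSampler:
    """Hypothetical sampler: keeps a packet when hash & mask == 0."""

    def __init__(self, min_threshold, max_threshold, bits=2, max_bits=16):
        self.min_threshold = min_threshold  # below this: sample more
        self.max_threshold = max_threshold  # above this: sample less
        self.bits = bits                    # mask width; ratio = 2**-bits
        self.max_bits = max_bits
        self.captured = 0                   # samples in the current window

    def offer(self, packet: bytes) -> bool:
        digest = int.from_bytes(hashlib.sha256(packet).digest()[:4], "big")
        keep = (digest & ((1 << self.bits) - 1)) == 0
        self.captured += keep
        return keep

    def end_window(self) -> int:
        """Close the time window and adapt the ratio to what was captured."""
        captured, self.captured = self.captured, 0
        if captured > self.max_threshold and self.bits < self.max_bits:
            self.bits += 1                  # halve the sampling ratio
        elif captured < self.min_threshold and self.bits > 0:
            self.bits -= 1                  # double the sampling ratio
        return captured

# Constructed load: packets per window, with a burst in windows 2-5.
LOADS = [4096, 4096, 32768, 32768, 32768, 32768, 4096, 4096, 4096]

def simulate(loads, min_threshold=700, max_threshold=3000):
    """Return (captured, bits after adaptation) for each window."""
    sampler = AdaptiveMaskSampler(min_threshold, max_threshold)
    history = []
    for window, count in enumerate(loads):
        for i in range(count):
            sampler.offer(f"{window}:{i}".encode())  # constructed packet id
        captured = sampler.end_window()
        history.append((captured, sampler.bits))
    return history

if __name__ == "__main__":
    for load, (captured, bits) in zip(LOADS, simulate(LOADS)):
        print(f"load={load:6d} captured={captured:5d} ratio=1/{1 << bits}")
```

The gap between the two thresholds has to be wider than one adjustment step (a factor of two here); otherwise a steady load can push the ratio up and down on alternate windows.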
[Degree-granting institution]: Qufu Normal University
[Degree level]: Master's
[Year degree awarded]: 2017
[Classification number]: TP393.08

