
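Research on Key Technologies of Network Intrusion Detection Based on Data Mining

Published: 2018-04-19 22:22

  Topic of this thesis: intrusion detection + data mining. Reference: Beijing University of Posts and Telecommunications, 2014 doctoral dissertation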


[Abstract]: With the rapid spread of the Internet, networks have penetrated every aspect of people's daily work and life. However, the security threats that came with them have caused varying degrees of harm to social stability and economic development. As one of the main security technologies, intrusion detection can detect attack behavior before a network attack causes widespread damage, and so provides an important basis for formulating defense strategies. As networks keep growing in scale, new security vulnerabilities and attack techniques emerge one after another, placing higher demands on the detection performance of intrusion detection systems.

Data mining is an intelligent data analysis technology that can discover useful knowledge in large amounts of data. This thesis surveys the latest progress, at home and abroad, in intrusion detection research based on data mining. Focusing on the key technologies of data-mining-based network intrusion detection, it studies feature dimensionality reduction and sample reduction in intrusion detection, anomaly detection based on outlier mining, and hybrid intrusion detection models. The main research work can be summarized as follows:

(1) The application of feature dimensionality reduction in intrusion detection is studied, and a feature extraction method suitable for intrusion detection is designed. Feature dimensionality reduction covers two approaches, feature selection and feature extraction; it lowers the dimension of the feature vectors that represent the data, so that many data mining algorithms achieve better results. Building on an analysis of related work on feature dimensionality reduction in intrusion detection, the thesis proposes a feature extraction method based on the sum of distances to cluster centers. The method uses a specific relationship between each data sample in the dataset and the cluster centers, the distance sum, to transform the original feature vector that represents a sample from a high-dimensional space to a low-dimensional space. The experiments in the thesis show that this feature extraction method is effective in intrusion detection applications.

(2) The application of sample reduction in intrusion detection is studied, and a sample reduction method suitable for intrusion detection is designed. Sample reduction is one form of data reduction and is used to reduce the number of samples in a dataset. Compared with mining the entire original dataset, using the reduced subset lowers the cost of data mining, speeds it up, and sometimes even gives better results. To select a high-quality sample subset from the original dataset, the thesis proposes a stratified sample reduction method based on class centers. Using an index that measures how well a sample represents the class it belongs to, together with a class-center-based strategy for dividing the dataset into equal parts, the method selects a subset of samples from the original training set and then uses that subset to build the intrusion detection model. The experimental results in the thesis show that this sample reduction method is effective for intrusion detection applications.

(3) The application of outlier mining in intrusion detection is studied, and an anomaly detection method based on outlier mining is designed. Outlier mining finds the values in a dataset that deviate from most of the data. Building on an analysis of related work on outlier mining in intrusion detection, the thesis proposes an anomaly detection method based on the change in cluster center position. After a clustering algorithm has extracted reference samples (cluster centers) from the set of normal samples, the method assigns each target sample (which may be a training sample or a sample to be detected) an "outlier degree score" according to how the cluster center positions change before and after the target sample is added, and identifies samples to be detected whose score exceeds an anomaly threshold as anomalous. The experimental results in the thesis show that the method can carry out network anomaly detection with a relatively high detection rate.

(4) The composition of hybrid intrusion detection models is studied, and a two-layer hybrid intrusion detection model containing three detection modules is designed. A hybrid intrusion detection model combines the two detection approaches, misuse detection and anomaly detection, and can therefore combine the advantages of both. Building on an analysis of the structure, advantages and disadvantages of several existing kinds of hybrid intrusion detection model, the thesis proposes a two-layer hybrid model containing two anomaly detection modules and one misuse detection module. In this model the detection modules of the two stages cooperate: the two detection modules in stage 2 identify, respectively, the false positives and the false negatives produced by the stage 1 detection module. The experimental results in the thesis show that the hybrid model can carry out intrusion detection with a relatively low false positive rate and a relatively high detection rate.
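A sketch of the cluster-center-shift scoring described in point (3), added here as an illustration and not taken from the thesis. The abstract gives no formulas, so the score (displacement of the nearest center when the sample joins its cluster), the threshold rule, the function names and the sample data are all assumptions.

```python
import math

# Constructed sample data (not from the thesis): two scaled flow features per
# connection, e.g. (connection rate, mean payload size). All rows are normal.
NORMAL = [(1.0, 1.0), (1.2, 0.9), (0.8, 1.1), (1.1, 1.2), (0.9, 0.8),
          (5.0, 5.0), (5.2, 4.9), (4.8, 5.1), (5.1, 5.2), (4.9, 4.8)]

def nearest(p, centers):
    """Index of the center closest to p."""
    return min(range(len(centers)), key=lambda i: math.dist(p, centers[i]))

def mean(pts):
    return tuple(sum(col) / len(pts) for col in zip(*pts))

def kmeans(points, k, iters=20):
    """Lloyd's k-means with deterministic farthest-point seeding."""
    centers = [points[0]]
    while len(centers) < k:
        centers.append(max(points, key=lambda p: min(math.dist(p, c) for c in centers)))
    for _ in range(iters):
        clusters = [[] for _ in centers]
        for p in points:
            clusters[nearest(p, centers)].append(p)
        centers = [mean(c) if c else centers[i] for i, c in enumerate(clusters)]
    return centers, [len(c) for c in clusters]

def outlier_score(x, centers, sizes):
    """Assumed score: how far the nearest center moves if x joins its cluster."""
    i = nearest(x, centers)
    n = sizes[i]
    moved = tuple((n * c + v) / (n + 1) for c, v in zip(centers[i], x))
    return math.dist(centers[i], moved)

def fit(normal, k, margin=1.5):
    """Assumed threshold rule: margin times the largest score among normal samples."""
    centers, sizes = kmeans(normal, k)
    threshold = margin * max(outlier_score(p, centers, sizes) for p in normal)
    return centers, sizes, threshold

def detect(samples, model):
    """True for each sample whose score exceeds the anomaly threshold."""
    centers, sizes, threshold = model
    return [outlier_score(s, centers, sizes) > threshold for s in samples]

MODEL = fit(NORMAL, k=2)
print(detect([(1.05, 0.95), (9.0, 1.0)], MODEL))
```

With this score a sample at distance d from a cluster of n points moves the center by d/(n+1), so the threshold is only meaningful for the cluster sizes it was fitted on.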

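[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Doctorate
[Year degree granted]: 2014
[Classification number]: TP393.08; TP311.13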

