Research on Key Technologies of Intelligent Threat Information Traceback
Published: 2018-04-20 13:42
Topic of this thesis: network security + threat traceback. Source: Beijing Jiaotong University, 2014 master's thesis
[Abstract]: With the rapid development of information technology, Internet-based network threats pose major challenges to social life. To offer effective ideas and useful references for threat information traceback, this thesis proposes a threat traceback method based on intrusion detection system (IDS) alert information and a rootkit, and an SVM-based method for filtering IDS alert information, as follows.

(1) Threat traceback method based on an IDS and a rootkit. The thesis studies the network data acquisition, threat behaviour detection and IP traceback techniques used in threat information traceback, analyses the shortcomings of existing traceback methods, and proposes a traceback method based on IDS alert information and a rootkit. The key to threat traceback is the discovery, recording and analysis of attack packets. In this method, the IDS detects and records the attack packets that the compromised intermediary host (the "zombie") sends to the victim, while the rootkit obtains the communication data between the attacker and the zombie by monitoring the zombie's processes and sessions, and sends the monitoring results back to the threat analysis server in a timely manner. Threat analysts perform spatio-temporal similarity analysis and knowledge-base correlation analysis on the data held by the threat analysis server and determine the attacker's real location from the results.

(2) SVM-based method for filtering IDS alert information. The proposed traceback method faces a technical difficulty: the high false alarm rate common to existing intrusion detection systems. To address it, the thesis analyses the IDS alert filtering problem and proposes a method that filters IDS alert information with the support vector machine (SVM) algorithm. An SVM classifier determines its decision function from a small number of support vectors, which addresses the small-sample problem in alert filtering; because the computational complexity depends on the number of support vectors rather than on the dimensionality of the alert data, it avoids the curse of dimensionality in high-dimensional computation; and a kernel function maps data that is linearly inseparable in the original input space to linearly separable data in a high-dimensional space, which addresses the nonlinearity of alert data in the input space. The SVM-based filtering method consists of two parts, model training and data prediction. Model training covers parsing command-line parameters, reading training samples, choosing a suitable penalty coefficient, kernel function and kernel parameters, counting the sample classes and the number of samples in each class, grouping the training data, and solving the C-SVM classifier model with the sequential minimal optimization (SMO) algorithm. Data prediction covers reading the alert data and computing its decision values with the trained C-SVM classifier model. Theoretical analysis and experimental data show that, with a reasonable choice of kernel function, kernel parameters and training data set, the method can effectively reduce the false alarm rate of an intrusion detection system.

The work in this thesis was supported by the National Natural Science Foundation of China (No. 61172072, 61271308), the Beijing Natural Science Foundation (No. 4112045), the Doctoral Fund of Higher Education (No. W11C100030), the Beijing Science and Technology Plan (No. Z121100000312024) and the Beijing Municipal Education Commission Discipline Construction and Postgraduate Construction project. 29 figures, 13 tables, 68 references.
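As an added example (not the thesis's own code), the following Python program walks through the two parts of the SVM-based alert filter described above: model training (counting sample classes, choosing the penalty coefficient C and the RBF kernel parameter, solving the C-SVM dual with a simplified SMO solver, keeping only the support vectors) and data prediction (computing a decision value for each incoming alert and discarding those scored as false alarms). The two alert features, the labels and the hyperparameter values are constructed assumptions chosen so the example runs offline; the solver is a textbook simplified SMO in pure Python, not the implementation the thesis evaluated.

```python
"""C-SVM alert filter for IDS alarms (RBF kernel, simplified SMO solver).

Added example, not the thesis's code. The alert feature vectors and labels are
constructed: +1 = genuine attack alert (keep), -1 = false alarm (filter out).
"""
import math

# Constructed training alerts. Hypothetical features, each scaled to [0, 1]:
# (connection attempts per second, share of those attempts that failed).
TRAIN_X = [
    (0.80, 0.90), (0.90, 0.80), (0.70, 0.95), (0.85, 0.85), (0.95, 0.70),  # attacks
    (0.10, 0.20), (0.20, 0.10), (0.15, 0.25), (0.05, 0.15), (0.30, 0.10),  # false alarms
]
TRAIN_Y = [1, 1, 1, 1, 1, -1, -1, -1, -1, -1]


def class_counts(y):
    """Count the sample types and how many samples each type has."""
    counts = {}
    for label in y:
        counts[label] = counts.get(label, 0) + 1
    return counts


def rbf_kernel(gamma):
    """Gaussian kernel: alerts that are not linearly separable in input space
    become separable in the feature space this kernel implicitly induces."""
    def k(a, b):
        return math.exp(-gamma * sum((p - q) ** 2 for p, q in zip(a, b)))
    return k


def train_svm(X, y, C=10.0, gamma=1.0, tol=1e-3, max_passes=10, max_epochs=200):
    """Solve the C-SVM dual by simplified SMO: optimise two alphas at a time while
    keeping sum(alpha_i * y_i) = 0 and 0 <= alpha_i <= C."""
    n = len(X)
    kern = rbf_kernel(gamma)
    K = [[kern(X[i], X[j]) for j in range(n)] for i in range(n)]
    alphas = [0.0] * n
    b = 0.0

    def errors():  # E_s = f(x_s) - y_s for every training sample
        return [sum(alphas[t] * y[t] * K[s][t] for t in range(n)) + b - y[s] for s in range(n)]

    def update_pair(i, j, E):
        nonlocal b
        ai_old, aj_old = alphas[i], alphas[j]
        if y[i] != y[j]:
            L, H = max(0.0, aj_old - ai_old), min(C, C + aj_old - ai_old)
        else:
            L, H = max(0.0, ai_old + aj_old - C), min(C, ai_old + aj_old)
        eta = 2 * K[i][j] - K[i][i] - K[j][j]
        if L == H or eta >= 0:
            return False
        aj_new = min(H, max(L, aj_old - y[j] * (E[i] - E[j]) / eta))
        if abs(aj_new - aj_old) < 1e-5:
            return False
        ai_new = ai_old + y[i] * y[j] * (aj_old - aj_new)
        b1 = b - E[i] - y[i] * (ai_new - ai_old) * K[i][i] - y[j] * (aj_new - aj_old) * K[i][j]
        b2 = b - E[j] - y[i] * (ai_new - ai_old) * K[i][j] - y[j] * (aj_new - aj_old) * K[j][j]
        alphas[i], alphas[j] = ai_new, aj_new
        b = b1 if 0 < ai_new < C else b2 if 0 < aj_new < C else (b1 + b2) / 2
        return True

    passes = epochs = 0
    while passes < max_passes and epochs < max_epochs:
        epochs += 1
        changed = 0
        for i in range(n):
            E = errors()
            # KKT check: only samples violating the margin conditions get updated.
            if not ((y[i] * E[i] < -tol and alphas[i] < C) or (y[i] * E[i] > tol and alphas[i] > 0)):
                continue
            # Partner choice: try the sample whose error differs most from E[i] first.
            for j in sorted((t for t in range(n) if t != i), key=lambda t: -abs(E[i] - E[t])):
                if update_pair(i, j, E):
                    changed += 1
                    break
        passes = passes + 1 if changed == 0 else 0
    # Only samples with alpha > 0 (the support vectors) enter the decision function.
    sv = [(alphas[i], y[i], X[i]) for i in range(n) if alphas[i] > 1e-8]
    return {"support_vectors": sv, "b": b, "kernel": kern}


def decision_value(model, x):
    """Prediction: f(x) = sum_i alpha_i y_i K(x_i, x) + b over the support vectors."""
    return sum(a * yi * model["kernel"](xi, x) for a, yi, xi in model["support_vectors"]) + model["b"]


def filter_alerts(model, alerts):
    """Keep alerts scored as genuine attacks (f(x) > 0); drop predicted false alarms."""
    return [x for x in alerts if decision_value(model, x) > 0]


if __name__ == "__main__":
    model = train_svm(TRAIN_X, TRAIN_Y)
    incoming = [(0.90, 0.90), (0.10, 0.10), (0.25, 0.20)]  # constructed incoming alerts
    print("classes:", class_counts(TRAIN_Y), "support vectors:", len(model["support_vectors"]))
    print("kept for analysts:", filter_alerts(model, incoming))
```

The decision value, not just its sign, is worth surfacing to analysts: alerts with |f(x)| close to zero sit near the margin and are the ones a filter is most likely to get wrong, so a deployment would typically route them to a review queue rather than silently dropping them. The choice of C and gamma matters as the abstract notes; on real alert data both are normally picked by cross-validation on a labelled sample rather than fixed as here.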
[Degree-granting institution]: Beijing Jiaotong University
[Degree level]: Master's
[Year conferred]: 2014
[Classification number]: TP393.08
Article number: 1778008
Link: http://sikaile.net/guanlilunwen/ydhl/1778008.html