Research on Network Intrusion Detection Based on the Traffic Matrix
Published: 2018-05-17 05:09
Topic: traffic matrix + information entropy. Source: Lanzhou Jiaotong University, master's thesis, 2014
[Abstract]: Intrusion detection is a proactive protection technology that follows traditional defensive measures such as firewalls and data encryption. How to effectively detect the anomalous events in a network that degrade its performance, and to correctly identify the type of each anomaly so that the network keeps operating normally, has become one of the important research topics in network security. Network anomalies are sudden, unpredictable and complex. An anomalous event usually changes the characteristic attributes of network traffic, and, correspondingly, any change in a traffic characteristic attribute indicates that one or more anomalous events have occurred. Network flows, an important form in which the Internet is operated and managed, carry attribute information such as source/destination IP address, source/destination port and service protocol. The traffic matrix, an important way of organizing network flows, generally consists of three components: an approximately periodic normal component, an anomalous component and a noise component; effective analysis of each component is the key to an intrusion detection system detecting and classifying network anomalies. In this thesis, the traffic between source-destination node pairs is arranged into a matrix that serves as the main input to the intrusion detection system. A well-built intrusion detection model helps to analyze traffic anomalies, raise the detection rate of the system and lower its false alarm rate. Building on a study of traditional intrusion detection methods and principles, this thesis designs an intrusion detection model based on the network traffic matrix, which takes the traffic matrix as the object of anomaly analysis and comprises several functional modules: traffic data collection, preprocessing of raw traffic data, traffic anomaly detection and traffic anomaly classification. To achieve more accurate warning and classification of network anomalies, an anomaly detection algorithm based on PGM-NMF and an anomaly classification algorithm based on cluster analysis are applied in the detection module and the classification module respectively. On the basis of this model, the thesis gives the detailed design of the traffic-matrix intrusion detection algorithm: the raw traffic data are preprocessed with an information-entropy algorithm to construct an entropy-based traffic matrix; a PGM-NMF-based traffic anomaly detection algorithm is proposed to construct the normal subspace of network traffic; and the Q statistic computed from the reconstruction error is used to decide whether traffic is anomalous. To further determine the type of anomaly, a cluster-analysis-based classification algorithm is proposed that matches the clustering results against a library of anomaly feature patterns, so that the anomaly type can be judged accurately. Finally, simulation experiments verify the detection and classification performance; compared with traditional intrusion detection schemes, the proposed traffic-matrix-based network intrusion detection model shows certain advantages.
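The detection pipeline the abstract describes (entropy preprocessing of flows, an entropy-based traffic matrix, a normal subspace, and a Q statistic on the reconstruction error) as an added, runnable sketch. This is illustration code, not the thesis's own implementation, and it simplifies in three labelled ways: the PGM-NMF basis is replaced by plain PCA computed with power iteration, the per-node-pair matrix is collapsed to one four-feature entropy vector per time bin, and the control limit is an empirical mean + 3 sigma of the training Q values rather than a Q_alpha formula. All flow records are constructed synthetic data; the anomalous bin adds one extra client touching many distinct ports on one server, which is the kind of attribute-distribution shift (source-IP entropy falls, destination-port entropy rises) that the entropy matrix is built to expose.

```python
import math
import random
from collections import Counter

# Flow attributes whose per-bin entropy forms one traffic-matrix row.
FEATURES = ("src_ip", "dst_ip", "src_port", "dst_port")

def normalized_entropy(values):
    """Shannon entropy of the value distribution, scaled to [0, 1] by log2(flow count)."""
    n = len(values)
    if n < 2:
        return 0.0
    counts = Counter(values)
    h = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)

def entropy_row(flows):
    """One traffic-matrix row: the entropy of each flow attribute within a time bin."""
    return [normalized_entropy([f[k] for f in flows]) for k in FEATURES]

def synth_normal_bin(rng, n_flows=200):
    """Constructed 'normal' bin: 20 clients talk to 10 servers on 4 services."""
    return [{"src_ip": f"10.0.0.{rng.randint(1, 20)}", "dst_ip": f"10.0.1.{rng.randint(1, 10)}",
             "src_port": rng.randint(49152, 65535), "dst_port": rng.choice([80, 443, 53, 22])}
            for _ in range(n_flows)]

def synth_anomalous_bin(rng):
    """Constructed anomalous bin: normal background plus one extra client hitting
    150 distinct ports on one server (src_ip entropy drops, dst_port entropy rises)."""
    flows = synth_normal_bin(rng)
    flows += [{"src_ip": "10.0.0.99", "dst_ip": "10.0.1.1", "src_port": 40000, "dst_port": p}
              for p in range(1, 151)]
    return flows

def covariance(rows, mu):
    """Sample covariance of the training rows around their mean mu."""
    d, n = len(mu), len(rows) - 1
    cen = [[r[i] - mu[i] for i in range(d)] for r in rows]
    return [[sum(c[i] * c[j] for c in cen) / n for j in range(d)] for i in range(d)]

def top_components(cov, k, iters=500):
    """Leading k eigenvectors by power iteration with deflation. This PCA basis is a
    stand-in for the thesis's PGM-NMF basis; the residual and Q logic are unchanged."""
    d = len(cov)
    work = [row[:] for row in cov]
    comps = []
    for _ in range(k):
        v = [1.0 / math.sqrt(d)] * d
        for _ in range(iters):
            w = [sum(work[i][j] * v[j] for j in range(d)) for i in range(d)]
            norm = math.sqrt(sum(x * x for x in w))
            if norm == 0.0:
                break
            v = [x / norm for x in w]
        lam = sum(v[i] * work[i][j] * v[j] for i in range(d) for j in range(d))
        comps.append(v)
        for i in range(d):  # deflate so the next pass finds the next direction
            for j in range(d):
                work[i][j] -= lam * v[i] * v[j]
    return comps

def q_statistic(row, mu, comps):
    """Q (squared prediction error): ||x - P P^T x||^2 of the centred row, i.e. the
    energy of the row left outside the normal subspace."""
    x = [row[i] - mu[i] for i in range(len(mu))]
    coef = [sum(v[i] * x[i] for i in range(len(x))) for v in comps]
    proj = [sum(c * v[i] for c, v in zip(coef, comps)) for i in range(len(x))]
    return sum((x[i] - proj[i]) ** 2 for i in range(len(x)))

class SubspaceDetector:
    def __init__(self, training_rows, k=2, sigmas=3.0):
        self.mu = [sum(col) / len(training_rows) for col in zip(*training_rows)]
        self.comps = top_components(covariance(training_rows, self.mu), k)
        qs = [q_statistic(r, self.mu, self.comps) for r in training_rows]
        m = sum(qs) / len(qs)
        sd = math.sqrt(sum((q - m) ** 2 for q in qs) / len(qs))
        # Assumption: empirical mean + sigmas*sd control limit on training Q,
        # in place of a chi-square-based Q_alpha limit.
        self.limit = m + sigmas * sd

    def score(self, row):
        q = q_statistic(row, self.mu, self.comps)
        return q, q > self.limit

def run_demo(seed=2014):
    """Train on 12 constructed normal bins, then score one normal and one anomalous bin."""
    rng = random.Random(seed)
    train = [entropy_row(synth_normal_bin(rng)) for _ in range(12)]
    det = SubspaceDetector(train)
    q_norm, flag_norm = det.score(entropy_row(synth_normal_bin(rng)))
    q_anom, flag_anom = det.score(entropy_row(synth_anomalous_bin(rng)))
    return {"limit": det.limit, "q_normal": q_norm, "normal_flagged": flag_norm,
            "q_anomaly": q_anom, "anomaly_flagged": flag_anom}
```

Calling `run_demo()` returns the control limit and the Q value and verdict for each scored bin; in a real deployment the rows would come from exported flow records binned by time, and the classification stage of the thesis would then take the flagged rows' residual vectors as input.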
[Degree-granting institution]: Lanzhou Jiaotong University
[Degree level]: Master's
[Year degree awarded]: 2014
[Classification number]: TP393.08
Article ID: 1900042
Article link: http://sikaile.net/guanlilunwen/ydhl/1900042.html