Research on a Threshold-Adaptive Anomaly Detection Method
Topic: anomaly detection + anomaly score; Source: Civil Aviation University of China, 2015 master's thesis
[Abstract]: In recent years network attacks and network security have drawn wide attention. Network anomaly detection is an active defence measure: because it can detect both known attacks and previously unknown malicious attacks, it has become a research hotspot. This thesis analyses three commonly used anomaly detection models, the maximum-entropy model, the threshold random walk model and the packet header anomaly detection model, and finds that they are computationally expensive, generalise poorly, and have high false positive and false negative rates. Drawing on Markov chains, the thesis proposes a network anomaly detection algorithm with low computational cost and good generality, and adaptively adjusts the detection threshold, which greatly reduces the system's false positive and false negative rates.

A real-time network anomaly detector first converts the input data stream into a meaningful, quantifiable anomaly score, then compares that score with a fixed detection threshold to classify the input as normal or anomalous. The input to a real-time detector, however, changes greatly over time, so a fixed threshold cannot guarantee good detection accuracy. To address this, the thesis proposes a method that adapts the threshold to changes in network traffic. The main work is as follows. First, a large number of statistical characteristics of the anomaly scores are analysed: the scores show a consistent correlation-decay structure during normal activity, and this dependence changes markedly when anomalous behaviour occurs, so time dependence is taken as a key modelling indicator.

Then, from the correlation-decay trend of the anomaly scores, the thesis argues that the trend results from the Markov property of the scores, and accordingly models the scores with a Markov chain. On top of this model a threshold-adaptive detection algorithm is proposed, and its steps and operational flow are designed in detail. In this method different anomaly scores are treated as different states, a state transition matrix P is constructed from the transitions between states, and the preceding anomaly scores are used to predict the threshold for the next time step, which realises adaptive threshold adjustment. Finally, the proposed threshold-adaptive method is combined with each of the three anomaly detection models and evaluated experimentally on three public network traffic data sets. The results show that the proposed threshold-adaptive algorithm is feasible and effective, and that it provides high detection accuracy without manual intervention.
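The threshold-adaptive step summarised above (anomaly scores binned into states, a transition matrix P estimated from the observed state transitions, and the next threshold predicted from the previous score) can be illustrated with the following Python example. It is an added illustration, not the thesis's own code or data: the bin width, the add-alpha smoothing of P, the quantile rule that turns a row of P into a threshold, the warm-up period and the fixed baseline value are all assumptions made here, and the score series is constructed for the demonstration rather than taken from any of the three data sets.

```python
"""Threshold-adaptive anomaly detection with a first-order Markov chain over
discretized anomaly scores. Added example; not the thesis's own code."""
from __future__ import annotations

from typing import List


class MarkovThreshold:
    """Predict the detection threshold for the next anomaly score from the
    current score's state, using an online estimate of the transition matrix P.

    Assumptions (not taken from the thesis): scores are binned into fixed-width
    states; P is estimated by counting consecutive state pairs with add-alpha
    smoothing; the threshold is the upper edge of the smallest state k such
    that P(next state <= k | current state) >= quantile.
    """

    def __init__(self, bin_width: float = 1.0, n_states: int = 10,
                 quantile: float = 0.95, alpha: float = 1e-3) -> None:
        self.bin_width = bin_width
        self.n_states = n_states
        self.quantile = quantile
        # Smoothed transition counts; row i holds the observed successors of state i.
        self.counts: List[List[float]] = [[alpha] * n_states for _ in range(n_states)]
        self.prev_state: int | None = None

    def state_of(self, score: float) -> int:
        """Map a continuous anomaly score to a state index in [0, n_states)."""
        return min(max(int(score // self.bin_width), 0), self.n_states - 1)

    def transition_matrix(self) -> List[List[float]]:
        """Row-stochastic P estimated from the transitions seen so far."""
        rows = []
        for row in self.counts:
            total = sum(row)
            rows.append([c / total for c in row])
        return rows

    def next_threshold(self) -> float:
        """Threshold for the upcoming score given the last observed state.
        With no history (or a never-seen state) the row is flat, so the
        quantile is only reached at the top state and every score is admitted."""
        if self.prev_state is None:
            return self.n_states * self.bin_width
        cumulative = 0.0
        for k, p in enumerate(self.transition_matrix()[self.prev_state]):
            cumulative += p
            if cumulative >= self.quantile:
                return (k + 1) * self.bin_width
        return self.n_states * self.bin_width

    def observe(self, score: float) -> None:
        """Record the transition prev_state -> state(score) and advance."""
        s = self.state_of(score)
        if self.prev_state is not None:
            self.counts[self.prev_state][s] += 1.0
        self.prev_state = s


def run_adaptive(scores: List[float], warmup: int = 8, **kw) -> List[int]:
    """Indices flagged as anomalous: score >= threshold predicted from the
    previous state. The first `warmup` scores only train the chain."""
    det = MarkovThreshold(**kw)
    flagged = []
    for t, score in enumerate(scores):
        if t >= warmup and score >= det.next_threshold():
            flagged.append(t)
        det.observe(score)  # the chain keeps learning from every score, flagged or not
    return flagged


def run_fixed(scores: List[float], threshold: float) -> List[int]:
    """Baseline: compare every score against one fixed threshold."""
    return [t for t, s in enumerate(scores) if s >= threshold]


def constructed_scores() -> List[float]:
    """Constructed anomaly-score series (not real traffic data):
    t 0-39  quiet baseline cycling 1.2/1.8/2.4/1.6, with a small spike of 3.6 at t=20;
    t 40-89 a legitimately higher baseline 4.2/4.8/5.4/4.6, with a spike of 9.5 at t=80."""
    low = [1.2, 1.8, 2.4, 1.6]
    high = [4.2, 4.8, 5.4, 4.6]
    scores = [low[t % 4] for t in range(40)] + [high[t % 4] for t in range(50)]
    scores[20] = 3.6
    scores[80] = 9.5
    return scores


if __name__ == "__main__":
    s = constructed_scores()
    print("fixed threshold 4.0 flags:", run_fixed(s, 4.0))
    print("adaptive flags:", run_adaptive(s))
```

On the constructed series the fixed threshold of 4.0 misses the small spike at t=20 and then flags all 50 scores of the higher regime, while the adaptive threshold flags t=20, the regime shift at t=40 and its first unseen transition at t=42, and the spike at t=80, and is otherwise quiet. Two caveats for practice: the chain learns from every observation, so an attacker who raises scores slowly can drag the threshold up with them (cap the threshold, or exclude windows already confirmed malicious from training), and a score that follows a never-seen state is admitted unconditionally until that row of P has history, so the detector needs enough warm-up data before its verdicts are trusted.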
【Degree-granting institution】: Civil Aviation University of China
【Degree level】: Master
【Year of degree】: 2015
【Classification number】: TP393.08
Article number: 1917078
Article link: http://sikaile.net/guanlilunwen/ydhl/1917078.html