
Research and Implementation of a Sequence-Based Algorithm for Mining Multi-Step Attack Logic

Published: 2018-08-13 17:20
[Abstract]: Intrusion detection, a key technology and an important means of protecting computer networks from threats, is a hot research topic in network security. As network technology develops, new attack types keep emerging; complex attacks such as distributed or multi-step attacks in particular are not only well concealed but often cause greater harm. Among the attacks on application systems, malicious behaviors with the same intent often appear as different sequence combinations, so existing intrusion detection systems find it hard to reconstruct the real attack scenario when capturing causally related malicious behaviors. To accurately identify the complex logical relationships in multi-step attacks, this thesis focuses on attack detection methods based on sequence analysis. First, it studies a behavior extraction mechanism based on IP equivalence classes, analyzes the threshold on IP equivalence class size, and gives a principle for selecting a reasonable threshold; based on IP equivalence classes, network behavior sequences can be extracted automatically without any parameters or prior knowledge. Next, the extracted behavior sequences are described using alert correlation graphs, and on that basis a sliding-window N-gram correlation algorithm generates a dissimilarity matrix, where the N-gram correlation algorithm accommodates variation across behavior sequences, interleaved behaviors, and long inserted segments. Finally, manifold learning extracts meaningful features from the large feature set, and these are combined with various classification algorithms to find suspicious or malicious behavior sequences. The work was simulated in a Python environment, with the overall simulation structure and module design given; experimental results on the real dataset Acer07 show that the implemented algorithm achieves higher detection accuracy than existing results.
[Degree-granting institution]: Xidian University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08
