Research on Intrusion Detection Based on Multiple Classifiers
Published: 2018-12-11 01:50
[Abstract]: With the rapid development and wide deployment of computer networks, network security has drawn increasing attention. Quickly and accurately identifying both known attacks and the growing number of novel ones has become the central problem for intrusion detection systems (IDS). Compared with traditional intrusion detection techniques, pattern recognition methods can generalize from training data and so can support the recognition of unknown intrusions that have not yet been described, which has given machine-learning-based intrusion detection new momentum. Traditional pattern recognition systems usually rely on a single classifier, so good detection requires that this one classifier discriminate well across all sample features, a requirement a single classifier rarely meets. This thesis therefore applies multi-classifier combination (ensemble) techniques to intrusion detection in order to improve detection performance.

The main contributions of the thesis are:

1. Building on prior work, a multi-classifier selection algorithm Based on Accuracy and Diversity Measure (BADM) is proposed: base classifiers with high individual accuracy and large mutual diversity are selected and combined to raise overall detection accuracy. Experiments on the KDD CUP99 data set show that BADM achieves good detection results, with an overall accuracy 0.3 percentage points higher than directly combining all base classifiers, and higher than the result of the KDD CUP99 contest winner.

2. KDD CUP99 is the reference data set in intrusion detection research. The data set is preprocessed, including quantization of symbolic (categorical) feature values, normalization and feature selection. The feature subsets produced by different search methods are compared, a genetic-algorithm-based feature selection method is chosen, and the training and test sets used in the experiments are derived from it.

3. The widely used Snort IDS is extended by integrating the proposed BADM algorithm into Snort as a plug-in to improve Snort's detection performance. A Snort IDS based on multi-classifier combination is designed, and its overall architecture, the function of each module and their implementation are described in detail.

4. A linkage system between the multi-classifier Snort and Netfilter/iptables is designed and implemented to address two limitations: an IDS alone cannot effectively block traffic, and a firewall alone can only defend passively with static rules. Testing of the linkage system shows that it can withstand basic attacks and provides dynamic defense. The design therefore meets the network security defense needs of small and medium-sized enterprises and is of practical value for building a network security defense architecture.
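The following is an added example, not code from the thesis: it walks through contributions 1 and 2 end to end on KDD CUP99-style connection records. The records are constructed (they are not rows of the real data set), only five of the 41 KDD99 features are kept, symbolic features are quantized by sorted-vocabulary index and everything is min-max normalized with training-set statistics, and one decision stump per feature plays the role of a base classifier. The abstract does not publish BADM's exact scoring, so the greedy "accuracy + weighted mean disagreement" selection rule, the ensemble size of 3 and the diversity weight of 0.5 are assumptions of this example, as are the function and class names.

```python
"""Added example: multi-classifier intrusion detection on KDD CUP99-style
records. Symbolic features are quantized and all features min-max
normalized, one decision stump per feature serves as a base classifier,
and an accuracy-plus-diversity rule picks the members that vote."""

FEATURES = ["protocol_type", "flag", "src_bytes", "dst_bytes", "count"]
SYMBOLIC = {"protocol_type", "flag"}      # KDD99 symbolic (categorical) fields

# Constructed KDD99-like connection records (not rows from the real data set).
# Columns follow FEATURES; the last element is the label, 1 = attack.
TRAIN = [
    ("tcp", "SF", 215, 45076, 1, 0), ("tcp", "SF", 162, 4528, 2, 0),
    ("tcp", "SF", 1200, 330, 1, 0),  ("udp", "SF", 44, 130, 3, 0),
    ("tcp", "SF", 239, 1300, 4, 0),  ("tcp", "S0", 0, 0, 120, 1),
    ("tcp", "S0", 0, 0, 210, 1),     ("icmp", "SF", 1032, 0, 511, 1),
    ("icmp", "SF", 1032, 0, 480, 1), ("tcp", "REJ", 0, 0, 150, 1),
]
VALID = [
    ("tcp", "SF", 300, 2500, 2, 0), ("tcp", "SF", 0, 0, 1, 0),
    ("icmp", "SF", 64, 64, 1, 0),   ("udp", "SF", 50, 120, 2, 0),
    ("tcp", "S0", 0, 0, 180, 1),    ("icmp", "SF", 1032, 0, 300, 1),
    ("tcp", "REJ", 0, 0, 40, 1),    ("tcp", "SF", 500, 0, 200, 1),
]


def accuracy(pred, y):
    return sum(p == t for p, t in zip(pred, y)) / len(y)


def disagreement(p, q):
    """Pairwise diversity: fraction of samples on which two classifiers differ."""
    return sum(a != b for a, b in zip(p, q)) / len(p)


def majority_vote(preds):
    """Attack only if more than half of the members say so (ties -> normal)."""
    return [int(2 * sum(col) > len(col)) for col in zip(*preds)]


class Preprocessor:
    """Quantize symbolic values to integer codes (sorted vocabulary order),
    then min-max normalize every feature to [0, 1] with statistics taken from
    the training set only. Symbols unseen in training get code -1, so they
    land below 0 after normalization instead of colliding with a real code."""

    def fit(self, rows):
        self.codes = {n: {v: k for k, v in enumerate(sorted({r[i] for r in rows}))}
                      for i, n in enumerate(FEATURES) if n in SYMBOLIC}
        quant = [self._quantize(r) for r in rows]
        self.lo = [min(col) for col in zip(*quant)]
        self.hi = [max(col) for col in zip(*quant)]
        return self

    def _quantize(self, row):
        return [self.codes[n].get(row[i], -1) if n in SYMBOLIC else row[i]
                for i, n in enumerate(FEATURES)]

    def transform(self, row):
        return [(v - lo) / (hi - lo) if hi > lo else 0.0
                for v, lo, hi in zip(self._quantize(row), self.lo, self.hi)]


class Stump:
    """One-level decision tree on a single feature: attack when the value is
    on the chosen side of a threshold, found by exhaustive search."""

    def __init__(self, index):
        self.index, self.name = index, FEATURES[index]

    def fit(self, X, y):
        vals = sorted({x[self.index] for x in X})
        cuts = [(a + b) / 2 for a, b in zip(vals, vals[1:])] or vals
        best = -1.0
        for t in cuts:
            for above in (True, False):
                self.t, self.above = t, above
                acc = accuracy(self.predict(X), y)
                if acc > best:
                    best, chosen = acc, (t, above)
        self.t, self.above = chosen
        return self

    def predict(self, X):
        return [int((x[self.index] > self.t) == self.above) for x in X]


def select_badm(clfs, X, y, size=3, div_weight=0.5):
    """Greedy accuracy-and-diversity selection. The thesis does not publish
    BADM's exact scoring, so this is an assumed instantiation: seed with the
    most accurate classifier, then repeatedly add the candidate maximizing
    accuracy + div_weight * mean disagreement with the members chosen so far.
    Ties go to the candidate with higher individual accuracy (input order)."""
    preds = {c.name: c.predict(X) for c in clfs}
    acc = {n: accuracy(p, y) for n, p in preds.items()}
    pool = sorted(preds, key=lambda n: -acc[n])          # stable sort
    chosen = [pool.pop(0)]
    while pool and len(chosen) < size:
        def score(n):
            div = sum(disagreement(preds[n], preds[m]) for m in chosen)
            return acc[n] + div_weight * div / len(chosen)
        best = max(pool, key=score)                      # first max wins ties
        pool.remove(best)
        chosen.append(best)
    return chosen, acc


def run(train=TRAIN, valid=VALID):
    prep = Preprocessor().fit([r[:-1] for r in train])
    Xtr, ytr = [prep.transform(r[:-1]) for r in train], [r[-1] for r in train]
    Xva, yva = [prep.transform(r[:-1]) for r in valid], [r[-1] for r in valid]
    clfs = [Stump(i).fit(Xtr, ytr) for i in range(len(FEATURES))]
    chosen, acc = select_badm(clfs, Xva, yva)
    by_name = {c.name: c for c in clfs}
    everyone = majority_vote([c.predict(Xva) for c in clfs])
    subset = majority_vote([by_name[n].predict(Xva) for n in chosen])
    return {"base_accuracy": acc, "selected": chosen,
            "direct_integration": accuracy(everyone, yva),
            "badm_ensemble": accuracy(subset, yva)}


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

On these constructed records the `count` stump is the best single member, but voting all five stumps ("direct integration") does no better than it, because three weak members outvote the two that are right on the flood with data; the selected three-member subset corrects that. Two caveats for real use: the selection here is scored on the same validation split it is later evaluated on, so the final figure is optimistic, and a genuine experiment reports on a held-out test set as the thesis does; and a base classifier that is perfect on training data (the `dst_bytes` and `count` stumps above) is exactly the kind that looks strong on paper and fails on new traffic, which is the reason diversity is scored alongside accuracy at all.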
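Contribution 4 describes an IDS-to-firewall linkage without giving its implementation; the following is an added example of that mechanism and is not the thesis's plug-in or any Snort project code. It parses lines in the layout of Snort's `alert_fast` output (the layout is assumed from the documented format; the sample lines, their SIDs in the local 1000000+ range and the documentation IP addresses are all constructed), applies a blocking policy and emits iptables rules with a time-to-live so that the "dynamic defense" also un-blocks. The policy parameters, the `never_block` list and all names are this example's own choices. The never-block list is the check a practitioner wants: an IDS acts on source addresses an attacker can spoof, so auto-blocking without it lets an attacker lock administrators out by forging their address.

```python
"""Added example: Snort/iptables linkage. Snort alert_fast lines are parsed,
a blocking policy is applied, and iptables commands are produced (and only
executed when explicitly requested) with a time-to-live so blocks expire."""
import ipaddress
import re
import subprocess
import sys
import time

# Layout of Snort's alert_fast output (assumed from the documented format):
#   MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [Classification: ...]
#   [Priority: N] {PROTO} src[:port] -> dst[:port]          (IPv4 only here)
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r"(?: \[Classification: (?P<cls>[^\]]*)\])? \[Priority: (?P<prio>\d+)\]"
    r" \{(?P<proto>\w+)\} (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?"
    r" -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed alert lines (SIDs in the local 1000000+ range, documentation IPs).
SAMPLE_ALERTS = """\
08/14-13:42:01.103520  [**] [1:1000001:2] LOCAL SYN flood to private port [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.7:40212 -> 198.51.100.5:445
08/14-13:42:02.448190  [**] [1:1000002:1] LOCAL ICMP echo flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {ICMP} 203.0.113.9 -> 198.51.100.5
08/14-13:42:05.000001  [**] [1:1000003:1] LOCAL ssh brute force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.20:52010 -> 198.51.100.5:22
08/14-13:42:07.771212  [**] [1:1000004:1] LOCAL mDNS seen [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 203.0.113.11:5353 -> 198.51.100.5:5353
08/14-13:42:09.002200  [**] [1:1000001:2] LOCAL SYN flood to private port [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 203.0.113.7:40213 -> 198.51.100.5:445
"""


def parse_alert(line):
    """Return the alert fields as a dict, or None for lines that are not alerts."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["prio"] = int(alert["prio"])
    return alert


class Linkage:
    """Decide which alert sources get an iptables DROP rule and for how long.

    never_block: networks that are never blocked automatically (the LAN,
    management hosts, loopback); without it a spoofed source address turns
    the linkage into a tool for locking out the administrators.
    max_priority: Snort priority 1 is the most severe; alerts with a larger
    number are logged but not acted on.
    """

    def __init__(self, never_block, max_priority=2, ttl=600, chain="INPUT"):
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.max_priority, self.ttl, self.chain = max_priority, ttl, chain
        self.blocked = {}   # src address -> (expiry time, iptables rule spec)

    def decide(self, alert):
        src = ipaddress.ip_address(alert["src"])
        if alert["prio"] > self.max_priority:
            return "ignore: low priority"
        if any(src in net for net in self.never_block):
            return "ignore: protected source"
        if alert["src"] in self.blocked:
            return "ignore: already blocked"
        return "block"

    def handle(self, line, now):
        """Process one alert line; return (verdict, iptables commands to run)."""
        alert = parse_alert(line)
        if alert is None:
            return None, []
        verdict = self.decide(alert)
        cmds = []
        if verdict == "block":
            rule = ["-s", alert["src"], "-m", "comment",
                    "--comment", f"snort sid {alert['sid']}", "-j", "DROP"]
            self.blocked[alert["src"]] = (now + self.ttl, rule)
            cmds.append(["iptables", "-I", self.chain, *rule])
        return verdict, cmds

    def expire(self, now):
        """Return the delete commands for blocks whose TTL has elapsed; the
        stored rule spec is reused so that -D matches the inserted rule."""
        cmds = []
        for src, (until, rule) in list(self.blocked.items()):
            if until <= now:
                del self.blocked[src]
                cmds.append(["iptables", "-D", self.chain, *rule])
        return cmds


def process(lines, linkage, now):
    """Run every line through the linkage; returns [(verdict, cmds), ...]."""
    return [linkage.handle(line, now) for line in lines]


if __name__ == "__main__":
    # Dry run by default; pass --apply (as root) to really change the firewall.
    apply = "--apply" in sys.argv
    lk = Linkage(never_block=["198.51.100.0/24", "127.0.0.0/8"])
    for verdict, cmds in process(SAMPLE_ALERTS.splitlines(), lk, time.time()):
        print(verdict)
        for cmd in cmds:
            print("  ", " ".join(cmd))
            if apply:
                subprocess.run(cmd, check=True)
```

Run as is, the script only prints the commands it would issue; in a deployment the loop would read the alert file as Snort appends to it and call `expire()` periodically. The commands are built as argument lists and executed without a shell, so a crafted alert message cannot inject into the command line, and the rule spec is kept for the matching `-D`, which is what keeps the firewall from filling with stale DROP rules.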
[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Master's
[Year awarded]: 2014
[CLC number]: TP393.08
Article ID: 2371634
Link: http://sikaile.net/guanlilunwen/ydhl/2371634.html