A Network Anomaly Detection Method Based on D-S Evidence Theory

Authors: Zhuge Jianwei (诸葛建伟), Wang Dawei (王大为), Chen Yu (陈昱), Ye Zhiyuan (叶志远), Zou Wei (邹维)

Funding: Supported by the Science-Technology Project of the National "Tenth Five-Year Plan" of China under Grant No. 2001BA802B07 (国家"十五"科技攻关计划); the "Microsoft Fellow" Plan (微软学者计划); the "IBM Ph.D. Fellowship" Plan (IBM博士生英才计划)

Abstract (translated from the Chinese):

Network anomaly detection is an active research topic in intrusion detection, but because of a high false alarm rate, limited coverage of attack types, and detection throughput that cannot meet the real-time needs of high-speed networks, it has not been deployed at scale in practice. This paper proposes a network anomaly detection method based on D-S evidence theory. It fuses multiple features to reach a combined judgement on network traffic, which effectively lowers both the false alarm rate and the miss rate, and it introduces an adaptive mechanism to keep detection accuracy in networks that change dynamically in real time. In addition, features with low computational cost and an efficient combination rule are chosen so that the algorithm's performance meets the requirements of high-speed detection. The method has been implemented as the anomaly detection module of a prototype network intrusion detection system. Experiments on the DARPA 1999 IDS evaluation data show that, at a low false alarm rate, the method reaches a detection rate of 69%, which is better than the 50% detection rate of EMERALD, the winner of the DARPA 1999 intrusion detection system evaluation, and than several contemporary related results.

Abstract:

Network anomaly detection has been an active research topic in the field of intrusion detection for many years; however, it has not been widely applied in practice because of several issues: a high false alarm rate, the limited range of attack types such approaches can detect, and their inability to perform real-time intrusion detection in high-speed networks. This paper presents a network anomaly detector based on Dempster-Shafer (D-S) evidence theory. The detector fuses multiple features of network traffic to decide whether a network flow is normal, and through this fusion it achieves a low false alarm rate and a low miss rate. It also incorporates self-adaptation mechanisms to maintain high detection accuracy in dynamic networks. Furthermore, light-computation features are combined with an efficient fusion mechanism to guarantee the high performance of the algorithm. On the 1999 DARPA/Lincoln Laboratory intrusion detection evaluation data set, the detector detects 69% of attacks at a low false alarm rate. This result is better than the 50% detection rate of EMERALD, the winner of the 1999 DARPA/Lincoln Laboratory intrusion detection evaluation, and than the results of other research projects.
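The feature-fusion step described in the abstracts above, as an added illustration that is not the paper's own implementation: Dempster's rule of combination over the frame {normal, anomalous}, with each feature's anomaly score turned into a mass function by a reliability discount. The score-to-mass mapping, the reliability values, the belief threshold of 0.6 and the sample readings are all constructed assumptions, not values from the paper.

```python
from itertools import product
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Frame of discernment for one traffic window: N = normal, A = anomalous.
N, A = "N", "A"
THETA = frozenset({N, A})
Mass = Dict[FrozenSet[str], float]

def feature_mass(anomaly_score: float, reliability: float) -> Mass:
    # Assumed score-to-mass mapping (not the paper's feature model): commit a
    # `reliability` fraction of the score to {A}/{N}, leave the rest on THETA.
    s = min(max(anomaly_score, 0.0), 1.0)
    return {frozenset({A}): reliability * s,
            frozenset({N}): reliability * (1.0 - s),
            THETA: 1.0 - reliability}

def combine(m1: Mass, m2: Mass) -> Mass:
    # Dempster's rule: m(X) = sum over B&C == X of m1(B)m2(C), divided by 1-K.
    fused: Mass = {}
    conflict = 0.0  # K: product mass that lands on the empty set
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        x = b & c
        if x:
            fused[x] = fused.get(x, 0.0) + mb * mc
        else:
            conflict += mb * mc
    if conflict >= 1.0 - 1e-12:  # K == 1: the rule is undefined
        raise ValueError("total conflict between evidence sources")
    return {x: v / (1.0 - conflict) for x, v in fused.items()}

def combine_all(masses: Iterable[Mass]) -> Mass:
    it = iter(masses)
    acc = next(it)
    for m in it:  # the rule is associative and commutative
        acc = combine(acc, m)
    return acc

def bel_pl(m: Mass, hyp: FrozenSet[str]) -> Tuple[float, float]:
    # Belief = mass fully inside hyp; plausibility = mass not contradicting it.
    return (sum(v for x, v in m.items() if x <= hyp),
            sum(v for x, v in m.items() if x & hyp))

# Constructed readings for one window as (anomaly score, feature reliability).
SAMPLE: List[Mass] = [feature_mass(0.9, 0.8),  # e.g. SYN-to-ACK ratio
                      feature_mass(0.7, 0.6),  # e.g. new-destination rate
                      feature_mass(0.2, 0.5)]  # e.g. mean packet size

def is_anomalous(masses: Iterable[Mass], threshold: float = 0.6) -> bool:
    # Flag the window when belief in {A} passes the (assumed) threshold.
    return bel_pl(combine_all(masses), frozenset({A}))[0] > threshold
```

With the sample readings the fused belief in {A} is about 0.738 and the plausibility about 0.810, so the window is flagged even though the third feature leans towards normal.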

Cite this article:

Zhuge Jianwei (诸葛建伟), Wang Dawei (王大为), Chen Yu (陈昱), Ye Zhiyuan (叶志远), Zou Wei (邹维). A network anomaly detection method based on D-S evidence theory. Journal of Software, 2006, 17(3): 463-471.

History
  • Received: 2004-11-04
  • Last revised: 2005-07-11
Copyright: Institute of Software, Chinese Academy of Sciences. 京ICP备05046678号-3