基于直推式方法的网络异常检测方法
作者:
基金项目:

Supported by the National Natural Science Foundation of China under Grant No.60573134 (国家自然科学基金); the National Information Security 242 Project of China under Grant No.2005C39 (国家242信息安全计划项目)

  • 摘要
  • | |
  • 访问统计
  • |
  • 参考文献 [19]
  • |
  • 相似文献 [20]
  • |
  • 引证文献
  • | |
  • 文章评论
    摘要:

    网络异常检测技术是入侵检测领域研究的热点和难点内容,目前仍然存在着误报率较高、对建立检测模型的数据要求过高、在复杂的网络环境中由于"噪音"的影响而导致检测率不高等问题.基于改进的TCM-KNN(transductive confidence machines for K-nearest neighbors)置信度机器学习算法,提出了一种网络异常检测的新方法,能够在高置信度的情况下,使用训练的正常样本有效地对异常进行检测.通过大量基于著名的KDD Cup 1999数据集的实验,表明其相对于传统的异常检测方法在保证较高检测率的前提下,有效地降低了误报率.另外,在训练集有少量"噪音"数据干扰的情况下,其仍能保证较高的检测性能;并且在采用"小样本"训练集以及为了避免"维灾难"而进行特征选取等优化处理后,其性能没有明显的削减.

    Abstract:

    Network anomaly detection has been an active and difficult research topic in the field of intrusion detection for many years. Up to now,high false alarm rate,requirement of high quality data for modeling the normal patterns and the deterioration of detection rate because of some "noisy" data in the training set still make it not perform as well as expected in practice. This paper presents a novel network anomaly detection method based on improved TCM-KNN (transductive confidence machines for K-nearest neighbors) machine learning algorithm,which can effectively detect anomalies using normal data for training. A series of experiments on well known KDD Cup 1999 dataset demonstrate that it has lower false positive rate,especially higher confidence under the condition of ensuring high detection rate than the traditional anomaly detection methods. In addition,even provided with training dataset contaminated by "noisy" data,the proposed method still holds good detection performance. Furthermore,it can be optimized without obvious loss of detection performance by adopting small dataset for training and employing feature selection aiming at avoiding the "curse of dimensionality".

    参考文献
    [1]Bykova M,Ostermann S,Tjaden B.Detecting network intrusions via a statistical analysis of network packet characteristics.In:Proc.of the 33rd Southeastern Symp.on System Theory.2001.309-314.http://masaka.cs.ohiou.edu/papers/ssst2001.pdf
    [2]Denning DE.An intrusion-detection model.IEEE Trans.on Software Engineering,1987,13(2):222-232.
    [3]Lee W,Stolfo SJ.A framework for constructing features and models for intrusion detection systems.ACM Trans.on Information and System Security,2000,3(4):227-261.
    [4]Valdes A,Skinner K.Adaptive,model-based monitoring for cyber attack detection.In:Debar H,Mé L,Wu SF,eds.Proc.of the 3rd Int'l Workshop on the Recent Advances in Intrusion Detection (RAID 2000).LNCS 1907,Heidelberg:Springer-Verlag,2000.80-93.
    [5]Aickelin U,Greensmith J,Twycross J.Immune system approaches to intrusion detection-A review.In:Nicosia G,et al.,eds.Proc.of the 3rd Int'l Conf.on Artificial Immune Systems.LNCS 3239,Heidelberg:Springer-Verlag,2004.316-329.
    [6]Lee W,Stolfo SJ.A Data mining framework for building intrusion detection models.In:Gong L,Reiter MK,eds.Proc.of the '99 IEEE Symp.on Security and Privacy.Oakland:IEEE Computer Society Press,1999.120-132.
    [7]Eskin E,Arnold A,Prerau M,Portnoy L,Stolfo SJ.A geometric framework for unsupervised anomaly detection:detecting intrusions in unlabeled data.In:Barbarà D,Jajodia S,eds.Applications of Data Mining in Computer Security.Boston:Kluwer Academic Publishers,2002.78-99.
    [8]Proedru K,Nouretdinov I,Vovk V,Gammerman A.Transductive confidence machine for pattern recognition.In:Elomaa T,et al.,eds.Proc.of the 13th European Conf.on Machine Learning.LNAI 2430,Heidelberg:Springer-Verlag,2002.381-390.
    [9]Barbarà D,Domeniconi C,Rogers JP.Detecting outliers using transduction and statistical testing.In:Ungar L,Craven M,Gunopulos D,Eliassi-Rad T,eds.Proc.of the 12th ACM SIGKDD Int'l Conf.on Knowledge Discovery and Data Mining.New York:ACM Press,2006.55-64.
    [10]Angiulli F,Pizzuti C.Outlier mining in large high-dimensional data sets.IEEE Trans.on Knowledge and Data Engineering,2005,17(2):203-215.
    [11]Ghosh AK,Schwartzbard A.A study in using neural networks for anomaly and misuse detection.In:Proc.of the 8th USENIX Security Symp.1999.141-151.http://www.usenix.org/events/sec99/full_papers/ghosh/ghosh.ps
    [12]Manikopoulos C,Papavassiliou S.Network intrusion and fault detection:A statistical anomaly approach.IEEE Communications Magazine,2002,40(10):76-82.
    [13]Laskov P,Schafer C,Kotenko I.Intrusion detection in unlabeled data with quarter-sphere support vector machines.In:Proc.of the Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2004).2004.71-82.http://www2.informatik.hu-berlin.de/wm/journalclub/dimva2004.pdf
    [14]Li KL,Huang HK,Tian SF,Liu ZP,Liu ZQ.Fuzzy multi-class support vector machine and application in intrusion detection.Chinese Journal of Computers,2005,28(2):274-280 (in Chinese with English abstract).
    [15]Zhang J,Gong J.An anomaly detection method based on fuzzy judgment.Journal of Computer Research and Development,2003,40(6):776-783 (in Chinese with English abstract).
    [16]Zhuge JW,Wang DW,Chen Y,Ye ZY,Zou W.A network anomaly detector based on the D-S evidence theory.Journal of Software,2006,17(3):463-471 (in Chinese with English abstract).http://www.jos.org.cn/1000-9825/17/463.htm
    [14]李昆仑,黄厚宽,田盛丰,刘振鹏,刘志强.模糊多类支持向量机及其在入侵检测中的应用.计算机学报,2005,28(2):274-280.
    [15]张剑,龚俭.一种基于模糊综合评判的入侵异常检测方法.计算机研究与发展,2003,40(6):776-783.
    [16]诸葛建伟,王大为,陈昱,叶志远,邹维.基于D-S证据理论的网络异常检测方法.软件学报,2006,17(3):463-471.http://www.jos.org.cn/1000-9825/17/463.htm
    网友评论
    网友评论
    分享到微博
    发 布
引用本文

李洋,方滨兴,郭莉,陈友.基于直推式方法的网络异常检测方法.软件学报,2007,18(10):2595-2604

复制
分享
文章指标
  • 点击次数:5004
  • 下载次数: 7027
  • HTML阅读次数: 0
  • 引用次数: 0
历史
  • 收稿日期:2006-10-10
  • 最后修改日期:2007-01-23
文章二维码
您是第19783522位访问者
版权所有:中国科学院软件研究所 京ICP备05046678号-3
地址:北京市海淀区中关村南四街4号,邮政编码:100190
电话:010-62562563 传真:010-62562533 Email:jos@iscas.ac.cn
技术支持:北京勤云科技发展有限公司

京公网安备 11040202500063号