Journal of Computer Applications (计算机应用) ›› 2010, Vol. 30 ›› Issue (07): 1771-1774.

• Information Security •

Method for network anomaly detection with multi-measure based on relative entropy theory

张亚玲 1, 韩照国 2, 任姣霞 1

  1. Xi'an University of Technology
  2. School of Computer Science and Engineering, Xi'an University of Technology
  • Received: 2010-01-06  Revised: 2010-03-09  Online: 2010-07-01  Published: 2010-07-01
  • Corresponding author: 张亚玲
  • Supported by:
    National Natural Science Foundation of China; Special Scientific Research Program of the Shaanxi Provincial Department of Education; Special Scientific Research Program of the Shaanxi Provincial Department of Education


Abstract: Low detection rate, high false alarm rate and an insufficiently broad range of detectable attacks have become the biggest obstacles to the development of network anomaly detection. To improve the detection rate, reduce the false alarm rate and enlarge the range of detected attacks, a new network anomaly detection method was proposed. Firstly, network traffic was statistically analyzed, and relative entropy theory was introduced to characterize the full-probability event corresponding to each measure. Secondly, a weighted relative entropy was obtained by fusing the relative entropies of multiple measures with weighting coefficients. Lastly, the comprehensive multi-measure weighted relative entropy was used as the criterion for judging network anomalies. Experimental results on the DARPA 1999 intrusion detection evaluation data set show that the detector achieves a higher detection rate at a lower false alarm rate, and that the result is better than other methods.

Key words: intrusion detection, anomaly detection, relative entropy theory, evaluation data
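The detection pipeline the abstract outlines (per-measure relative entropy of a traffic window against a baseline, weighted fusion, threshold decision), as an added illustration that is not the paper's code: the measures, weights, additive smoothing (used here to keep the relative entropy finite when a value is absent from the baseline), threshold and flow records are all constructed assumptions, not values from the paper.

```python
import math
from collections import Counter

# Constructed flow records: (src_ip, dst_port, proto). Not DARPA data.
def make_flows(port_seq, src_pool, proto="tcp"):
    return [(src_pool[i % len(src_pool)], port, proto) for i, port in enumerate(port_seq)]

BASELINE = make_flows([80, 443, 80, 53, 443, 80, 80, 443, 53, 80,
                       443, 80, 80, 53, 443, 80, 80, 443, 80, 53],
                      ["10.0.0.1", "10.0.0.2", "10.0.0.3"])
NORMAL_WINDOW = make_flows([80, 80, 443, 53, 80, 443, 80, 443, 53, 80],
                           ["10.0.0.2", "10.0.0.3", "10.0.0.1"])
# One host touching ten previously unseen destination ports (scan-like window).
SCAN_WINDOW = make_flows(list(range(20, 30)), ["10.0.0.9"])

# Assumed measures (field extractors) and weighting coefficients; weights sum to 1.
MEASURES = {"src_ip": lambda f: f[0], "dst_port": lambda f: f[1], "proto": lambda f: f[2]}
WEIGHTS = {"src_ip": 0.3, "dst_port": 0.5, "proto": 0.2}
THRESHOLD = 1.0  # assumed decision threshold on the weighted relative entropy

def distribution(values, support, alpha=0.01):
    """Empirical probability of each value over a fixed support, with additive smoothing."""
    counts = Counter(values)
    total = len(values) + alpha * len(support)
    return {s: (counts.get(s, 0) + alpha) / total for s in support}

def relative_entropy(p, q):
    """Relative entropy (KL divergence) D(p || q) in bits; p and q share a support."""
    return sum(p[s] * math.log2(p[s] / q[s]) for s in p)

def weighted_relative_entropy(baseline, window, measures=MEASURES, weights=WEIGHTS):
    """Per-measure relative entropy of the window against the baseline, fused by weights."""
    per_measure, score = {}, 0.0
    for name, key in measures.items():
        base_vals = [key(f) for f in baseline]
        win_vals = [key(f) for f in window]
        support = sorted(set(base_vals) | set(win_vals))  # shared, deterministic support
        d = relative_entropy(distribution(win_vals, support), distribution(base_vals, support))
        per_measure[name] = d
        score += weights[name] * d
    return score, per_measure

def is_anomalous(score, threshold=THRESHOLD):
    return score > threshold

if __name__ == "__main__":
    for label, window in (("normal", NORMAL_WINDOW), ("scan", SCAN_WINDOW)):
        score, per = weighted_relative_entropy(BASELINE, window)
        print(label, round(score, 3), {k: round(v, 3) for k, v in per.items()}, is_anomalous(score))
```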