Journal of Computer Applications (计算机应用) ›› 2015, Vol. 35 ›› Issue (2): 416-419. DOI: 10.11772/j.issn.1001-9081.2015.02.0416

• Information Security •

Real-time detection framework for network intrusion based on data stream

LI Yanhong1,2, LI Deyu1,2, CUI Mengtian3, LI Hua1,4

  1. School of Computer and Information Technology, Shanxi University, Taiyuan Shanxi 030006, China;
    2. Key Laboratory of Computational Intelligence and Chinese Information Processing of Ministry of Education (Shanxi University), Taiyuan Shanxi 030006, China;
    3. School of Computer Science and Technology, Southwest University for Nationalities, Chengdu Sichuan 610041, China;
    4. Department of Mathematics and Physics, Shijiazhuang Tiedao University, Shijiazhuang Hebei 050043, China
  • Received: 2014-09-18 Revised: 2014-11-12 Online: 2015-02-10 Published: 2015-02-12
  • Corresponding author: LI Deyu
  • About the authors: LI Yanhong (born 1977), female, from Linfen, Shanxi; lecturer, PhD candidate; research interests: data mining, machine learning. LI Deyu (born 1965), male, from Quwo, Shanxi; professor, PhD, CCF member; research interests: intelligent computing, data mining. CUI Mengtian (born 1972), female, from Ulanhot, Inner Mongolia; professor, PhD; research interests: trustworthy software, optimization theory and algorithms. LI Hua (born 1978), female, from Luquan, Hebei; lecturer, PhD candidate; research interests: granular computing, data mining.
  • Funding:

    This work was supported by the National Natural Science Foundation of China (61272095, 61175067, 61303091, 61379019, 61403238), the Natural Science Foundation of Shanxi Province (2012061015), the Key Science and Technology Program of Shanxi Province (20110321027-02), and the Scientific Research Project for Returned Overseas Scholars of Shanxi Province (2013-014).

Real-time detection framework for network intrusion based on data stream

LI Yanhong1,2, LI Deyu1,2, CUI Mengtian3, LI Hua1,4   

  1. School of Computer and Information Technology, Shanxi University, Taiyuan Shanxi 030006, China;
    2. Key Laboratory of Computational Intelligence and Chinese Information Processing of Ministry of Education, Shanxi University, Taiyuan Shanxi 030006, China;
    3. School of Computer Science and Technology, Southwest University for Nationalities, Chengdu Sichuan 610041, China;
    4. Department of Mathematics and Physics, Shijiazhuang Tiedao University, Shijiazhuang Hebei 050043, China
  • Received:2014-09-18 Revised:2014-11-12 Online:2015-02-10 Published:2015-02-12

Abstract (translated from the Chinese):

Computer network access requests arrive in real time and change dynamically. To detect network intrusions in real time while adapting to the dynamic change of network access data, a real-time network intrusion detection framework based on data streams is proposed. First, the misuse detection model and the anomaly detection model are combined, and an initial clustering builds a knowledge base consisting of normal patterns and abnormal patterns. Second, the dissimilarity between a data point and a data cluster is used to measure the similarity of network access data to the normal and abnormal patterns, and the legitimacy of the network access data is judged accordingly. Finally, when the network access data stream evolves, the knowledge base is updated by reclustering so that it reflects the most recent state of network access. Experiments on the KDDCup99 intrusion detection dataset show that, with 10000 samples for initial clustering, 10000 samples for buffer clustering, and an adjustment coefficient of 0.9, the recall rate reaches 91.92% and the false positive rate 0.58%, close to the results of the traditional non-real-time detection model; however, the whole learning and detection process scans the network access data only once, and a knowledge base update mechanism is introduced, which gives the framework an advantage in the real-time performance and adaptability of intrusion detection.

Keywords: data stream, intrusion detection, clustering, knowledge base, information entropy

Abstract:

Access requests to a computer network arrive in real time and change dynamically. In order to detect network intrusion in real time and adapt to the dynamic change of network access data, a real-time detection framework for network intrusion based on data streams was proposed. First of all, the misuse detection model and the anomaly detection model were combined, and a knowledge base made up of normal patterns and abnormal patterns was established by an initial clustering. Secondly, the similarity between network access data and the normal and abnormal patterns was measured using the dissimilarity between a data point and a data cluster, and the legitimacy of the network access data was determined from it. Finally, when the network access data stream evolved, the knowledge base was updated by reclustering to reflect the most recent state of network access. Experiments on the intrusion detection dataset KDDCup99 show that, when the initial clustering uses 10000 samples, the buffer clustering uses 10000 samples and the adjustment coefficient is 0.9, the proposed framework achieves a recall rate of 91.92% and a false positive rate of 0.58%. This approaches the result of the traditional non-real-time detection model, but the whole process of learning and detection scans the network access data only once. With the introduction of a knowledge base update mechanism, the proposed framework is more advantageous in the real-time performance and adaptability of intrusion detection.

Key words: data stream, intrusion detection, clustering, knowledge base, information entropy
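The following is an added illustration of the three stages the abstract describes (initial clustering into a labelled knowledge base, nearest-cluster dissimilarity as the legitimacy test, and reclustering from a buffer when the stream has moved on); it is not the authors' code and the paper does not publish one. Everything concrete here is assumed: plain k-means as the clustering algorithm, Euclidean distance as the point-to-cluster dissimilarity, the label of the nearest cluster as the verdict, a full buffer as the trigger for reclustering, the detector's own verdicts as the labels used for reclustering, and toy three-field records standing in for KDDCup99 rows. The paper's adjustment coefficient and its use of information entropy are not modelled. The example shows the adaptation step the abstract only names: after the buffer is reclustered, the normal cluster follows the drifted traffic instead of staying at its initial position.

```python
from math import dist            # Euclidean distance (assumed dissimilarity measure)
from collections import defaultdict

# Constructed toy records in the spirit of KDDCup99 numeric fields
# (duration, bytes transferred, connections to the same host). Not real dataset rows.
INITIAL_SAMPLES = [
    ([1.0, 2.0, 0.10], "normal"),
    ([1.2, 1.8, 0.20], "normal"),
    ([0.9, 2.2, 0.10], "normal"),
    ([1.1, 2.1, 0.15], "normal"),
    ([0.0, 0.0, 5.00], "attack"),
    ([0.1, 0.0, 4.80], "attack"),
    ([0.0, 0.1, 5.20], "attack"),
    ([0.05, 0.0, 5.10], "attack"),
]

# Constructed stream: legitimate traffic has drifted (longer sessions, more bytes)
# while the attack pattern is unchanged.
STREAM = [
    [3.0, 6.0, 0.30], [0.0, 0.0, 5.0], [3.1, 5.9, 0.25],
    [2.9, 6.1, 0.35], [0.1, 0.0, 5.1], [3.0, 6.0, 0.30],
]


def kmeans(points, k, iterations=20):
    """Plain k-means (assumed; the paper does not name its clustering algorithm).
    Returns (centroids, members) so callers can keep per-cluster statistics."""
    centroids = [list(p) for p in points[:k]]
    members = [[] for _ in range(k)]
    for _ in range(iterations):
        members = [[] for _ in range(k)]
        for p in points:
            nearest = min(range(k), key=lambda i: dist(p, centroids[i]))
            members[nearest].append(p)
        updated = [
            [sum(col) / len(m) for col in zip(*m)] if m else centroids[i]
            for i, m in enumerate(members)
        ]
        if updated == centroids:
            break
        centroids = updated
    return centroids, members


def build_knowledge_base(samples, k_per_label):
    """Cluster normal and attack samples separately and keep every cluster with its
    label: attack clusters play the misuse role, normal clusters the anomaly role."""
    by_label = defaultdict(list)
    for features, label in samples:
        by_label[label].append(features)
    knowledge_base = []
    for label, points in by_label.items():
        centroids, members = kmeans(points, min(k_per_label, len(points)))
        for centroid, m in zip(centroids, members):
            if m:
                knowledge_base.append({"centroid": centroid, "label": label, "size": len(m)})
    return knowledge_base


class StreamDetector:
    """Single-pass detector: classify, buffer, recluster when the buffer is full."""

    def __init__(self, initial_samples, k_per_label=2, buffer_size=10000):
        self.knowledge_base = build_knowledge_base(initial_samples, k_per_label)
        self.k_per_label = k_per_label
        self.buffer_size = buffer_size
        self.buffer = []
        self.reclusters = 0

    def classify(self, features):
        # Legitimacy test: the verdict is the label of the least dissimilar cluster.
        nearest = min(self.knowledge_base, key=lambda c: dist(features, c["centroid"]))
        return nearest["label"]

    def process(self, features):
        label = self.classify(features)
        self.buffer.append((features, label))     # each record is seen exactly once
        if len(self.buffer) >= self.buffer_size:
            self._recluster()
        return label

    def _recluster(self):
        # Assumed update rule: rebuild from the buffered records using the detector's
        # own verdicts as labels; clusters for a label absent from the buffer are kept.
        fresh = build_knowledge_base(self.buffer, self.k_per_label)
        seen = {c["label"] for c in fresh}
        kept = [c for c in self.knowledge_base if c["label"] not in seen]
        self.knowledge_base = fresh + kept
        self.buffer = []
        self.reclusters += 1


if __name__ == "__main__":
    detector = StreamDetector(INITIAL_SAMPLES, k_per_label=1, buffer_size=6)
    for record in STREAM:
        print(record, "->", detector.process(record))
    print("knowledge base after recluster:", detector.knowledge_base)
```

With `buffer_size=6` the sixth record triggers the update, after which the normal centroid sits at roughly (3.0, 6.0, 0.3) rather than the initial (1.05, 2.0, 0.14). Two caveats a practitioner would want: reclustering from the detector's own verdicts means a misclassified burst can be learned as legitimate, so in practice the buffer labels need a check (the paper reports a 0.58% false positive rate at its chosen parameters, but how its update guards against this is not stated in the abstract), and Euclidean distance on unscaled fields lets the largest-magnitude feature dominate the dissimilarity, so features should be normalised before clustering.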

CLC number: