Computer Science (计算机科学), 2013, Vol. 40, Issue 12: 192-196.
姚东,罗军勇,陈武平,尹美娟
YAO Dong,LUO Jun-yong,CHEN Wu-ping and YIN Mei-juan
Abstract: On high-speed, high-volume network backbone links, attack and anomalous traffic is small relative to normal traffic, which makes real-time intrusion detection difficult. To address this problem, a real-time intrusion detection method based on improved nonextensive entropy feature extraction and dual random forests is proposed. Nonextensive entropy is used to extract multidimensional features from the value distributions of traffic attributes, and the nonextensive entropy is modified to reduce the correlation between features. A first random forest detection model is built from the complete feature sample set, and a second random forest detection model is built from the feature sample subset that contains attack data; the dual random forest detection algorithm then achieves effective detection of the small number of anomalies. Experimental results show that the method achieves high detection precision and recall from limited flow information, with moderate time and space complexity, making it suitable for real-time intrusion detection on backbone links.
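As an added illustration of the feature-extraction step described in the abstract (this is not code from the paper, and the flow records below are constructed), the following Python computes nonextensive (Tsallis) entropy S_q = (1 - sum p_i^q) / (q - 1) over the value distribution of each flow attribute in a time window, for several q, giving the multidimensional feature vector that a downstream classifier such as a random forest would consume. The attribute set and q values are assumptions; the paper's specific modification of the entropy to reduce inter-feature correlation is not stated in the abstract, so it is not reproduced. The skewed window shows why these features are useful for detection: when one destination absorbs almost all flows, the dst_ip and dst_port distributions collapse and their entropy drops sharply while src_ip entropy stays high.

```python
"""Nonextensive (Tsallis) entropy features over flow attribute distributions.
Added illustration; not the paper's code, data or exact feature definition."""
from collections import Counter
import math

# Constructed NetFlow-like records: (src_ip, dst_ip, dst_port, protocol).
# All values are made up for illustration.
NORMAL_WINDOW = [
    ("10.0.0.1", "192.0.2.10", 443, "tcp"),
    ("10.0.0.2", "192.0.2.11", 80, "tcp"),
    ("10.0.0.3", "192.0.2.12", 53, "udp"),
    ("10.0.0.4", "192.0.2.13", 443, "tcp"),
    ("10.0.0.5", "192.0.2.14", 22, "tcp"),
    ("10.0.0.6", "192.0.2.15", 80, "tcp"),
    ("10.0.0.7", "192.0.2.16", 123, "udp"),
    ("10.0.0.8", "192.0.2.17", 443, "tcp"),
]

# A window in which seven of eight flows converge on one host and port
# (constructed). Many sources, one destination: dst_* entropy collapses.
SKEWED_WINDOW = [("10.0.0.%d" % i, "192.0.2.10", 80, "tcp") for i in range(1, 8)]
SKEWED_WINDOW.append(("10.0.0.9", "192.0.2.11", 443, "tcp"))

# Attribute names in record order and the q values used (both assumptions;
# q = 1 is the Shannon limit of the Tsallis entropy).
ATTRIBUTES = ("src_ip", "dst_ip", "dst_port", "protocol")
Q_VALUES = (0.5, 1.0, 2.0)


def value_distribution(window, index):
    """Empirical probability of each distinct value of attribute `index`."""
    counts = Counter(rec[index] for rec in window)
    total = sum(counts.values())
    return [c / total for c in counts.values()]


def tsallis_entropy(probs, q):
    """S_q = (1 - sum p^q) / (q - 1); falls back to Shannon entropy at q = 1."""
    if abs(q - 1.0) < 1e-12:
        return -sum(p * math.log(p) for p in probs if p > 0)
    return (1.0 - sum(p ** q for p in probs)) / (q - 1.0)


def entropy_features(window):
    """Map (attribute, q) -> S_q for one time window of flow records."""
    feats = {}
    for idx, name in enumerate(ATTRIBUTES):
        probs = value_distribution(window, idx)
        for q in Q_VALUES:
            feats[(name, q)] = tsallis_entropy(probs, q)
    return feats


def feature_vector(window):
    """Fixed-order numeric vector (len(ATTRIBUTES) * len(Q_VALUES)) for a
    classifier; the order is attribute-major, q-minor."""
    feats = entropy_features(window)
    return [feats[(name, q)] for name in ATTRIBUTES for q in Q_VALUES]


def entropy_drop(normal_window, window, attribute, q=2.0):
    """How far the given attribute's entropy falls relative to a normal
    baseline window (positive = less diverse than baseline)."""
    base = entropy_features(normal_window)[(attribute, q)]
    cur = entropy_features(window)[(attribute, q)]
    return base - cur


if __name__ == "__main__":
    for name in ATTRIBUTES:
        print("%-8s normal S_2=%.3f skewed S_2=%.3f" % (
            name,
            entropy_features(NORMAL_WINDOW)[(name, 2.0)],
            entropy_features(SKEWED_WINDOW)[(name, 2.0)]))
```

In a live deployment the windows would be consecutive slices of the NetFlow stream, and `feature_vector` would be computed per window and fed to the detection models; the point of computing several q values per attribute is that low q weights rare values and high q weights dominant ones, so the vector captures more of the distribution's shape than a single Shannon entropy does.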