Computer Science (计算机科学) ›› 2014, Vol. 41 ›› Issue (Z11): 252-258.

• Information Security •

Research on Redundant Data Reduction Techniques for Intrusion Detection and Forensics

Qian Qin, Zhang Jian, Zhang Kun, Fu Xiao, Mao Bing

  1. Technology Division, Jiangsu Provincial Higher People's Court, Nanjing 210024; School of Software, Nanjing University, Nanjing 210093; State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing 210093
  • Online: 2018-11-14 Published: 2018-11-14
  • Funding:
    Supported by the National Natural Science Foundation of China (61100198/F0207) and the National 973 Program (2010CB327903)

Technical Study of Reducing Redundant Data for Intrusion Detection and Intrusion Forensics

QIAN Qin,ZHANG Jian,ZHANG Kun,FU Xiao and MAO Bing   

  • Online:2018-11-14 Published:2018-11-14

Abstract (translated from the Chinese): In recent years computer crime has risen year on year and has become one of the major factors disrupting the normal development of national politics, the economy, culture and other fields. Intrusion detection and intrusion forensics are important for combating computer crime, tracing intrusions, patching security vulnerabilities and improving the security architecture of computer networks. However, with the spread of networks and the growth of computer storage capacity, the data that intrusion detection and forensics must analyse is now often measured in gigabytes or even terabytes, and the useful information is typically buried in a large number of redundant events triggered by normal system behaviour. This poses a great challenge to the analysis process and lowers the accuracy of its results. How to design an automatic redundant-data reduction technique that raises the accuracy and efficiency of intrusion detection and forensics methods is therefore one of the key problems in the field. This paper surveys the existing work in this area: it first introduces the development of redundant-data reduction techniques and their application in traditional fields such as medical data analysis, then focuses on the existing redundant-data reduction methods aimed at intrusion detection and intrusion forensics, and finally, by comparing current techniques, points out the open problems in the field and directions for future research.

Keywords: Intrusion detection, Intrusion forensics, Redundant data reduction

Abstract: For the past few years the amount of computer crime has been increasing year by year, and it threatens many aspects of society, including national politics, the economy and culture. Research on intrusion detection and intrusion forensics therefore plays a significant role in fighting computer crime, tracing intrusions, patching vulnerabilities and improving the security of computer networks. However, with the spread of the Internet and the growing storage capacity of computers, intrusion detection and forensics must often handle gigabytes or even terabytes of data. Much of the useful information is submerged in redundant events, which makes analysis both difficult and inaccurate. Designing techniques that reduce redundant data while improving the accuracy and efficiency of analysis is therefore a key challenge. This paper surveys such methods for intrusion detection and intrusion forensics. It first reviews the development of redundancy-reducing techniques and their application in traditional fields such as medicine, then systematically introduces the redundancy-reducing methods used in intrusion detection and forensics, and finally, through a comparison of the current techniques, identifies the open problems and directions for future research.

Key words: Intrusion detection,Intrusion forensics,Redundant data reduction
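The survey's central observation, that the few alerts worth an analyst's time are buried among repeated events fired by normal or noisy activity, can be seen on a handful of constructed IDS alert lines. The Python block below is an added example written for this page, not code from the paper or from any of the surveyed systems. It implements one elementary reduction step, collapsing alerts that share a signature, source address and destination port and arrive within a time window into a single summarized record, and reports the resulting reduction ratio. The pipe-separated alert format, the field names and the sample alerts are all constructed assumptions.

```python
"""Alert aggregation as one redundant-data reduction step for IDS output.

Added example for this page (not code from the paper or the surveyed systems).
The alert line format "timestamp|signature|src_ip|dst_ip|dst_port" and the
sample alerts below are constructed for the illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample: a horizontal ping sweep, an SSH brute-force burst,
# one isolated shellcode alert, and the same sweep returning an hour later.
SAMPLE_ALERTS = """\
2014-03-01T10:00:00|ICMP PING NMAP|10.0.0.5|192.168.1.10|0
2014-03-01T10:00:01|ICMP PING NMAP|10.0.0.5|192.168.1.11|0
2014-03-01T10:00:02|ICMP PING NMAP|10.0.0.5|192.168.1.12|0
2014-03-01T10:00:03|ICMP PING NMAP|10.0.0.5|192.168.1.13|0
2014-03-01T10:00:04|ICMP PING NMAP|10.0.0.5|192.168.1.14|0
2014-03-01T10:00:05|ICMP PING NMAP|10.0.0.5|192.168.1.15|0
2014-03-01T10:05:00|SSH brute force attempt|10.0.0.7|192.168.1.20|22
2014-03-01T10:05:10|SSH brute force attempt|10.0.0.7|192.168.1.20|22
2014-03-01T10:05:20|SSH brute force attempt|10.0.0.7|192.168.1.20|22
2014-03-01T10:05:30|SSH brute force attempt|10.0.0.7|192.168.1.20|22
2014-03-01T10:05:40|SSH brute force attempt|10.0.0.7|192.168.1.20|22
2014-03-01T10:06:30|SHELLCODE x86 NOOP|203.0.113.9|192.168.1.20|8080
2014-03-01T11:00:00|ICMP PING NMAP|10.0.0.5|192.168.1.10|0
2014-03-01T11:00:01|ICMP PING NMAP|10.0.0.5|192.168.1.11|0
"""


@dataclass
class Alert:
    ts: datetime
    signature: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class Aggregate:
    """One summarized record standing in for a run of similar alerts."""
    signature: str
    src_ip: str
    dst_port: int
    first: datetime
    last: datetime
    count: int = 0
    dst_ips: Set[str] = field(default_factory=set)


def parse_alerts(text: str) -> List[Alert]:
    """Parse the constructed pipe-separated format; blank and '#' lines are skipped."""
    alerts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, sig, src, dst, port = line.split("|")
        alerts.append(Alert(datetime.fromisoformat(ts), sig, src, dst, int(port)))
    return alerts


def aggregate(alerts: List[Alert], window: timedelta = timedelta(seconds=60)) -> List[Aggregate]:
    """Collapse alerts sharing (signature, src_ip, dst_port) whose inter-arrival
    gap stays within `window` into one Aggregate.  A gap larger than the window
    closes the group, so the same scanner returning an hour later is reported
    again instead of being silently folded into the earlier record."""
    open_groups: Dict[Tuple[str, str, int], Aggregate] = {}
    closed: List[Aggregate] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.signature, a.src_ip, a.dst_port)
        group = open_groups.get(key)
        if group is not None and a.ts - group.last > window:
            closed.append(open_groups.pop(key))
            group = None
        if group is None:
            group = Aggregate(a.signature, a.src_ip, a.dst_port, a.ts, a.ts)
            open_groups[key] = group
        group.count += 1
        group.last = a.ts
        group.dst_ips.add(a.dst_ip)
    closed.extend(open_groups.values())
    closed.sort(key=lambda g: g.first)
    return closed


def reduction_ratio(n_in: int, n_out: int) -> float:
    """Fraction of records removed by the aggregation step."""
    return 0.0 if n_in == 0 else 1.0 - n_out / n_in


def summarize(groups: List[Aggregate]) -> List[str]:
    """Human-readable one-line summaries, suitable for an analyst's queue."""
    return [
        f"{g.first:%H:%M:%S}-{g.last:%H:%M:%S} x{g.count:<3} {g.signature} "
        f"src={g.src_ip} dsts={len(g.dst_ips)} port={g.dst_port}"
        for g in groups
    ]


if __name__ == "__main__":
    raw_alerts = parse_alerts(SAMPLE_ALERTS)
    groups = aggregate(raw_alerts)
    for line in summarize(groups):
        print(line)
    print(f"{len(raw_alerts)} alerts -> {len(groups)} records "
          f"({reduction_ratio(len(raw_alerts), len(groups)):.0%} reduction)")
```

On the sample, fourteen alerts become four records and the single SHELLCODE alert is no longer surrounded by sweep noise. Two practical caveats apply to any such step. First, the grouping key encodes a hypothesis: keying on the source address collapses one scanner hitting many hosts, but it would also spread a distributed attack on one target across many records, so the key should match what the analyst is hunting for. Second, for forensic use the reduction must be lossless: the summarized record is a view for triage, and the raw alerts it stands for must be retained (with references from the summary) because a summary is not evidence. Separating false alarms from true ones, which the survey treats as its own class of methods, is a further step that this aggregation does not perform.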

