首页 | 本学科首页   官方微博 | 高级检索  
相似文献
 共查询到20条相似文献,搜索用时 125 毫秒
1.
多步骤攻击是当前占据主流的攻击模式,但当前的入侵检测系统在检测这种攻击时存在告警冗余、告警孤立等问题.为解决这些问题,提出了一个验证-聚类-关联告警分析模型.该模型将验证、聚类、关联这3个告警分析环节结合在一起,逐层地对告警信息进行分析,通过验证过滤掉原始告警信息中的误报及无关信息,验证后的有效告警信息通过聚类生成无冗余的单步告警,再通过关联生成能描述攻击者意图的全局告警.对相关的算法与规则进行了描述,并通过几个实际的攻击场景验证了该模型的有效性.  相似文献   

2.
现有的利用入侵检测告警来构建攻击场景、识别多步攻击意图的方法存在着需要定义复杂的关联规则、过于依赖专家知识和难以发现完整场景等不足,为此提出了一种基于攻击行为序列模式挖掘方法的攻击意图识别技术.通过分析入侵告警的攻击行为序列,挖掘出多步攻击的行为模式,再进行在线的告警模式匹配和告警关联度计算来发现攻击者的攻击意图,预测攻击者的下一步攻击行为.实验结果表明,该方法可以有效的挖掘出攻击者的多步攻击行为模式,并能有效的实现在线的攻击意图识别.  相似文献   

3.
张连华 《微型电脑应用》2011,27(8):36-38,73
入侵检测系统的广泛使用产生了许多告警信息流,这些告警事件信息流基本上都是基于低层的攻击步骤检测,且具有较大的误告警率;各种分布式攻击进一步加剧了入侵检测系统告警事件信息流的复杂性。研究介绍了关联分析的基本原因、关联分析的基本概念,然后提出智能化入侵检测关联分析层次模型。该模型从误告警验证和抑制,到一个攻击一个告警,再到一个攻击过程对应一个场景刻画,形成一个层次。在不同的层次上,防御者对攻击的视图越来越清晰,从而为响应措施提供了精确的决策依据,进一步提高了整个入侵检测系统的智能性和可用性。  相似文献   

4.
李洪江  周保群  赵彬 《计算机工程》2008,34(17):173-175,185
为保证网络安全,布置入侵检测系统、防火墙、防病毒软件等安全产品易造成入侵检测系统的漏报和误报、防火墙的日志信息过于庞大等问题,导致整个系统的安全难以保证.该文提出一种安全事件综合分析处理系统,经过系统的事件收集与预处理、告警压制与聚合、攻击重构和关联结果分析及处理等过程,在一定程度上解决了入侵告警的误报和漏报问题,同时使得管理员更容易获得系统的整体安全状况.对系统中2种核心技术--压制聚合和攻击重构进行了描述.  相似文献   

5.
构建了一个基于数据挖掘的分布式入侵检测系统模型。采用误用检测技术与异常检测技术相结合的方法,利用数据挖掘技术如关联分析、序列分析、分类分析、聚类分析等对安全审计数据进行智能检测,分析来自网络的入侵攻击或未授权的行为,提供实时报警和自动响应,实现一个自适应、可扩展的分布式入侵检测系统。实验表明,该模型对已知的攻击模式具有很高的检测率,对未知攻击模式也具有一定的检测能力。  相似文献   

6.
基于数据挖掘的入侵检测系统智能结构模型   总被引:5,自引:5,他引:5  
伊胜伟  刘旸  魏红芳 《计算机工程与设计》2005,26(9):2464-2466,2472
为了提高对拒绝服务攻击、内存溢出攻击、端口扫描攻击和网络非法入侵等发现的有效性以及对海量的安全审计数据能进行智能化处理,采用数据挖掘的方法从大量的信息中提取有威胁的、隐蔽的入侵行为及其模式.将数据挖掘的聚类分析方法与入侵检测系统相结合,提出了一种入侵检测系统的智能结构模型.实验表明,它能够有效地从海量的网络数据中进行聚类划分,找到相关的入侵数据,从而提高对各种攻击类型网络入侵检测的效率.  相似文献   

7.
基于上下文验证的网络入侵检测模型   总被引:2,自引:0,他引:2  
大量误报引发的可信问题一直是入侵检测研究领域所面对的具有挑战性的未解技术难题之一.为了提高入侵检测系统的确定性和准确性,必须对其告警信息加以区分,滤除无效攻击导致的虚警,从而自动准确地识别有效攻击.由此,提出了一种基于上下文验证的网络入侵检测模型,结合环境上下文、弱点上下文、反馈上下文和异常上下文等多种上下文信息,构建了一个以上下文为中心、多种验证技术相结合的高效、稳定、完整、易管理、可扩充的虚警处理平台,实现了告警的自动验证以及攻击行为能否成功地自动判定,从而达到滤除虚警的目的,使入侵检测系统起到真正的预警作用.  相似文献   

8.
提出了一种新的攻击场景挖掘算法.该算法建立在对高级告警的进一步分析和处理之上,通过统计挖掘找出概率统计上的弱关联攻击链,再对这些攻击链进行进一步的关联分析,从而构建出真实攻击场景模型.该方法较之大多数需要定义复杂的关联规则的方法而言更容易实现,并具有一定的独创性.初步的实验结果证明该方法能有效地挖掘出攻击场景模型,并能用于发现新的攻击场景.  相似文献   

9.
基于数据挖掘的入侵检测告警关联分析研究   总被引:2,自引:0,他引:2  
关联分析技术能够大大减少报警的数量、降低入侵检测误报警率 (false positive)和适当减少入侵检测漏报率 (falsenegative)。所以在入侵检测系统中引入报警关联分析功能具有重要的实际意义。目前入侵检测报警关联分析技术获得了广泛的研究。基于数据挖掘的入侵检测告警关联分析能够自动提取关联规则 ,分析告警并发现新的入侵模式 ,是一种智能性较强的解决方法。本文对基于数据挖掘的入侵检测告警关联分析进行了较详细的研究。  相似文献   

10.
入侵检测系统作为保护网络安全的重要工具已被广泛使用,其通常产生大量冗余度高、误报率高的告警。告警关联分析通过对底层告警进行综合分析与处理,揭示出其中包含的多步攻击行为。许多告警关联方法通过在历史告警中挖掘频繁模式来构建攻击场景,方法容易受冗余告警、误报影响,挖掘出的多步攻击链在某些情况下不能反映出真实的多步攻击行为。为此,提出一种基于多因素的多步攻击关联方法。通过聚合原始告警以得到超级告警,降低冗余告警带来的影响;将超级告警构造成超级告警时间关系图,同时结合超级告警间的多因素关联度评价函数从时间关系图中挖掘出多步攻击场景。实验结果表明,该方法能克服冗余告警及大部分误报带来的负面影响、有效地挖掘出多步攻击链。  相似文献   

11.
A hybrid intrusion detection system design for computer network security   总被引:1,自引:0,他引:1  
Intrusions detection systems (IDSs) are systems that try to detect attacks as they occur or after the attacks took place. IDSs collect network traffic information from some point on the network or computer system and then use this information to secure the network. Intrusion detection systems can be misuse-detection or anomaly detection based. Misuse-detection based IDSs can only detect known attacks whereas anomaly detection based IDSs can also detect new attacks by using heuristic methods. In this paper we propose a hybrid IDS by combining the two approaches in one system. The hybrid IDS is obtained by combining packet header anomaly detection (PHAD) and network traffic anomaly detection (NETAD) which are anomaly-based IDSs with the misuse-based IDS Snort which is an open-source project.The hybrid IDS obtained is evaluated using the MIT Lincoln Laboratories network traffic data (IDEVAL) as a testbed. Evaluation compares the number of attacks detected by misuse-based IDS on its own, with the hybrid IDS obtained combining anomaly-based and misuse-based IDSs and shows that the hybrid IDS is a more powerful system.  相似文献   

12.
While many commercial intrusion detection systems (IDS) are deployed, the protection they afford is modest. State-of-the-art IDS produce voluminous alerts, most false alarms, and function mainly by recognizing the signatures of known attacks so that novel attacks slip past them. Attempts have been made to create systems that recognize the signature of “normal,” in the hope that they will then detect attacks, known or novel. These systems are often confounded by the extreme variability of nominal behavior. The paper describes an experiment with an IDS composed of a hierarchy of neural networks (NN) that functions as a true anomaly detector. This result is achieved by monitoring selected areas of network behavior, such as protocols, that are predictable in advance. While this does not cover the entire attack space, a considerable number of attacks are carried out by violating the expectations of the protocol/operating system designer. Within this focus, the NNs are trained using data that spans the entire normal space. These detectors are able to recognize attacks that were not specifically presented during training. We show that using small detectors in a hierarchy gives a better result than a single large detector. Some techniques can be used not only to detect anomalies, but to distinguish among them  相似文献   

13.
鉴于DDoS攻击分布式、汇聚性的特点,实现分布在大规模网络环境中的多个IDS系统间合作检测有助于在攻击流形成规模前合成攻击全貌并适当反应.MDCI系统首次提出了环形合作模式,即构建一个环重要网络信息资源的IDS系统合作组,通过组内节点同信息共享和警报关联分析,迅速判定DDoS攻击、MDCI系统中,采用报头内容分析和反向散射分析相结合的方法对本地捕获的数据报进行分析并采用统一标准格式对可疑特征进行报警;采用数据流分类概率评估的方法实现合作结点间警报信息的关联分析,从而合成攻击的全貌.通过实验可以看到,该系统有效地提高了针对DDoS攻击的预警速度.  相似文献   

14.
Information systems are one of the most rapidly changing and vulnerable systems, where security is a major issue. The number of security-breaking attempts originating inside organizations is increasing steadily. Attacks made in this way, usually done by "authorized" users of the system, cannot be immediately traced. Because the idea of filtering the traffic at the entrance door, by using firewalls and the like, is not completely successful, the use of intrusion detection systems should be considered to increase the defense capacity of an information system. An intrusion detection system (IDS) is usually working in a dynamically changing environment, which forces continuous tuning of the intrusion detection model, in order to maintain sufficient performance. The manual tuning process required by current IDS depends on the system operators in working out the tuning solution and in integrating it into the detection model. Furthermore, an extensive effort is required to tackle the newly evolving attacks and a deep study is necessary to categorize it into the respective classes. To reduce this dependence, an automatically evolving anomaly IDS using neuro-genetic algorithm is presented. The proposed system automatically tunes the detection model on the fly according to the feedback provided by the system operator when false predictions are encountered. The system has been evaluated using the Knowledge Discovery in Databases Conference (KDD 2009) intrusion detection dataset. Genetic paradigm is employed to choose the predominant features, which reveal the occurrence of intrusions. The neuro-genetic IDS (NGIDS) involves calculation of weightage value for each of the categorical attributes so that data of uniform representation can be processed by the neuro-genetic algorithm. In this system unauthorized invasion of a user are identified and newer types of attacks are sensed and classified respectively by the neuro-genetic algorithm. The experimental results obtained in this work show that the system achieves improvement in terms of misclassification cost when compared with conventional IDS. The results of the experiments show that this system can be deployed based on a real network or database environment for effective prediction of both normal attacks and new attacks.  相似文献   

15.
As the use of intrusion detection systems (IDSs) continues to climb and as researchers find more ways to detect attacks amid a vast ocean of data. The problem of testing IDS solutions has reared its ugly bead. Showing that one technique is better than another or training an IDS about normal usage requires test data. As it turns out, collecting or creating such a data set is something of a catch-22. If the data already contains attacks, researchers will train the IDS to see the attacks as normal; the IDS could then fail to register them as malicious events in the future. The most efficient way, however, to determine whether a large data set contains malicious events is to scan it with existing IDS. Thus, any attacks that the existing IDS fails to find are presented to the new IDS as normal data leading to potential false negatives. Clearly, breaking this cycle requires an independent source of verifiable attack-free training data with which to train IDSs.  相似文献   

16.
一种基于移动Agent的抗攻击性IDS模型   总被引:2,自引:0,他引:2  
随着入侵检测系统(Inhusion Detection System——IDS)性能的逐步提高,攻击者往往在入侵目标网络之前攻击IDS,使其丧失保护功能。在当前常用的分布式入侵检测系统的基础上,提出了一种能够对抗拒绝服务(Denial of Service——DoS)攻击的IDS模型,并指出了将当前的分布式IDS转换成此模型的配置方法。  相似文献   

17.
The Internet connects hundreds of millions of computers across the world running on multiple hardware and software platforms providing communication and commercial services. However, this interconnectivity among computers also enables malicious users to misuse resources and mount Internet attacks. The continuously growing Internet attacks pose severe challenges to develop a flexible, adaptive security oriented methods. Intrusion detection system (IDS) is one of most important component being used to detect the Internet attacks. In literature, different techniques from various disciplines have been utilized to develop efficient IDS. Artificial intelligence (AI) based techniques plays prominent role in development of IDS and has many benefits over other techniques. However, there is no comprehensive review of AI based techniques to examine and understand the current status of these techniques to solve the intrusion detection problems. In this paper, various AI based techniques have been reviewed focusing on development of IDS. Related studies have been compared by their source of audit data, processing criteria, technique used, dataset, classifier design, feature reduction technique employed and other experimental environment setup. Benefits and limitations of AI based techniques have been discussed. The paper will help the better understanding of different directions in which research has been done in the field of IDS. The findings of this paper provide useful insights into literature and are beneficial for those who are interested in applications of AI based techniques to IDS and related fields. The review also provides the future directions of the research in this area.  相似文献   

18.
针对网络入侵检测系统的攻击及防御   总被引:3,自引:0,他引:3  
Internet的使用越来越广泛,随之而来的网络安全已成为人们关注的焦点。入侵检测系统作为一种对付攻击的有效手段,已为越来越多的单位所采用。然而一旦攻击者发现目标网络中部署有入侵检测系统IDS,那么IDS往往成为他们首选的攻击目标。该文详细分析了针对网络IDS的几种攻击类型,即过载攻击、崩溃攻击和欺骗攻击,以及如何防御这些攻击,这对于IDS的设计具有一定的借鉴意义。  相似文献   

19.
In computer and network security, standard approaches to intrusion detection and response attempt to detect and prevent individual attacks. Intrusion Detection System (IDS) and intrusion prevention systems (IPS) are real-time software for risk assessment by monitoring for suspicious activity at the network and system layer. Software scanner allows network administrator to audit the network for vulnerabilities and thus securing potential holes before attackers take advantage of them.

In this paper we try to define the intruder, types of intruders, detection behaviors, detection approaches and detection techniques. This paper presents a structural approach to the IDS by introducing a classification of IDS. It presents important features, advantages and disadvantages of each detection approach and the corresponding detection techniques. Furthermore, this paper introduces the wireless intrusion protection systems.

The goal of this paper is to place some characteristics of good IDS and examine the positioning of intrusion prevention as part of an overall layered security strategy and a review of evaluation criteria for identifying and selecting IDS and IPS. With this, we hope to introduce a good characteristic in order to improve the capabilities for early detection of distributed attacks in the preliminary phases against infrastructure and take a full spectrum of manual and automatic response actions against the source of attacks.  相似文献   


20.
现代互联网络存在认知负担重、缺乏全局认知、交互性较差等安全问题。为此,利用可视化方法识别网络中的攻击和异常事件,并提出一种新型的入侵检测分析系统(IDs)——基于辐射状面板可视化技术的IDSView。根据现有可视化系统的不足,考虑用户接口与体验,采用颜色混合算法、多段拟合贝塞尔曲线算法、数据预处理及端口映射算法,降低图像的闭塞性,提高可扩展性及增强入侵识别与态势感知能力。应用结果表明,应用该方法分析人员可以直观地从宏观和微观2个层面感知网络安全状态,有效地识别网络攻击,辅助分析人员决策。  相似文献   

设为首页 | 免责声明 | 关于勤云 | 加入收藏

Copyright©北京勤云科技发展有限公司  京ICP备09084417号