
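Research on Adaptive Intrusion Detection Techniques Based on Outlier Detection
Cite this article: FANG Yu-ke, FU Yan, ZHOU Jun-lin, ZENG Jin-quan. Research on Adaptive Intrusion Detection Techniques Based on Outlier Detection [J]. Netinfo Security, 2009(7):28-31.
Authors: FANG Yu-ke  FU Yan  ZHOU Jun-lin  ZENG Jin-quan
Affiliation: School of Computer Science, University of Electronic Science and Technology of China, Chengdu, Sichuan 610054
Abstract: Traditional intrusion detection techniques mainly extract feature rule patterns for each specific attack from known attack data and then match against those rule patterns. The main problem with rule-based intrusion detection, however, is that existing rule patterns cannot cope effectively with continually changing new intrusion attacks. To address this problem, data-mining-based intrusion detection has become a new research focus in intrusion detection. This paper proposes an adaptive intrusion detection framework based on outlier mining. First, outliers are found using a similarity coefficient; the outlier set is then clustered, and an improved association rule algorithm extracts the latent feature patterns of each class of intrusion activity from the outlier clustering results; usable matching rule patterns are then generated and added to the existing rule patterns, which makes the system adaptive. The paper performs outlier mining on the KDD99 data set from UCI, then uses the Snort IDS as the experimental platform and the IDS Informer attack-simulation tool for testing. The results of these two experiments show the effectiveness of the proposed algorithm.

Keywords: Artificial intelligence  Intrusion detection  Outlier mining  Anomaly detection  Self-adaptive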

Research of outlier detection based adaptive intrusion detection techniques
FANG Yu-ke,FU Yan,ZHOU Jun-lin,ZENG Jin-quan.Research of outlier detection based adaptive intrusion detection techniques[J].Netinfo Security,2009(7):28-31.
Authors:FANG Yu-ke  FU Yan  ZHOU Jun-lin  ZENG Jin-quan
Affiliation:(Department of Computer, University of Electronic Science and Technology of China, Chengdu Sichuan 610054, China)
Abstract: Most traditional intrusion detection techniques mine rule patterns of each attack's features from known data, then match new data against these rules. However, the main problem of rule-based intrusion detection techniques is that the current rule patterns cannot effectively handle new, continuously changing intrusion attacks. To deal with this problem, data-mining-based intrusion detection methods have become a hot field in intrusion detection research. An outlier-detection-based adaptive intrusion detection framework is proposed in this paper. In the proposed framework, the outliers are first detected by a similarity coefficient. Then clusters are built on the detected outlier data set, and an improved association rule algorithm is applied to the clusters. Finally, the rules generated by the association rule algorithm are adaptively added to the current intrusion detection rule base. The experimental platform was based on the Snort IDS, and IDS Informer was employed to simulate attacks and test. The experiments performed on simulated data and on the KDD99 data set from UCI have shown the effectiveness of the proposed methods.
Keywords:Artificial intelligence  Intrusion detection  Outlier mining  Anomaly detection  Self adaptive
This article is indexed in VIP, Wanfang Data and other databases.