A New Approach to Intrusion Detection Based on Rough Set Theory
Cite this article: CAI Zhong-Min, GUAN Xiao-Hong, SHAO Ping, PENG Qin-Ke, SUN Guo-Ji. A New Approach to Intrusion Detection Based on Rough Set Theory [J]. Chinese Journal of Computers, 2003, 26(3): 361-366.
Authors: CAI Zhong-Min  GUAN Xiao-Hong  SHAO Ping  PENG Qin-Ke  SUN Guo-Ji
Affiliation: Center for Networked Systems and Information Security, Systems Engineering Institute, Xi'an Jiaotong University, Xi'an 710049, China
Funding: National Science Fund for Distinguished Young Scholars (69700025), National High-Tech R&D Program of China (863 Program) (2001AA140213), National Natural Science Foundation of China (70171029, 60243001), Xi'an Jiaotong University Doctoral Dissertation Fund
Abstract: An efficient, low-overhead anomaly detection method is proposed for monitoring abnormal process behavior. Using rough set theory, the method extracts a compact predictive rule model from the system call sequences generated while a process runs normally and uses that model to detect abnormal operating states of the process. Compared with other methods, building the normal model with rough sets requires training data that is simpler to collect, and the resulting model is better suited to online detection. Experimental results show that the method detects anomalies more effectively than comparable methods.

Keywords: rough set theory  intrusion detection  anomaly detection  network security  system call  firewall  computer network  information security
Revised: 24 March 2002

A New Approach to Intrusion Detection Based on Rough Set Theory
CAI Zhong-Min, GUAN Xiao-Hong, SHAO Ping, PENG Qin-Ke, SUN Guo-Ji. A New Approach to Intrusion Detection Based on Rough Set Theory [J]. Chinese Journal of Computers, 2003, 26(3): 361-366.
Authors: CAI Zhong-Min  GUAN Xiao-Hong  SHAO Ping  PENG Qin-Ke  SUN Guo-Ji
Abstract: Intrusion detection is an important component of the defense-in-depth network security framework and has been an active topic in computer network security in recent years. This paper presents an effective anomaly intrusion detection method with low overhead and high efficiency, applied to monitoring the abnormal behavior of processes. The method is based on rough set theory and extracts a minimum-size set of detection rules, forming a normal behavior model, from the system call sequences recorded during the normal execution of a process. It detects abnormal operating states of the process and thereby reports a possible intrusion. The paper first defines the normal behavior model in terms of system call sequences, then shows by example how rough set theory is applied as a data mining tool to build the model, and gives the rough-set-based anomaly detection algorithm. Compared with other methods, this method requires a smaller training data set, less effort to collect training data, and is more suitable for real-time detection. Experimental results show that it outperforms other methods reported in the literature in detection resolution, required training data, and suitability for real-time implementation.
Keywords:intrusion detection  anomaly detection  network security  rough set theory  system call
This article is indexed in CNKI, VIP (维普), Wanfang Data and other databases.