
Sampling method for intrusion detection in high-speed networks
Cite this article: NING Zhuo, GONG Jian, GU Wen-jie. Sampling method for IDS in high bandwidth network[J]. Journal on Communications, 2009, 30(11): 27-36.
Authors: NING Zhuo  GONG Jian  GU Wen-jie
Affiliations: School of Computer Science and Engineering, Southeast University, Nanjing 210096, Jiangsu, China; Jiangsu Provincial Key Laboratory of Computer Network Technology, Nanjing 210096, Jiangsu, China; Key Laboratory of Computer Network and Information Integration, Ministry of Education, Nanjing 210096, Jiangsu, China
Funding: National Key Technology R&D Program of China; National Basic Research Program of China (973 Program)
Abstract: A dynamic, adaptive sampling method, IDSampling, is proposed for backbone-network intrusion detection; it uses the consumption of the memory bottleneck as its control measure. Sampling is guided by the flow-length and entropy-clustering characteristics of attack traffic, so that packets with low attack suspicion are filtered out; this "throttling" approach addresses the imbalance between performance and accuracy in 10 Gbit/s network intrusion detection. When a large-scale anomaly occurs, a single sampling strategy based on single-packet attribute entropy is used; in all other cases a feedback-guided hybrid sampling strategy is used, aiming to achieve the same detection effect at the lowest possible detection cost. Experimental results show that ① IDSampling greatly reduces the IDS input load while preserving detection accuracy for the trend information of large-scale attacks on the backbone; ② compared with random packet sampling and random flow sampling, IDSampling, guided by heuristics such as flow length, entropy clustering and later detection results, extracts attack packets more accurately than the other two methods, and under large-scale, high-intensity attacks the number of attack packets it captures is even an order of magnitude higher than with the other two methods.

Keywords: intrusion detection  single-packet attribute entropy  sampling  sample entropy

Sampling method for IDS in high bandwidth network
NING Zhuo,GONG Jian,GU Wen-jie.Sampling method for IDS in high bandwidth network[J].Journal on Communications,2009,30(11):27-36.
Authors:NING Zhuo  GONG Jian  GU Wen-jie
Abstract: A novel sampling method, IDSampling, was developed to solve the performance imbalance problem that prevents IDS from scaling well on G+bit/s links; it adapts to the consumption of the memory bottleneck. Guided by heuristic information such as the entropy of single-packet attributes and the flow length, IDSampling applies a simple sampling strategy based on single-packet attribute entropy when a large-scale anomaly occurs, and by default a more elaborate strategy instructed by the feedback of later detection results. In both cases IDSampling tries to guarantee equal security at the lowest detection cost it can. The experimental results show that ① IDSampling keeps the IDS effective by cutting its load significantly when it is overloaded, while still guaranteeing detection accuracy for large-scale attacks; ② compared with the two prevailing sampling methods, random packet sampling and random flow sampling, IDSampling samples more attack packets than either, and by one order of magnitude especially in the large-scale anomaly case.
Keywords: intrusion detection  entropy of the single-packet flow  sampling  sample entropy
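The following Python sketch is added here to illustrate the control loop the abstract describes: a memory-driven sampling budget, a switch between a single entropy-based strategy and a feedback-guided hybrid strategy, and the two strategies themselves. It is not the paper's IDSampling implementation; the packet windows, the entropy-shift threshold, the "short flow" cutoff, the linear memory rule and all function names are constructed assumptions for demonstration.

```python
"""Entropy-guided adaptive packet sampling for an overloaded IDS.
Generic illustration (not the paper's code); thresholds, field names and the
sample windows below are assumptions made for this example."""
import math
from collections import Counter

# Constructed "normal" window: 20 packets spread evenly over five services.
NORMAL_WINDOW = [
    {"src": f"10.0.0.{i % 5}", "dport": [80, 443, 53, 22, 25][i % 5], "flow": i % 5}
    for i in range(20)
]
# Constructed worm-like window: 18 distinct hosts hitting one port, 2 benign packets.
ATTACK_WINDOW = [
    {"src": f"198.51.100.{i}", "dport": 445, "flow": 100 + i} for i in range(18)
] + [
    {"src": "10.0.0.1", "dport": 80, "flow": 1},
    {"src": "10.0.0.2", "dport": 443, "flow": 2},
]


def shannon_entropy(values):
    """Entropy in bits of the empirical distribution of one packet attribute."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def sampling_budget(window_len, mem_used, mem_cap, floor=0.1):
    """Packets the IDS may keep from this window. Assumed rule: the keep
    fraction shrinks linearly as the memory bottleneck fills, never below `floor`."""
    keep_frac = max(floor, 1.0 - mem_used / mem_cap)
    return int(window_len * keep_frac)


def choose_strategy(window, baseline_entropy, attr="dport", shift=1.0):
    """'single' when the attribute entropy departs from the learned baseline by
    more than `shift` bits (treated as a large-scale anomaly), else 'hybrid'."""
    h = shannon_entropy([p[attr] for p in window])
    return "single" if abs(h - baseline_entropy) > shift else "hybrid"


def single_strategy_sample(window, budget, attr="dport", dominance=0.5):
    """Single entropy-based strategy: keep only packets carrying the dominant
    attribute value(s), i.e. the cluster that moved the entropy."""
    counts = Counter(p[attr] for p in window)
    dominant = {v for v, c in counts.items() if c / len(window) >= dominance}
    return [p for p in window if p[attr] in dominant][:budget]


def hybrid_strategy_sample(window, budget, feedback_flows, short_flow_max=2):
    """Hybrid strategy: prefer short flows (probe-like) and flows the detector
    flagged earlier (feedback); everything else is dropped to stay within budget."""
    flow_len = Counter(p["flow"] for p in window)
    chosen = [
        p for p in window
        if flow_len[p["flow"]] <= short_flow_max or p["flow"] in feedback_flows
    ]
    return chosen[:budget]


def sample_window(window, baseline_entropy, mem_used, mem_cap, feedback_flows=frozenset()):
    """One sampling round: pick a budget from memory pressure, pick a strategy
    from the entropy shift, and return (strategy, kept packets)."""
    budget = sampling_budget(len(window), mem_used, mem_cap)
    strategy = choose_strategy(window, baseline_entropy)
    if strategy == "single":
        kept = single_strategy_sample(window, budget)
    else:
        kept = hybrid_strategy_sample(window, budget, feedback_flows)
    return strategy, kept


if __name__ == "__main__":
    baseline = shannon_entropy([p["dport"] for p in NORMAL_WINDOW])
    for name, window in (("normal", NORMAL_WINDOW), ("attack", ATTACK_WINDOW)):
        strategy, kept = sample_window(window, baseline, mem_used=50, mem_cap=100,
                                       feedback_flows={2})
        print(f"{name}: strategy={strategy}, kept {len(kept)} of {len(window)} packets")
```

With memory half full the budget is 10 of 20 packets; the attack window trips the entropy shift and the single strategy returns only port-445 packets, while the normal window falls back to the hybrid strategy and keeps just the flow flagged by feedback. The direction of the entropy change depends on the attribute (scans raise destination-port entropy, floods lower destination-address entropy), which is why the switch uses the absolute deviation from the baseline.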
This article is indexed in Wanfang Data and other databases.