Anomaly-based Terminal-level Intrusion Detection
Cite as: XIONG Wen-Ding, LUO Kai-Lun, LI Rui. Anomaly-based Terminal-level Intrusion Detection[J]. Computer Systems & Applications, 2023, 32(2): 181-189
Authors: XIONG Wen-Ding, LUO Kai-Lun, LI Rui
Affiliation: School of Cyberspace Security, Dongguan University of Technology, Dongguan 523808, China
Funding: National Key Research and Development Program of China (2021YFB3101300); National Natural Science Foundation of China, General Program (61972089)
Received: 2022-06-12
Revised: 2022-07-11

Abstract: Intrusion detection is a primary technical means of protecting computers and has been widely studied because it adapts well and can recognise previously unseen attacks; its main bottleneck is that neither the recognition rate nor the false-alarm rate is easy to guarantee. To raise the recognition rate and lower the false-alarm rate of anomaly-based detection, this study proposes a terminal-level intrusion detection algorithm (TL-IDA). In the preprocessing stage the terminal log is cut into consecutive short command sequences, and common statistical indicators are used to build a feature vector for each sequence; TL-IDA then models each user from these feature vectors. On this basis, a sliding-window discrimination method is proposed to decide whether the system is under attack, which further improves the detector's performance. Experiments show that TL-IDA reaches an average recognition rate of 83% and a false-alarm rate of 15%, better than comparable anomaly-based terminal-level intrusion detection algorithms such as ADMIT and the hidden Markov model method.
Keywords: computer security; anomaly technique; dynamic clustering; terminal-level intrusion detection; sliding window discrimination method
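The abstract describes a pipeline (cut the terminal log into fixed-size command blocks, describe each block with statistical features, profile the user from those features, then apply a sliding-window vote before alarming) without giving its details. The following is an added illustration of that pipeline written for this page; it is not the authors' TL-IDA code. The three features, the single mean/standard-deviation profile that stands in for the paper's dynamic clustering, the threshold rule, the block size and window parameters are all our own assumptions, and the command logs are constructed, not real user data.

```python
"""
Illustrative terminal-log anomaly detector: segment a command stream into
fixed-size blocks, describe each block with a few statistical features,
profile the user from training blocks, and raise an alarm only when enough
of the most recent blocks look anomalous (sliding-window discrimination).
Added example for this page, not the TL-IDA implementation; features,
profile model, thresholds and the logs below are assumptions/constructed.
"""
import math
from collections import Counter

BLOCK_SIZE = 8   # commands per block (assumed value)
WINDOW = 3       # recent blocks examined by the sliding window (assumed)
VOTES = 2        # anomalous blocks in the window needed to raise an alarm (assumed)

# Constructed training log for one user (48 commands = 6 blocks).
TRAIN_LOG = (
    "cd ls vim make make python git ls "
    "ls cat grep vim vim make python git "
    "cd ls ls vim make python python git "
    "git ls cd vim make cat grep python "
    "ls vim vim make python git git cd "
    "cat grep ls cd vim make python ls"
).split()

# Constructed held-out normal session for the same user (3 blocks).
NORMAL_LOG = (
    "cd ls vim make python git ls cat "
    "ls grep cat vim vim make python git "
    "ls cd vim make make python git ls"
).split()

# Constructed session: one normal block, two blocks of unfamiliar tooling, one normal block.
ATTACK_LOG = (
    "cd ls vim make python git ls cat "
    "wget chmod curl nc bash sudo curl chmod "
    "sudo useradd passwd cat nc nc crontab scp "
    "ls grep cat vim vim make python git"
).split()


def segment(commands, block_size=BLOCK_SIZE):
    """Cut a command stream into consecutive, non-overlapping blocks (trailing remainder dropped)."""
    return [commands[i:i + block_size]
            for i in range(0, len(commands) - block_size + 1, block_size)]


def features(block, freq):
    """Feature vector for one block: [distinct-command ratio, mean log-probability of
    each command under the user's historical distribution, command entropy in bits]."""
    n = len(block)
    counts = Counter(block)
    floor = min(freq.values()) / 2          # smoothed probability for never-seen commands
    distinct_ratio = len(counts) / n
    mean_logp = sum(math.log(freq.get(c, floor)) for c in block) / n
    entropy = -sum((k / n) * math.log2(k / n) for k in counts.values())
    return [distinct_ratio, mean_logp, entropy]


def standardized_distance(vec, mean, std):
    """Euclidean distance in z-score space, so every feature counts on the same scale."""
    return math.sqrt(sum(((v - m) / s) ** 2 for v, m, s in zip(vec, mean, std)))


def fit_profile(train_commands, margin=1.5):
    """Build the user profile: command frequencies, per-feature mean/std over training
    blocks, and a distance threshold set above the largest training-block distance."""
    freq = {c: k / len(train_commands) for c, k in Counter(train_commands).items()}
    vecs = [features(b, freq) for b in segment(train_commands)]
    dim = len(vecs[0])
    mean = [sum(v[i] for v in vecs) / len(vecs) for i in range(dim)]
    # std floor avoids division by zero when a feature is constant in training
    std = [max(math.sqrt(sum((v[i] - mean[i]) ** 2 for v in vecs) / len(vecs)), 1e-6)
           for i in range(dim)]
    threshold = margin * max(standardized_distance(v, mean, std) for v in vecs)
    return {"freq": freq, "mean": mean, "std": std, "threshold": threshold}


def score_stream(profile, commands):
    """Return (distance, is_anomalous) for each block of a new session."""
    out = []
    for block in segment(commands):
        d = standardized_distance(features(block, profile["freq"]),
                                  profile["mean"], profile["std"])
        out.append((d, d > profile["threshold"]))
    return out


def sliding_window_alarms(flags, window=WINDOW, votes=VOTES):
    """Sliding-window discrimination: alarm at block i when at least `votes` of the
    last `window` block flags (ending at i) are anomalous; a lone outlier is ignored."""
    return [i for i in range(len(flags))
            if sum(flags[max(0, i - window + 1):i + 1]) >= votes]


if __name__ == "__main__":
    profile = fit_profile(TRAIN_LOG)
    for name, log in (("normal", NORMAL_LOG), ("attack", ATTACK_LOG)):
        scored = score_stream(profile, log)
        print(name, [round(d, 2) for d, _ in scored],
              "alarms at blocks", sliding_window_alarms([f for _, f in scored]))
```

Two points carry over to any real deployment of this scheme: the mean log-probability feature is what makes blocks of unfamiliar commands stand out, so the smoothing value for unseen commands directly sets the detector's sensitivity, and the window/vote pair trades detection delay for fewer false alarms, which is the mechanism the abstract credits for the improved error rates.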