Abstract
To raise the intrusion detection rate and lower the false positive rate, this paper proposes an intrusion detection model based on stateful protocol analysis and an extended finite state automaton (EFSA). The model describes the state transitions of an attack with an EFSA, written as the six-tuple M = (P, Q, Σ, W, q0, F). On one hand, received packets are mapped onto protocol state transitions to build the finite state automaton, and the presence of an attack is decided by whether the automaton accepts the inspected data. On the other hand, the data to be inspected is split by protocol, which improves detection precision, reduces the amount of pattern-matching computation, and raises the detection rate. KDD CUP99 is used as the test data set; the results show that the EFSA-based detection method achieves a higher detection rate and a lower false positive rate than a detection model based on a five-tuple automaton.
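The abstract describes the two mechanisms of the model: packets are mapped onto protocol state transitions, and a sequence is flagged when the automaton does not accept it; traffic is first split by protocol so that each protocol gets its own, smaller automaton. The block below is an added example, not the paper's code. It assumes an interpretation of the six-tuple that the page does not spell out (P as the set of extended variables, W as the transition relation with a guard and an action on each edge), a simplified one-sided TCP handshake automaton, a SYN retransmission limit (MAX_SYN_RETRIES) chosen only for illustration, and a flow key of (protocol, source address); the packets are constructed.

```python
"""Added example: a small extended finite state automaton (EFSA) that maps
packets onto protocol state transitions and reports a sequence as suspicious
when the automaton does not accept it.  The reading of the six-tuple
M = (P, Q, Sigma, W, q0, F) below (P = extended variables, W = guarded
transitions) is an assumption; the paper does not define P and W here."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Packet:
    proto: str   # "tcp" or "udp"; field names are constructed for this example
    src: str     # source address, used here as a simple flow key (assumption)
    flags: str   # TCP symbol: "S", "SA", "A", "D" (payload), "F"; "" for UDP


Vars = Dict[str, int]
Guard = Callable[[Vars, Packet], bool]
Action = Callable[[Vars, Packet], None]


@dataclass
class EFSA:
    states: Set[str]                                            # Q
    symbols: Set[str]                                           # Sigma
    transitions: Dict[Tuple[str, str], Tuple[Guard, Action, str]]  # W
    start: str                                                  # q0
    finals: Set[str]                                            # F
    init_vars: Vars = field(default_factory=dict)               # P

    def run(self, symbol_of: Callable[[Packet], str], packets: List[Packet]) -> Tuple[bool, str]:
        """Feed packets through the automaton; (False, reason) means 'not accepted'."""
        state, vars_ = self.start, dict(self.init_vars)
        for pkt in packets:
            sym = symbol_of(pkt)
            if sym not in self.symbols:
                return False, f"unknown symbol {sym!r} in state {state}"
            edge = self.transitions.get((state, sym))
            if edge is None:
                return False, f"no transition on {sym!r} from state {state}"
            guard, action, nxt = edge
            if not guard(vars_, pkt):
                return False, f"guard rejected {sym!r} in state {state} (vars={vars_})"
            action(vars_, pkt)
            state = nxt
        return state in self.finals, f"ended in state {state}"


def TRUE(v: Vars, p: Packet) -> bool:
    return True


def NOP(v: Vars, p: Packet) -> None:
    return None


MAX_SYN_RETRIES = 3  # assumed threshold for this example, not from the paper


def build_tcp_efsa() -> EFSA:
    """One-sided, simplified TCP session automaton with one extended variable."""
    def reset(v: Vars, p: Packet) -> None:
        v["syn_retries"] = 0

    def count_syn(v: Vars, p: Packet) -> None:
        v["syn_retries"] += 1

    def under_limit(v: Vars, p: Packet) -> bool:
        return v["syn_retries"] < MAX_SYN_RETRIES

    return EFSA(
        states={"CLOSED", "SYN_SENT", "SYN_RCVD", "ESTABLISHED", "FIN_WAIT"},
        symbols={"S", "SA", "A", "D", "F"},
        transitions={
            ("CLOSED", "S"): (TRUE, reset, "SYN_SENT"),
            ("SYN_SENT", "S"): (under_limit, count_syn, "SYN_SENT"),  # retransmitted SYN
            ("SYN_SENT", "SA"): (TRUE, NOP, "SYN_RCVD"),
            ("SYN_RCVD", "A"): (TRUE, NOP, "ESTABLISHED"),
            ("ESTABLISHED", "D"): (TRUE, NOP, "ESTABLISHED"),
            ("ESTABLISHED", "F"): (TRUE, NOP, "FIN_WAIT"),
            ("FIN_WAIT", "A"): (TRUE, NOP, "CLOSED"),
        },
        start="CLOSED",
        finals={"CLOSED", "ESTABLISHED"},
        init_vars={"syn_retries": 0},
    )


def build_udp_efsa() -> EFSA:
    """UDP has no session state: a single state that accepts every datagram."""
    return EFSA(states={"OPEN"}, symbols={"U"},
                transitions={("OPEN", "U"): (TRUE, NOP, "OPEN")},
                start="OPEN", finals={"OPEN"})


def symbol_of(pkt: Packet) -> str:
    return pkt.flags if pkt.proto == "tcp" else "U"


AUTOMATA = {"tcp": build_tcp_efsa(), "udp": build_udp_efsa()}


def inspect(packets: List[Packet]) -> Dict[Tuple[str, str], Tuple[bool, str]]:
    """Split traffic by protocol (and flow), then run each flow through its automaton."""
    flows: Dict[Tuple[str, str], List[Packet]] = {}
    for pkt in packets:
        flows.setdefault((pkt.proto, pkt.src), []).append(pkt)
    results: Dict[Tuple[str, str], Tuple[bool, str]] = {}
    for key, pkts in flows.items():
        efsa = AUTOMATA.get(key[0])
        results[key] = efsa.run(symbol_of, pkts) if efsa else (False, "unsupported protocol")
    return results


SAMPLE = [  # constructed packets
    Packet("tcp", "10.0.0.1", "S"), Packet("tcp", "10.0.0.1", "SA"),
    Packet("tcp", "10.0.0.1", "A"), Packet("tcp", "10.0.0.1", "D"),      # normal session
    Packet("tcp", "10.0.0.2", "A"), Packet("tcp", "10.0.0.2", "D"),      # data without handshake
    *[Packet("tcp", "10.0.0.3", "S") for _ in range(5)],                 # SYNs over the assumed limit
    Packet("udp", "10.0.0.4", ""),
]

if __name__ == "__main__":
    for key, (accepted, why) in inspect(SAMPLE).items():
        print(f"{key}: {'accepted' if accepted else 'NOT accepted'} ({why})")
```

Only flows whose packet sequence is accepted by the protocol's automaton are treated as normal; the out-of-order flow and the flow exceeding the guard are reported with the state in which they failed. Because each protocol has its own automaton, the TCP automaton never has to consider UDP symbols, which is the reduction in matching work the abstract refers to.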
Authors
吴冬惠
杨印根
李成林
吴菲
WU Dong-hui, YANG Yin-gen, LI Cheng-lin, WU Fei (College of Computer Information Engineering, Jiangxi Normal University, Nanchang 330022, China)
Source
Computer Knowledge and Technology (《电脑知识与技术》), 2015, No. 1, pp. 38-41, 50 (4 pages)
Keywords
EFSA model
Stateful protocol analysis
Pattern matching
False positive rate