摘要
An intrusion detection (ID) model is proposed based on the fuzzy data mining method. A major difficulty of anomaly ID is that patterns of the normal behavior change with time. In addition, an actual intrusion with a small deviation may match normal patterns. So the intrusion behavior cannot be detected by the detection system.To solve the problem, fuzzy data mining technique is utilized to extract patterns representing the normal behavior of a network. A set of fuzzy association rules mined from the network data are shown as a model of “normal behaviors”. To detect anomalous behaviors, fuzzy association rules are generated from new audit data and the similarity with sets mined from “normal” data is computed. If the similarity values are lower than a threshold value,an alarm is given. Furthermore, genetic algorithms are used to adjust the fuzzy membership functions and to select an appropriate set of features.
提出了一个基于模糊数据挖掘的入侵模型。异常检测的一个主要问题是正常模式随时间变化。如果一个实际的入侵行为稍有偏差就有可能与正常的模式相匹配,而异常检测系统则无法检测到这种入侵行为。为解决这个问题,本文利用模糊数据挖掘技术建立正常模式,并用一组模糊关联规则表示。在进行异常检测时,利用新的审计数据挖掘当前模糊关联规则,并计算其与正常模式的相似度,如相似度低于规定的阈值,使其产生入侵警报。最后,文中利用遗传算法优化模糊成员函数来选择其参数。
基金
国家"九七三"计划(G1999032701)资助项目。~~
