摘要
异常入侵检测系统在训练阶段建立对象的正常行为模型,在测试阶段把它与对象的行为进行比较,如果出现了大于给定域值的偏差,就认为发生了入侵.通常建立对象正常行为模型的方法是用没有入侵的数据训练系统.这种方法存在实用性和可靠性方面的缺陷人工合成的训练数据基本可以保证没有攻击,但它与入侵检测系统将要实际工作的环境有很大的差别;而从实际使用环境提取的训练数据又不能保证不含有攻击.本文提出了一种基于网络的非纯净训练数据的异常入侵检测方法ADNTD(Anomaly Detection for Noisy Training Data),它通过过滤训练数据中的低概率特征域的方法过滤掉训练数据中的攻击数据并建立网络的正常行为模型,以保证即使训练数据含有攻击的情况下仍能取得较好的检测效果.实验结果显示在训练数据含有攻击时,ADNTD的性能明显好于以前的系统;在采用纯净数据训练时,ADNTD也具有与以前的系统相当的性能;ADNTD用带有攻击的数据训练的情况下仍能达到以前的同类系统用纯净数据训练相同的检测性能.
Generally, in anomaly detection, Object's normal behavior model is built from training data without intrusions. But this kind of training data is not easy to get: First, if the data is produced by synthesis, it will be different from real data of target environment; if the data is obtained from target environment, it is difficult to ensure the data does not contain intrusions. In this paper, by exploiting the different probability distributions of intrusion and normal traffic in training data, a new network-based anomaly intrusion detection method is proposed. Compared with previous schemes, empirical experiments showing that with training data containing intrusions, the proposed method has higher detection rates. At the same time, for clean training data, the proposed method shows compared performance with previous schemes.
出处
《小型微型计算机系统》
CSCD
北大核心
2006年第3期437-441,共5页
Journal of Chinese Computer Systems
基金
国家自然科学基金项目(60373088)资助
国防研究基金项目(4131605)资助.
关键词
非纯净训练数据
入侵检测
异常检测
网络安全
noisy training data
intrusion detection
anomaly detection
network security
