摘要
网络异常检测技术是入侵检测领域研究的热点内容,但由于存在着误报率较高、检测攻击范围不够全面、检测效率不能满足高速网络实时检测需求等问题,并未在实际环境中得以大规模应用.基于D-S证据理论,提出了一种网络异常检测方法,能够融合多个特征对网络流量进行综合评判,有效地降低了误报率和漏报率,并引入自适应机制,以保证在实时动态变化的网络中的检测准确度.另外,选取计算代价小的特征以及高效的融合规则,保证了算法的性能满足高速检测的要求.该方法已实现为网络入侵检测原型系统中的异常检测模块.通过DARPA1999年IDS基准评测数据的实验评测表明,该方法在低误报率的前提下,达到了69%的良好检测率,这一结果优于DARPA1999年入侵检测系统评测优胜者EMERALD的50%检测率和同期的一些相关研究成果.
Network anomaly detection has been an active research topic in the field of Intrusion Detection for many years, however, it hasn't been widely applied in practice due to some issues. The issues include high false alarm rate, limited types of attacks the approach can detect, and that such approach can't perform real -time intrusion detection in high speed networks. This paper presents a network anomaly detector based on Dempster -Sharer (D-S) evidence theory. The detector fuses multiple features of network traffic to decide whether the network flow is normal, and by such fusion it achieves low false alarm rate and missing rate. It also incorporates some self -adaptation mechanisms to yield high accuracy of detection in dynamic networks. Furthermore, light-computation features are used to develop an efficient fusion mechanism to guarantee high performance of the algorithm. On the 1999 DARPA/Lincoln Laboratory intrusion detection evaluation data set, this detector detects 69% attacks at low false alarm rate. Such result is better than the 50% detection rate of EMERALD --the winner of 1999 DARPA/Lincoln Laboratory intrusion detection evaluation, and results from other research projects.
出处
《软件学报》
EI
CSCD
北大核心
2006年第3期463-471,共9页
Journal of Software
基金
国家"十五"科技攻关计划
微软学者计划
IBM 博士生英才计划~~
关键词
入侵检测
异常检测
D-S理论
证据理论
数据融合
intrusion detection
anomaly detection
D-S theory
evidence theory
data fusion
