入侵检测中的归纳学习方法

Inductive Learning in Intrusion Detection

结合使用着色Petri网和EDL语言描述攻击模型,该文给出了使用归纳学习对攻击模型进行泛化和特化操作,泛化后的模型可以检测出与已知攻击实例类似的未知攻击行为,实现了攻击知识库进行自动更新和扩展的方法。攻击实例首先使用EDL语言表述为一个攻击实例模型,对实例模型进行泛化得到攻击实例的3层概念空间,进而转化为着色Petri网模型,利用着色Petri网的运行机制对攻击行为进行检测。实验结果表明该方法对于具有相似攻击行为的未知攻击的检测非常有效。

This paper proposes the method for generalization and specialization of attack pattern using inductive learning, which can be used updating and expanding knowledge database. The attack pattern is established from an example by using the colored Petri net and EDL, after generalization it can be used to detect unknown attacks whose behavior are similar to the example. In practice the attack pattern first described by EDL from an example, then the pattern is generalized thus the concept spaces of attack are given and they can be transformed to Colored Petri net, when detection searches the intrusion from the top down by virtue of the concept space of the attack pattern. In fact the concept space of pattern indicates a depth-first search way.