摘要
利用机器学习算法,如SVM、神经网络等,进行入侵检测已取得很大进展,但检测结果难于理解的问题已影响到这些检测算法的广泛使用.文章在对已知的关联算法进行比较分析的基础上,提出了一种针对入侵检测结果的实时规则在线生成方法,以提高对检测结果的理解,降低入侵所带来的损失.在定义局部支持度、全局可信度、CI-Tree和IX-Tree树结构的基础上,设计了直接产生仅与当前发生的攻击相关的规则集的规则生成算法.该方法解决了当前主流关联规则生成算法应用到入侵检测结果集的过程中所存在的多遍扫描(至少两遍)、攻击数据的非均衡分布所带来的大量无效规则的产生和两阶段规则生成方法使得在第一阶段产生了众多与最后生成的规则集无关的频繁集等问题.经过实验表明,文中所提出的方法在规则生成和时间效率方面都显示出了良好的性能.
Progress has been made in using machine learning techniques such as SVM and neural networks for intrusion detection, but the non-understandable detection results have prevented those algorithms from being thoroughly utilized. In this paper, the authors put forward a novel huge-data oriented method, which was based on the popular association rules extraction algorithm and targeted at the result of intrusion detection, to build real-time rules for enhancing the understanding of detection results and therefore decrease possible loss. The algorithm, by introducing local support, global confidence, CI-Tree and IX-Tree structure, employed these tree structures to build online rules for currently active intrusion. This algorithm solved a number of problems that exist in applying association rules algorithm to intrusion detection. (1)multi-scan (twice at least); (2)mass useless rules due to unbalanced distribution of attacking data; (3)unwanted frequent set produced in the old two-phase rule-building method. Experimental results have demonstrated the method's good performance in both rule building efficacy and time efficiency.
出处
《计算机学报》
EI
CSCD
北大核心
2006年第9期1523-1532,共10页
Chinese Journal of Computers
基金
江苏省自然科学基金(BK2002073
60373064)
国家"八六三"高技术研究发展计划项目基金(2003AA142010)资助
关键词
规则生成
入侵检测
关联规则
分类规则
rule generation
intrusion detection
association rules
classification rules
