摘要
误用入侵检测系统的检测能力在很大程度上取决于攻击特征的数量和质量.该文提出一种基于多序列联配的攻击特征自动提取方法:首先将可疑的网络数据流转化为序列加入到可疑数据池中;通过聚类将这些序列分为若干类别;最后利用该文提出的多序列联配算法对同一类中的序列进行联配,并以产生的结果代表一类攻击的特征.该方法的核心是该文提出的两种序列联配算法:奖励相邻匹配的全局联配算法CMENW(Contiguous-Matches Encouraging Needleman-Wunsch)和层次式多序列联配算法HMSA(Hierarchical Multi-Sequence Align-ment).CMENW算法克服了Needleman-Wunsch算法易产生碎片的问题,使得连续的特征片段能够尽量地予以保留;HMSA算法以层次式策略对多序列进行联配,支持通配符,并带有剪枝功能.该方法可以自动地提取包括变形病毒和缓冲区溢出在内的新攻击的特征,其主要优点是:(1)产生的攻击特征包含位置相关信息,因而相对传统的方法结果更加准确;(2)具有良好的抗噪能力.
The detection capability of misuse IDS is dependent on the number and quality of attack signatures. This paper presents an attack signatures automatic generation approach, based on multi-sequence alignment: The suspicious flows are transferred into sequences and added to a suspicious traffic pool; with clustering, these sequences are divided into several clusters; by exploiting the proposed sequence alignment algorithms, the sequences from certain cluster are aligned and one signature that represents one type of attack is generated. The point of the approach is a global alignment algorithm-CMENW (Contiguous-Matches Encouraging Needleman- Wunsch) and a multi-sequence alignment algorithm-HMSA (Hierarchical Multi-Sequence Alignment). By encouraging contiguous bytes to be aligned together, CMENW reduces the influence of fragments in the process of alignment; HMSA algorithm is characterized by wildcard characters supporting and pruning function. The main advantages of the authors' approach are. (1) The generated signatures consist of position information which is reserved during alignments; (2) Have robustness against noises.
出处
《计算机学报》
EI
CSCD
北大核心
2006年第9期1533-1541,共9页
Chinese Journal of Computers
基金
国家自然科学基金(60573136)
国家"八六三"高技术研究发展计划项目基金(2005AA121570)
现代通信国家重点实验室基金(51436050605KG0102)资助.
关键词
攻击特征提取
入侵检测
序列联配
变形蠕虫
缓冲区溢出攻击
attack signatures generation
intrusion detection
sequence alignment
polymorphic worms
buffer overflow
