摘要
目前的入侵检测技术本身存在着缺陷,比如特征检测中规则库不完备,异常检测模型中模型与实际攻击不完全符合等。由这些缺陷而导致的误报和漏报是制约其发展的重要瓶颈。Honeypot/net是一种新的安全技术,通过部署蜜罐收集攻击信息,再把这些信息加以整理传送给IDS,可以弥补入侵检测技术的一些缺点,从而降低IDS的误报率和漏报率。分析了这一设想的可行性,并提出了设计方案。此方案中包括一个Honeynet Software,它联系Honeynet控制台和NIDS控制台,完成其中提取新模式、传递攻击信息等功能。并利用DARPA(1999)数据集对系统进行了评测,结果表明其在DOS、PROBE、U2R及U2L几个类型攻击方面与其他NIDS相比有着较低的误报率;通过对几个检测实例的分析,说明了这一系统在检测新型攻击、加密后的攻击、DDoS方面比原NIDS有较大的优势。
There are inherent drawbacks in IDS. False negative and False positive are choke points that cumber the development of IDS. Honeypot is a new technology that can effectively enhance IDS' adaptation to new attacks. The feasibility that IDS collaborates with IDS to detect new attacks is analyzed, and a novel system architecture for honeynet to assist IOS to decrease its rate of False negative and False positive is presented. Free softwares are used to evaluate the total system with DARPA (1999) datasets. Experimental results show that this system has lower false alarm rate in DOS, PROBE, U2R and U2L attacks than other NIDS ,and it has special advantage over other NIDS in the aspects of new attack detection, DDoS attack and encrypted attack detection.
出处
《计算机应用与软件》
CSCD
北大核心
2008年第4期265-268,共4页
Computer Applications and Software
