Detecting network intrusions by data mining and variable-length sequence pattern matching 被引量：2

Detecting network intrusions by data mining and variable-length sequence pattern matching

下载PDF

导出

摘要 Anomaly detection has been an active research topic in the field of network intrusion detection for many years. A novel method is presented for anomaly detection based on system calls into the kernels of Unix or Linux systems. The method uses the data mining technique to model the normal behavior of a privileged program and uses a variable-length pattern matching algorithm to perform the comparison of the current behavior and historic normal behavior, which is more suitable for this problem than the fixed-length pattern matching algorithm proposed by Forrest et al. At the detection stage, the particularity of the audit data is taken into account, and two alternative schemes could be used to distinguish between normalities and intrusions. The method gives attention to both computational efficiency and detection accuracy and is especially applicable for on-line detection. The performance of the method is evaluated using the typical testing data set, and the results show that it is significantly better than the anomaly detection method based on hidden Markov models proposed by Yan et al. and the method based on fixed-length patterns proposed by Forrest and Hofmeyr. The novel method has been applied to practical hosted-based intrusion detection systems and achieved high detection performance. Anomaly detection has been an active research topic in the field of network intrusion detection for many years. A novel method is presented for anomaly detection based on system calls into the kernels of Unix or Linux systems. The method uses the data mining technique to model the normal behavior of a privileged program and uses a variable-length pattern matching algorithm to perform the comparison of the current behavior and historic normal behavior, which is more suitable for this problem than the fixed-length pattern matching algorithm proposed by Forrest et al. At the detection stage, the particularity of the audit data is taken into account, and two alternative schemes could be used to distinguish between normalities and intrusions. The method gives attention to both computational efficiency and detection accuracy and is especially applicable for on-line detection. The performance of the method is evaluated using the typical testing data set, and the results show that it is significantly better than the anomaly detection method based on hidden Markov models proposed by Yan et al. and the method based on fixed-length patterns proposed by Forrest and Hofmeyr. The novel method has been applied to practical hosted-based intrusion detection systems and achieved high detection performance.

作者 Tian Xinguang Duan Miyi Sun Chunlai Liu Xin

机构地区 Inst. of Computing Technology Inst. of Computing Technology

出处《Journal of Systems Engineering and Electronics》 SCIE EI CSCD 2009年第2期405-411,共7页 系统工程与电子技术（英文版）

基金 supported by the National Grand Fundamental Research "973" Program of China (2004CB318109) the National High-Technology Research and Development Plan of China (2006AA01Z452) the National Information Security "242"Program of China (2005C39).

关键词 intrusion detection anomaly detection system call data mining variable-length pattern intrusion detection, anomaly detection, system call, data mining, variable-length pattern

分类号 TP393.08 [自动化与计算机技术—计算机应用技术] TP311.56 [自动化与计算机技术—计算机软件与理论]

引文网络
相关文献

参考文献4

1TIAN Xin-guang,GAO Li-zhi,SUN Chun-lai,DUAN Mi-yi,ZHANG Er-yang.A Method for Anomaly Detection of User Behaviors Based on Machine Learning[J].The Journal of China Universities of Posts and Telecommunications,2006,13(2):61-65. 被引量：4
2连一峰,戴英侠,王航.基于模式挖掘的用户行为异常检测[J].计算机学报,2002,25(3):325-330. 被引量：84
3YANG Geng,RONG Chun-ming,PENG Lei.A Novel Approach for Redirecting Module in Honeypot Systems[J].The Journal of China Universities of Posts and Telecommunications,2005,12(3):58-62. 被引量：2
4田新广,高立志,张尔扬.新的基于机器学习的入侵检测方法[J].通信学报,2006,27(6):108-114. 被引量：15

二级参考文献19

1杨武,方滨兴,云晓春,张宏莉,胡铭曾.一种高性能分布式入侵检测系统的研究与实现[J].北京邮电大学学报,2004,27(4):83-86. 被引量：14
2YANG Geng,RONG Chun-ming,PENG Lei.A Novel Approach for Redirecting Module in Honeypot Systems[J].The Journal of China Universities of Posts and Telecommunications,2005,12(3):58-62. 被引量：2
3[1]Lee Wenke, Stolfo S J. Data mining approaches for intrusion detection. In: Proc the 7th USENIX Security Symposium, San Antonio, TX, 1998
4[2]Lee Wenke, Stolfo S J, Mok K W. A data mining framework for building intrusion detection models. In: Proc the 1999 IEEE Symposium on Security and Privacy, Berkely, California, 1999. 120-132
5[3]Lee Wenke. A data mining framework for constructing features and models for intrusion detection systems[Ph D dissertation]. Columbia University, 1999
6[4]Paxson Vern. Bro: A system for detecting network intruders in real-time. In: Proc the 7th USENIX Security Symposium, San Antonio, TX, 1998
7[5]Agrawal Rakesh, Srikant Ramakrishnan. Fast algorithms for mining association rules. In: Proc the 20th International Conference on Very Large Databases, Santiago, Chile, 1994
8[6]Agrawal Rakesh, Srikant Ramakrishnan. Mining sequential patterns. IBM Almaden Research Center, San Jose, California:Research Report RJ 9910, 1994
9[7]Chen M, Han J, Yu P. Data mining: An overview from database perspective. IEEE Trans Knowledge and Data Engineeing, 1996,8(6):866-883
10LANE T.Machine Learning Techniques for the Computer Security Domain of Anomaly Detection[D].Purdue University,2000.

共引文献96

1刘玉葆,蔡嘉荣,印鉴,黄志兰.基于最大访问模式挖掘的数据库异常行为检测[J].计算机研究与发展,2006,43(z3):271-275.
2赵军民,张芳芳.入侵检测系统研究[J].光盘技术,2008(1):33-35.
3陈雅娴,袁津生,郭敏哲.基于行为异常的Symbian蠕虫病毒检测方法[J].计算机系统应用,2008,17(11):49-52. 被引量：5
4胡笑蕾,胡华平,宋世杰.数据挖掘算法在入侵检测系统中的应用[J].计算机应用研究,2004,21(7):88-90. 被引量：7
5马传香,李庆华,蒋盛益.基于异常检测的模糊行为序列挖掘算法研究[J].计算机应用研究,2005,22(1):44-46.
6连一峰.分布式入侵检测系统的协作交互研究[J].中国科学院研究生院学报,2005,22(2):202-209. 被引量：4
7谢沙天,方跃春.高密度海量存储器的现实探讨[J].中国科技信息,2005(5):77-77.
8杨天奇.一种基于反馈神经网络的异常检测方法[J].计算机应用,2005,25(4):844-845. 被引量：1
9张巍.基于数据挖掘技术的智能化入侵检测模型[J].计算机工程,2005,31(8):134-136. 被引量：2
10罗芳,蒲秋梅.关联规则在移动通信行业中的应用[J].武汉理工大学学报（信息与管理工程版）,2005,27(2):174-177. 被引量：1

同被引文献10

1马占欣,王新社,黄维通,陆玉昌.对最小置信度门限的置疑[J].计算机科学,2007,34(6):216-218. 被引量：5
2张一嘉.局域网链路层数据帧识别算法的设计与实现[J].通信对抗,2007(4):41-44. 被引量：12
3刘兴彬,杨建华,谢高岗,胡玥.基于Apriori算法的流量识别特征自动提取方法[J].通信学报,2008,29(12):51-59. 被引量：39
4裴颂文,吴百锋.动态自适应特征权重的多类文本分类算法研究[J].计算机应用研究,2011,28(11):4092-4096. 被引量：9
5白彧,杨晓静,张玉.基于高阶统计处理技术的m-序列帧同步码识别[J].电子与信息学报,2012,34(1):33-37. 被引量：24
6王祥斌.数据挖掘技术在入侵检测系统中的应用研究[J].计算机测量与控制,2012,20(2):321-323. 被引量：11
7Jiang-Hui Cai,Xu-Jun Zhao,Shi-Wei Sun,Ji-Fu Zhang,Hai-Feng Yang.Stellar spectra association rule mining method based on the weighted frequent pattern tree[J].Research in Astronomy and Astrophysics,2013,13(3):334-342. 被引量：4
8张昆朋,甘文丽,李元臣.Master-Worker模式的并行关联规则挖掘算法[J].计算机测量与控制,2013,21(4):1008-1010. 被引量：2
9张文博,姬红兵,王磊.一种自适应权值的多特征融合分类方法[J].系统工程与电子技术,2013,35(6):1133-1137. 被引量：11
10Vijay Naidu,Jacqueline Whalley,Ajit Narayanan.Exploring the Effects of Gap-Penalties in Sequence-Alignment Approach to Polymorphic Virus Detection[J].Journal of Information Security,2017,8(4):296-327. 被引量：1

引证文献2

1琚玉建,谢绍斌,张薇.基于自适应权值的数据报指纹特征识别与发现[J].计算机测量与控制,2014,22(7):2288-2290. 被引量：8
2Vijay Naidu,Jacqueline Whalley,Ajit Narayanan.Generating Rule-Based Signatures for Detecting Polymorphic Variants Using Data Mining and Sequence Alignment Approaches[J].Journal of Information Security,2018,9(4):265-298.

二级引证文献8

1常峰,贺元骅.基于Auto Encoder的智能监控指纹识别系统[J].中国测试,2015,41(8):71-74.
2雷东,王韬,赵建鹏,马云飞.面向比特流的未知协议识别与分析技术综述[J].计算机应用研究,2016,33(11):3206-3210. 被引量：4
3雷东,王韬,王晓晗,马云飞.基于前导码挖掘的未知协议帧切分算法[J].计算机应用,2017,37(2):440-444. 被引量：2
4金石,王攀.家庭WiFi下手机号码特征自动提取方法[J].电信快报（网络与通信）,2017(4):31-36.
5曹成宏,雷迎科.面向比特流的链路层未知帧分析技术综述[J].小型微型计算机系统,2018,39(2):297-303. 被引量：3
6黄学波,徐正国,燕继坤.基于Simhash的协议数据高频相似序列提取算法[J].计算机工程与应用,2020,56(16):199-203. 被引量：2
7张永旺,欧振国,彭强,黄博伟,舒晔,邓珊,刘海斌.10kV高压互感器的接入及自动化检定方法[J].信息技术,2021,45(5):44-50.
8刘岩,袁瑞铭,郑思达,杨晓坤,王玉君.应用DBN深度学习算法的电能计量反窃电技术研究[J].计算技术与自动化,2021,40(4):151-155. 被引量：6

1SONG Tian,WANG DongSheng,TANG ZhiZhong.A parameterized multilevel pattern matching architecture on FPGAs for network intrusion detection and prevention[J].Science in China(Series F),2009,52(6):949-963. 被引量：1
2Saravanan Subramanian,Vijay Bhanu Srinivasan,Chandrasekaran Ramasamy.Study on Classification Algorithms for Network Intrusion Systems[J].通讯和计算机（中英文版）,2012,9(11):1242-1246. 被引量：5
3Youxi WU,Cong SHEN,He JIANG,Xindong WU.Strict pattern matching under non-overlapping condition[J].Science China(Information Sciences),2017,60(1):1-16. 被引量：4
4Yi Junkai Tang Shuo Li Hui.Data Recovery Based on Intelligent Pattern Matching[J].China Communications,2010,7(6):107-111. 被引量：1
5陶智.NIPS的五“指”理论[J].软件世界,2007(19):63-64.
6陶智.网络入侵防御系统的五“指”理论[J].计算机安全,2006(9):46-47.
7陶智.五“指”要素评判NIPS[J].网管员世界,2006(8):119-121.
8卢永菁,王东.基于GPU的高速网络入侵检测系统设计[J].计算机工程与应用,2011,47(33):78-81. 被引量：1
9吴信东,强继朋,谢飞.Pattern Matching with Flexible Wildcards[J].Journal of Computer Science & Technology,2014,29(5):740-750. 被引量：1
10刘孙俊,王电刚,杨频,张建华.基于免疫多智能体的网络入侵主动防御模型[J].武汉大学学报（信息科学版）,2008,33(10):1055-1058. 被引量：5

Journal of Systems Engineering and Electronics

2009年第2期

浏览历史

内容加载中请稍等...