摘要
入侵检测是网络安全领域的研究热点,协议异常检测更是入侵检测领域的研究难点.提出一种新的基于隐Markov模型(HMM)的协议异常检测模型.这种方法对数据包的标志位进行量化,得到的数字序列作为HMM的输入,从而对网络的正常行为建模.该模型能够区分攻击和正常网络数据.模型的训练和检测使用DARPA1999年的数据集,实验结果验证了所建立模型的准确性,同现有的基于Markov链(Markov chain)的检测方法相比,提出的方法具有较高的检测率.
Protocol anomaly detection, a new technique of anomaly detection, has great research value. Its incorporation with hidden Markov model (HMM) is still in infancy. In order to investigate the capabilities of hidden Markov model in this area, a protocol anomaly detection model based on HMM is given in this work. Firstly, an overview of anomaly detection is presented with emphasis on the issues about protocol anomaly detection. Then, a novel protocol anomaly detection model based on HMM is proposed. This method filters incoming TCP traffic by destination ports and then quantizes network flags into decimal numbers. These numbers are classified into sequences which are used as inputs of HMMs by TCP connections. Detection models based on HMM representing normal network behaviors are trained by Baum-Welch method. Finally, the models' correctness and effectiveness is demonstrated by using forward method on MIT Lincoln Laboratory 1999 DARPA intrusion detection evaluation data set. Forward method is used here to compute the probability of a connection. Threshold K is designed to control detection rate. By comparing the probability with threshold K, this protocol anomaly detection model could find whether the traffic is normal or containing some sort of anomaly. Experimental results show that the model based on HMM has higher detection rates on attacks than the Markov chain detection method.
出处
《计算机研究与发展》
EI
CSCD
北大核心
2010年第4期621-627,共7页
Journal of Computer Research and Development
基金
国家自然科学基金项目(60442002)
北京交通大学校科技基金项目(2006XM007)~~
