基于数据流的网络入侵实时检测框架

Real-time detection framework for network intrusion based on data stream

针对计算机网络访问请求具有实时到达以及动态变化的特点,为了实时检测网络入侵,并且适应网络访问数据的动态变化,提出一个基于数据流的网络入侵实时检测框架。首先,将误用检测模式与异常检测模式相结合,通过初始聚类建立由正常模式和异常模式构成的知识库;其次,采用数据点与数据簇之间的不相似性来度量网络访问数据与正常模式和异常模式的相似性,从而判定网络访问数据的合法性;最后,当网络访问数据流发生演化时,通过重新聚类来更新知识库以反映网络访问的最近状态。在入侵检测数据集KDDCup99上进行实验,当初始聚类的样本数为10 000,缓冲区聚类的样本数为10 000,调节系数为0.9时,召回率达到91.92%,误报率达到0.58%,接近传统非实时检测模式的结果,但整个学习和检测过程只需扫描网络访问数据一次,并引入了知识库的更新机制,在入侵检测的实时性和适应性方面更具有优势。

The access request for computer network has the characteristics of real-time and dynamic change. In order to detect network intrusion in real time and be adapted to the dynamic change of network access data, a real-time detection framework for network intrusion was proposed based on data stream. First of all, misuse detection model and anomaly detection model were combined. A knowledge base was established by the initial clustering which was made up of normal patterns and abnormal patterns. Secondly, the similarity between network access data and normal pattern and abnormal pattern was measured using the dissimilarity between data point and data cluster, and the legitimacy of network access data was determined. Finally, when network access data stream evolved, the knowledge base was updated by reclustering to reflect the state of network access. Experiments on intrusion detection dataset KDDCup99 show that, when initial clustering samples are 10000, clustering samples in buffer are I0000, adjustment coefficient is 0. 9, the proposed framework achieves a recall rate of 91.92% and a false positive rate of 0. 58%. It approaches the result of the traditional non-real-time detection model, but the whole process of learning and detection only scans network access data once. With the introduction of knowledge base update mechanism, the proposed framework is more advantageous in the real-time performance and adaptability of intrusion detection.