摘要
为解决攻击证据保持及多检测引擎的负载均衡问题,提出基于攻击分类的高性能并行入侵检测方法,将入侵检测系统分为单连接攻击检测和多连接攻击检测两个子系统。前者采用多检测引擎,由负载均衡模块将流量按照传输层协议分类,以会话或五元组为单位,将流量调度至不同检测引擎并行检测,识别单连接攻击行为;后者采用单检测引擎,快速扫描报文首部,识别多连接攻击行为。实验结果表明,在高速网络环境下,相比其他并行入侵检测方法,所提方法的检测性能更优,其F-Measure值显著提升,检测时延和丢包率也有一定降低。
In order to keep attack evidence and balance the load among multi detection engines,the high-performance parallel intrusion detection method based on attack classifications is proposed.The intrusion detection system was divided into two subsystems,which were used for detecting one-connection attacks and multi-connection attacks.Multi detection engines were used in the former,in which the traffic was classified according to transport layer protocols by load balance module,and the classified traffic was scheduled in sessions or five-tuple arrays to different detection engines for parallel detection,which could discern the one-connection attacks.Single detection engine was used in the latter,which could discern the multi-attack actions rapidly through scanning the packet headers.The experimental results show that compared with other parallel intrusion detection methods,the proposed method has better detection performance in high-speed network.It not only enhances the F-Measure value significantly,but also reduces the detection delay and packet loss rate to some extent.
作者
梁本来
朱磊
Liang Benlai;Zhu Lei(College of Information Engineering,Zhongshan Polytechnic,Zhongshan 528404,Guangdong,China;College of Computer Science and Engineering,Xi an University of Technology,Xi an 710048,Shaanxi,China)
出处
《计算机应用与软件》
北大核心
2023年第6期288-294,302,共8页
Computer Applications and Software
基金
国家自然科学基金项目(61602374)
广东省普通高校特色创新项目(2021KTSCX309)
中山职业技术学院青年科研骨干项目(2019GG05)。
关键词
入侵检测
并行检测
攻击分类
攻击证据
负载均衡
流量调度
Intrusion detection
Parallel detectionAttack classifications
Attack evidence
Load balance
Traffic scheduling
