Research on improving the Snort system with outlier mining
Published: 2018-04-14 20:19
Topic: intrusion detection + Snort; Source: Hebei University of Science and Technology, master's thesis, 2014
[Abstract]: Intrusion detection divides into misuse detection and anomaly detection. Snort, a typical misuse-based network intrusion detection system, detects intrusions by signature matching; it is open source and extensible through plug-ins. Snort's signatures are low-level byte patterns matched against network packets, a way of describing an intrusion that is comparatively complex and hard to read. The attribute set of the KDD99 intrusion detection data set, by contrast, abstracts and summarizes a wide range of intrusion features; detecting intrusions on those attributes is more intelligible and more concise, runs more efficiently, and identifies the various intrusion types more accurately. This study classifies the intrusions against the feature attributes, computes the information gain of every attribute in the set, sorts the attributes by information gain in descending order, and uses the attributes with the highest gain for detection in an improved Snort system. As a misuse detector, Snort has the advantage of high detection efficiency, but it cannot detect intrusion types for which no signature has been defined. This study therefore designs a simple deviation-based outlier detection method and applies it to Snort, giving the improved system the ability to detect intrusion types whose signatures are not defined. Building on Snort's existing detection flow, a new detection process is designed that separates an offline detection part from an online detection part: Snort's signature matching serves as the online part and the outlier detection method as the offline part, so that detection effectiveness is improved without lowering Snort's detection efficiency. Experiments finally verify that the deviation-based outlier detection method, applied within an intrusion detection system, can effectively detect intrusion types with undefined signatures and can therefore be used to improve Snort and strengthen its detection capability.
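The abstract names two data-mining steps without showing either: ranking KDD99 attributes by information gain, and scoring connections that no signature matched against a deviation-based outlier test. The following is an added example, not code from the thesis, that carries both steps through on a constructed KDD99-style sample. The attribute names are real KDD99 attribute names; the record values and labels, the discretisation thresholds, the standard-deviation floor and the z-score threshold are all assumptions made for illustration, and the z-score form of "deviation" is one simple choice, not necessarily the one the thesis used.

```python
"""Added example (not the thesis's own code): the two data-mining steps the
abstract describes, on a constructed KDD99-style sample.

1. rank attributes by information gain and keep the top ones;
2. build a deviation profile from normal traffic and score, offline, the
   connections that Snort's online signature matching did not flag.

Attribute names are real KDD99 attribute names; the record values, labels,
discretisation thresholds, std floor and z-score threshold are assumptions."""
import math
from collections import Counter, defaultdict

ATTRIBUTES = ("protocol_type", "service", "flag", "count", "serror_rate")
# Numeric attributes are discretised at these (assumed) thresholds for the
# information-gain step; nominal attributes are used as they are.
NUMERIC = {"count": 100, "serror_rate": 0.5}

# Constructed labelled records: (protocol_type, service, flag, count, serror_rate, label)
RECORDS = [
    ("tcp", "http", "SF", 5, 0.0, "normal"),
    ("tcp", "http", "SF", 8, 0.0, "normal"),
    ("udp", "domain_u", "SF", 2, 0.0, "normal"),
    ("tcp", "smtp", "SF", 3, 0.0, "normal"),
    ("tcp", "private", "S0", 200, 1.0, "neptune"),
    ("tcp", "private", "S0", 250, 1.0, "neptune"),
    ("tcp", "private", "S0", 180, 0.98, "neptune"),
    ("icmp", "ecr_i", "SF", 500, 0.0, "smurf"),
]

# Constructed unlabelled connections that no Snort signature matched (the
# offline queue): one ordinary web session and two unsigned attack-like ones.
UNMATCHED = [
    ("tcp", "http", "SF", 6, 0.0),
    ("tcp", "ftp_data", "SF", 160, 0.0),   # flood-like volume
    ("tcp", "telnet", "S0", 4, 1.0),       # every connection half-open
]


def entropy(labels):
    """Shannon entropy (bits) of a label multiset."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def bucket(attr, value):
    """Discretise a numeric value to low/high; pass nominal values through."""
    if attr in NUMERIC:
        return "high" if value >= NUMERIC[attr] else "low"
    return value


def information_gain(records, attr):
    """IG(label; attr) = H(label) - sum_v P(v) * H(label | attr = v)."""
    i = ATTRIBUTES.index(attr)
    groups = defaultdict(list)
    for r in records:
        groups[bucket(attr, r[i])].append(r[-1])
    conditional = sum(len(g) / len(records) * entropy(g) for g in groups.values())
    return entropy([r[-1] for r in records]) - conditional


def rank_attributes(records):
    """Attributes sorted by information gain, largest first."""
    gains = [(a, information_gain(records, a)) for a in ATTRIBUTES]
    return sorted(gains, key=lambda pair: pair[1], reverse=True)


def build_profile(records, attrs, std_floor=0.05):
    """Mean and (floored) population std of each numeric attribute over the
    records labelled normal; the floor keeps constant attributes usable."""
    normal = [r for r in records if r[-1] == "normal"]
    profile = {}
    for a in attrs:
        xs = [r[ATTRIBUTES.index(a)] for r in normal]
        mean = sum(xs) / len(xs)
        std = math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))
        profile[a] = (mean, max(std, std_floor))
    return profile


def deviation(record, profile):
    """Deviation score: the largest |z| of the record across profiled attributes."""
    return max(abs(record[ATTRIBUTES.index(a)] - mean) / std
               for a, (mean, std) in profile.items())


def offline_outliers(unmatched, profile, threshold=3.0):
    """Records whose deviation from the normal profile exceeds the threshold."""
    scored = ((r, deviation(r, profile)) for r in unmatched)
    return [(r, round(score, 2)) for r, score in scored if score > threshold]


if __name__ == "__main__":
    ranking = rank_attributes(RECORDS)
    for attr, gain in ranking:
        print(f"{attr:14s} IG = {gain:.4f}")
    # Profile only the numeric attributes among the ranked ones.
    selected = [a for a, _ in ranking if a in NUMERIC]
    profile = build_profile(RECORDS, selected)
    for record, score in offline_outliers(UNMATCHED, profile):
        print("outlier", record, "deviation", score)
```

Two things the run makes visible that the abstract does not: `service` ranks first only because five distinct values split eight records perfectly, which is the known bias of plain information gain toward many-valued attributes (compute it on a large sample, or use gain ratio, before trusting the ranking); and an attribute that is constant in normal traffic, such as `serror_rate` here, has zero standard deviation, so the deviation test needs a floor or any nonzero value becomes an infinite score.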
[Degree-granting institution]: Hebei University of Science and Technology
[Degree level]: Master's
[Year granted]: 2014
[Classification]: TP393.08; TP311.13
Article ID: 1750863
Link: http://www.sikaile.net/guanlilunwen/ydhl/1750863.html