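Research on Network Intrusion Detection Based on Traffic Matrices
Published: 2018-05-17 05:09
Topics of this paper: traffic matrix + information entropy. Reference: Lanzhou Jiaotong University, 2014 master's thesis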
[Abstract]: Intrusion detection is a proactive protection technology that followed traditional protective measures such as firewalls and data encryption. How to effectively detect anomalous events that interfere with network performance, and correctly identify the type of each anomaly so that the network keeps operating normally, has become one of the important research topics in network security.

Network anomalies are sudden, unpredictable and complex. An anomalous event usually changes the feature attributes of network traffic and, correspondingly, any change in those feature attributes indicates that several anomalous events have occurred. Network flows, an important form of Internet operation and management, carry feature attributes of network communication such as source/destination IP address, source/destination port and service protocol. The traffic matrix, an important way of organizing network flows, usually has three components: an approximately periodic normal component, an anomalous component and a noise component. Effectively analyzing and processing each of these components is the key for an intrusion detection system (IDS) to detect and classify network anomalies. This thesis arranges the traffic between source-destination node pairs in the network into matrix form as the main input to the intrusion detection system.

A good network intrusion detection model helps in analyzing and handling network traffic anomalies, raising the detection rate of the intrusion detection system and lowering its false alarm rate. Building on a study of traditional intrusion detection methods and principles, this thesis designs an intrusion detection model based on the network traffic matrix. The model takes the traffic matrix as the object of anomaly analysis and comprises several functional modules: traffic data collection, coarse traffic data preprocessing, traffic anomaly detection and traffic anomaly classification. To provide more accurate warning and classification of network anomalies, the thesis proposes using a PGM-NMF-based anomaly detection algorithm in the anomaly detection module and a cluster-analysis-based anomaly classification algorithm in the anomaly classification module.

On the basis of this model design, the thesis gives the detailed design of the traffic-matrix-based intrusion detection algorithm. An information entropy algorithm preprocesses the original network traffic data to build an entropy-based traffic matrix. A proposed PGM-NMF-based traffic anomaly detection algorithm then constructs the normal subspace of network traffic, and the Q-statistic is applied to the reconstruction error to judge whether the traffic is anomalous. To further determine the type of anomaly, a cluster-analysis-based network anomaly classification algorithm is proposed: the clustering results are matched against a library of anomaly feature patterns to identify the anomaly type accurately. Finally, simulation experiments verify the anomaly detection and classification performance. Compared with traditional intrusion detection schemes, the traffic-matrix-based network intrusion detection model designed in this thesis has certain advantages.
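The pipeline the abstract outlines (entropy-based traffic matrix, NMF normal subspace, reconstruction-error test) can be sketched as follows. This is an added example, not code from the thesis: Lee-Seung multiplicative updates stand in for PGM-NMF, a multiple of the median squared prediction error stands in for the Q-statistic threshold, and all function names and the sample flows are constructed for illustration.

```python
from collections import Counter, defaultdict
from math import log2

def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of values."""
    n = len(values)
    return sum(-(c / n) * log2(c / n) for c in Counter(values).values())

def entropy_matrix(flows):
    """Rows = time bins; columns = entropy of src IP, dst IP, src port, dst port."""
    bins = defaultdict(list)
    for b, *fields in flows:
        bins[b].append(fields)
    return [[entropy(col) for col in zip(*bins[b])] for b in sorted(bins)]

def nmf(V, k, iters=200, eps=1e-9):
    """Rank-k NMF V ~ W*H via multiplicative updates (assumed stand-in for PGM-NMF)."""
    n, m = len(V), len(V[0])
    # Deterministic positive initialisation so the result is reproducible.
    W = [[1.0 + ((3 * i + 7 * j) % 5) / 10 for j in range(k)] for i in range(n)]
    H = [[1.0 + ((5 * i + 2 * j) % 7) / 10 for j in range(m)] for i in range(k)]
    mul = lambda A, B: [[sum(a * b for a, b in zip(r, c)) for c in zip(*B)] for r in A]
    T = lambda A: [list(r) for r in zip(*A)]
    for _ in range(iters):
        num, den = mul(T(W), V), mul(mul(T(W), W), H)
        H = [[H[i][j] * num[i][j] / (den[i][j] + eps) for j in range(m)] for i in range(k)]
        num, den = mul(V, T(H)), mul(W, mul(H, T(H)))
        W = [[W[i][j] * num[i][j] / (den[i][j] + eps) for j in range(k)] for i in range(n)]
    return W, mul(W, H)

def flag_bins(flows, k=1, factor=3.0):
    """Return (SPE per bin, indices of bins whose SPE exceeds factor x median SPE)."""
    V = entropy_matrix(flows)
    _, R = nmf(V, k)
    spe = [sum((v - r) ** 2 for v, r in zip(vr, rr)) for vr, rr in zip(V, R)]
    cut = factor * sorted(spe)[len(spe) // 2]  # simplified threshold, not the Q-statistic
    return spe, [i for i, s in enumerate(spe) if s > cut]

# Constructed sample flows: (bin, src IP, dst IP, src port, dst port).
# Bins 0-4 share one traffic mix; bin 5 is a single source touching many ports.
FLOWS = [(b, f"10.0.0.{j % 4}", f"10.0.1.{j % 2}", 40000 + j + b, (80, 443)[j % 2])
         for b in range(5) for j in range(8)]
FLOWS += [(5, "10.0.0.9", "10.0.1.0", 50000 + j, 1 + j) for j in range(8)]

if __name__ == "__main__":
    print(flag_bins(FLOWS))
```

In the constructed data the source-IP and destination-IP entropies collapse to zero in bin 5 while destination-port entropy rises, so that row falls outside the rank-1 normal subspace fitted to the other bins.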
[Degree-granting institution]: Lanzhou Jiaotong University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.08
Article ID: 1900042
Article link: http://www.sikaile.net/guanlilunwen/ydhl/1900042.html