基于数据包负载的网络入侵检测

6320076()JournalofJiangnanUniversity(NaturalScienceEdition)Vol.6No.3Jun.2007:1671-7147(2007)03-0271-04:2006-02-11;:2006-04-13.:(2004201).:(1980-),,,.3:(1964-),,,,..Email:fengyan@zju.edu.cn,3,(,310027):,,.,,,.,,.1999DARPAIDS,,80,100%,0.1%.:;;;:TP393.08:APacketPayloadBasedAnomalousNetworkIntrusionDetectionWANGRuiOjie,FENGyan3,LONGXiaoOfei(CollegeofComputerScience,ZhejiangUniversity,Hangzhou310027,China)Abstract:ThepaperpresentsapayloadObasedanomalydetectormodeldescribingthenormalpakcetpayloadofnetworktrafficinafullyautomatic,unsupervisedandveryeffecientfashion,forintrusiondetection.Wefirstlycomputeduringatrainingphaseaprofilebytefrequencydistributionandtheirstandarddeviationoftheapplicationpayloadflowingtoasinglehostandport.then,MahalanobisdistanceduringthedetectionphaseisusedtocalculatethesimilarityofnewdataagainstthepreOcomputedprofile.Thedetectorcomparesthismeasureagainstathresholdandgeneratesanalertwhenthedistanceofthenewinputexceedsthisthreshold.Thesurprisingeffectivenessofthemethodisdemonstratedforthe1999DARPAIDSdataset.Inonecasenearly100%accuracyisachievedwith0.1%falsepositiverateforport80traffic.Keywords:payload;anomalousdetection;intrusiondetection;Maharanobisdistance,SPADE[1],NIDES[2],PHAD[3]ALAD[4].,,,NETAD48B.Kruegel[5].,,.,.Kruegel,,(Mahalanobisdistance)...256ASCII..,...,,.,.1,nOgram,nOgram.nOgram,,,.nOgram1Ogram.,(,256,),.1.1nOgram.,,..,,.,(inboundtraffic)(outboundtraffic).,,20FTP,21FTP,22SSH,23Telnet,25SMTP,80Web.,.,.22,,,21.,,TCP,01460.,.(nonOprintable),().,,.,,.,nOgram[6],n=1.nOgramn.n,,,nnOgram.,nOgram(relativefrequencycount).nOgramnOgram,.1Ogram,256ASCII.,(averagefrequency),.,.,,,.1,2.,272()6Mij.ji,Mij..,5,10,,50.380180.x256ASC;y1Fig.1Examplebytedistributionsfordifferentports280Fig.2Examplebytedistributionfordifferentpayloadlengthsforport80onthesamehostserver3Fig.3Theaveragerelativefrequencyofeachbyte,andthestandarddeviationofthefrequencyofeachbyte1.2.,.,,,.:d2(x,…y)=(x-…y)TC-1(x-…y),xy,;x,y;C.,,;()..,,,:d(x,…y)=n-1i=0(|xi-…yi|/€i),i.,,.,,.,.10.,.2,1999DARPAIDS[7].MIT,5.3,.week1week3,week4week5.,5:(1),;(2)(100B),100B;(3)(100B),100B;(4),,3723:;(5),,1000B.4.45ROCFig.4ROCcurvesforthefivedifferentmodelsonthedetectionratesandfalsealarmrates.4,80.,,.,1%,60%.,1%,70%[8].1.11%Tab.1Overalldetectionrateofeachmodelwhenfalsepositiveratelowerthan1%/%58.8(100B)56.7(100B)47.456.752.63,.80,100%,0.1%,,.,,,.:[1]StanifordS,HoaglandJ,McAlerneyJ.Statisticalpacketanomalydetectionengine(SPADE)[J].SIGKDD,2000,1(6):208O223.[2]JavitsHS,ValdesA.TheNIDESStatisticalComponent:DescriptionandJustification[M].California:ComputerScienceLaboratory,SRIInternational.1993:2O6.[3]MahoneyM,ChanPK.Learningnonstationarymodelsofnormalnetworktrafficfordetectingnovelattacks[J].SIGKDD,2002,1(8):376O385.[4]MahoneyM.Networktrafficanomalydetectionbasedonpacketbytes[J].ACMSAC,2003,1(13):21O38.[5]KruegelC,TothT,KirdaE.ServiceSpecificAnomalyDetectionforNetworkIntrusionDetection[M].NewYork:SymposiumonAppliedComputing(SAC)ACMPress,2002:201O208.[6]DamashekM.GaugingsimilaritywithnOgrams:languageindependentcategorizationoftext[J].Science,1995,267:843O848.[7]LippmannR,HainesJ.The1999DARPAoffOlineintrusiondetectionevaluation[J].ComputerNetworks,2000,34(4):579O595.[8]MahoneyM,ChanPK.Ananalysisofthe1999DARPA/Lincolnlaboratoryevaluationdatafornetworkanomalydetection[J].RAID,2003,1(6):220O237.(:)472()6