11基于数据挖掘的入侵检测技术研究1

上海交通大学硕士学位论文基于数据挖掘的入侵检测技术研究姓名：吉磊申请学位级别：硕士专业：通信与信息系统指导教师：薛质20070101InternetK-AprioriAprioriRESEARCHOFINTRUTIONDETECTIONTECHNOLOGYBASEDONDATAMININGABSTRACTWiththedevelopmentofInternet,thenetworkplaysanincreasinglysignificantroleinthedailylife.However,theintrutionandattackfromthenetworkdamagesthestabilityinthesecurity,economyandotheraspectsinthesociety.Sotheinformationsecurityissueisguaduallybecomingthehottestpoint.IntrutionDetectionisoneofthemostimportantpartsintheinformationsecutitytechnology,includingtheloganalysis,vulnerabilitydetectionandsoon.Almostallthetechnologiespartlyrelyonthedevelopmentofthedataanalysisandcomputationtechnology,includingdatamining.Dataminingtechnologycombinedthestatisticsandcomputation,cangettheusefulandprotentialinformationfromthelargemountofdata,soitcandescribethefutureactivityortrendoftheentitiesonthenetworkandhelptothedecisionmakingforsecuritybygnenratingthesetsofthetherulesgotfromthedataforguidance.Basedonthefurtherunderstadingofthedataminingalgorithm,inthepaper,theApriorialgorithmwasimprovedinthenewproposedframeworkofIntrutionDetectionSystembasedonthedatamining,includingtheClusteringAnalysis,AssociationAnalysisandsequenceanalysis.Bythenewsystem,thecharacteristicofthepacketsforattackandthemodeloftheattacksequencecanbeeasilygenerated,sotheintrutionmodelcanalsobeobtained.Inthispaper,theconceptiononinformationsecurity,intrutiondetectionandsecuritylogauditionisintroducedinthefirstthreepartrespectivelythefourthpartintroducesthedataminingindetailthefifthpartexplainsthenecesscityandthenewframeworkoftheIDSwithdatamining,andthesixthpartisabouttheexperimentandtheimprovementontheApriorialgorithm.KEYWORDSIntrutionDetection,DataMining,ClusteringAnalysis,AssociationAnalysis,AprioriAlgorithm200711120071112007111111.1Internet(CNNIC)20061[1]111007.8%49508.6%6942002.5%136106M1664.7%Internet1.220100InputIT200860[1]4[2]2(1)“”3(2)(3)1022(4)“”Microsoftwindows“”“”3(IntrusionDetectiveSystem,IDS)IDS1.3K-Apriori422.1()[3](1)(2)(3)(4)(5)2-1Fig2-1TheprincipleoftheIDS5(IntrusionDetectionSystemIDS)IDSIDS;2-22-2Fig.2-2ThestructureofIDS(1)()(2)()(3)2.2(Host-based)(Network-based)62.2.1(HIDS)HIDS(Host-BasedIntrusionDetectionSystem,HIDS)DenningHIDSAPIIDSHIDS72.2.2(NIDS)(Network-BasedIntrusionDetectionSystem,NIDS)IDSNIDSNIDSNetSTATIDSNIDSNIDSNIDSHIDSNIDSIDSIDSIDSIDSTCPIDSNIDSNIDSNIDSIDSIPv62.2.3(DIDS)8IDS(DistributedIntrusionDetectionSystem,DIDS)IDSIDSIDSIDSDIDS(CommonIntrusionDetectionFramework,CIDF)CIDFIDES2-3GIDGID2-3CIDFFig2-3ThestructureofCIDFCIDFIDS2-3(GIDO)GIDO9CIDFCommonIntrusionSpecificationLanguageCISLCIDFCIDFCIDFIDSCIDF(Agent)IDS2.3(AnomalyDetection)(MisuseDetection)2.3.1(AnomalyDetection)2-4Fig2-4thestructureofAnomalyDetection10(1)IDES(IntrusionDetectionExpertSystem)NIDES(Next-generationIntrusionDetectionExpertSystem)5a.b.c.d.11e.(2)(3)12LosAlamosOakRidgeWisdomandSense(W&S)(DEC)Teng,ChenLuTime-BasedInductiveMachine(TIM)TIMTIM/2.3.2(MisuseDetection)2-5Fig2-5thestructureofMisuseDetection(Knowledge-basedDetection)(Signature-BasedDetection)13(1)MIDAS(MulticsIntrusionDetectionandAlertingSystem)IDESNIDES(NextGenerationIDES)CMDSMIDASIDESNIDESP-BEST(Production-BasedExpertSystemTool)DIDSCMDSCLIPSIF-THENIFTHENa.b.(BlackBox)(2)2Petri-Net14STAT(StateTransitionAnalysisTechnique)USTAT(StateTransitionAnalysisToolforUNIX)(signatureactions)(compromisedstate)Petri(CP-NET)PurdueUniversitySandeepKumarGeneSpaffordIDIOTCP-NetsPetri(3)2.4(1)15(2)CybersafeCentraxeNTraxWindowNTWindowsNTRegistry2.5(1)90%RealSecure,NID,ShadowNetRanger(2),2.6IDSIDS(1)IDS16IDSCIDFIDSGrIDSEMER-ALD(2)IDSWEBLotusNotes(3)IDS(4)IDSIDSIDSIDSIDS(5)VPNPKIXSET(1)CiscoNetRanger;(2)InternetSecuritySystemRealSecure;(3)2.7SnortSnort(NetworkIntrusionDetectionSystemNIDS)SnortLibpcapLibpcap/SnortSnort17syslogUNIXWinPopupSnortSnorttcpdumpASCII2-6SnortFig2-6thestructureofSnortSnortSnort2-6(1)Snort(2)SnortSnort/IPTCPICMPSnort(3)/tcpdumpsyslog//var/loglsnort//var/log/snort/alertsSnortASCII(1)Snort(2)SnortSnort(3)Snort18(4)IncludeFilesSnort(5)SnortSnortSnortSnortIP###Defineournetworkandothernetwork##varOURNET208.177.13.0/24varOTHERNET!$OURNETvarNIDSHOST208.177.13.251varPORTS10varSECS3###Logrules##logtcp$OTHERNETany$OURNET23logtcp$OTHERNETany$OURNET21logtcp$OTHERNETany$OURNET79###AlertRules##alertudpanyany$OURNET53(msg:UDPIDS/DNS-version-query;content:version;)alerttcpanyany$OURNET53(msg:TCPIDS/DNS-version-query;content:version;)alerttcpanyany$OURNET80(msg:PHFattempt;content:/cgi-bin/phf;)###Loadportscanpre-processorforportscanalerts##preprocessorportscan:$OTHERNETSPORTS$SECS/var/log/snort/pscanalertspreprocessorportscan-ignorehosts:$OURNET###PassRules(Ignore)##passtcp$OURNETany$OTHERNET80passudpany1024:any1024:passtcpany22$NIDSHOST22Telnet,FTPfinger.19//var/log/snort/pscan-alerts;PHFDNS1024UDP;WebSSLSnortTCP/UDP/ICMP#Snort-vdSnort//var/lotoday.log#Snort-dev-1/var/log/today.logSnort1e0//etc/Snort.rules#Snort-D-i1e0-c/etc/Snort.rulesSnortAlert,Pass,LogPass,Alert,Log-Afull,fast,noneunsock,Full,none,fastunsockSnortUNIXSnortSnortTelnet,FTPfingerScannerIISUnicodeS