ISSN 1000-1239 CN 11-1777/TP



An Online Adaptive Network Anomaly Detection System-Model and Algorithm

Wei Xiaotao1, Huang Houkuan2, and Tian Shengfeng2   

  1 School of Software, Beijing Jiaotong University, Beijing 100044; 2 School of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044 (weixt@bjtu.edu.cn)
  • Published online: 2010-03-15


Abstract: The extensive use of the Internet and computer networks makes security a critical issue, and there is an urgent need for network intrusion detection systems that actively defend networks against the growing security threats. This paper presents a lightweight online adaptive network anomaly detection system model together with the related influence-function-based anomaly detection algorithm. The system processes the network traffic data stream in real time, gradually builds up a local normal pattern base and an intrusion pattern base with only a little supervision from the administrator, and dynamically updates the contents of its knowledge base as the network's usage patterns change. In detection mode, the system not only recognises the learned intrusion patterns but also raises alerts on intrusion patterns it has never seen. The model has a relatively simple architecture, which makes it efficient for processing online network traffic data, and the detection algorithm needs little computation time and memory. The system was tested on the DARPA KDD 99 intrusion detection datasets: the 10% training subset and the test set were each fed to the system sequentially, as a data stream, in a single pass. Within 40 seconds the system finished all learning and detection tasks, achieving a detection rate of 91.32% and a false positive rate of only 0.43%. The experimental results show that the system is practical, detects effectively, and is also capable of identifying new types of intrusion.

Key words: network intrusion detection, online adaptive, influence function, data stream, anomaly detection
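The abstract describes the mechanism only at a high level: two pattern bases (normal and intrusion) learned online from a stream with a little administrator feedback, an influence-function score for each incoming record, alerts on records that match a learned intrusion pattern or match nothing seen so far, and bounded time and memory per record. The following Python sketch is an added illustration of that scheme, not the authors' code (the paper's actual influence function, thresholds and update rules are not given on this page). It assumes a Gaussian influence function, a max-influence score against each base, a fixed threshold, and FIFO eviction to cap base size; the stream is constructed, normalised feature vectors, not KDD 99 records.

```python
# Added example of an online influence-function anomaly detector (not the paper's code).
# Assumed: Gaussian kernel, max-influence scoring, fixed thresholds, FIFO-bounded bases.
import math


def gaussian_influence(x, prototype, sigma):
    """Influence a stored prototype exerts on record x (assumed Gaussian kernel)."""
    d2 = sum((a - b) ** 2 for a, b in zip(x, prototype))
    return math.exp(-d2 / (2.0 * sigma * sigma))


class InfluenceDetector:
    """Normal and intrusion pattern bases, both learned online from the stream."""

    def __init__(self, sigma=0.15, threshold=0.5, cover=0.9, max_patterns=64):
        self.sigma = sigma            # kernel width (assumed value)
        self.threshold = threshold    # minimum influence to count a record as "covered"
        self.cover = cover            # influence above which a normal record adds nothing new
        self.max_patterns = max_patterns
        self.normal = []              # prototypes of normal traffic
        self.intrusion = []           # prototypes of confirmed intrusions

    def _max_influence(self, x, base):
        return max((gaussian_influence(x, p, self.sigma) for p in base), default=0.0)

    def _remember(self, base, x, cover):
        """Store x unless a prototype already covers it; evict the oldest when full."""
        if self._max_influence(x, base) < cover:
            base.append(tuple(x))
            if len(base) > self.max_patterns:
                base.pop(0)

    def observe(self, x, feedback=None):
        """Score one record, then learn from it.

        feedback is None (unsupervised), 'normal' or 'intrusion' (administrator label).
        Returns 'normal', 'known_intrusion' or 'novel_intrusion'.
        """
        n = self._max_influence(x, self.normal)
        i = self._max_influence(x, self.intrusion)
        if i >= self.threshold and i > n:
            verdict = "known_intrusion"   # matches a learned intrusion pattern
        elif n >= self.threshold:
            verdict = "normal"            # covered by the normal pattern base
        else:
            verdict = "novel_intrusion"   # far from everything seen: alert on an unseen attack

        if feedback == "normal":
            self._remember(self.normal, x, self.threshold)
        elif feedback == "intrusion":
            self._remember(self.intrusion, x, self.threshold)
        elif verdict == "normal":
            # Unsupervised adaptation: follow slow drift of normal behaviour.
            self._remember(self.normal, x, self.cover)
        # Unconfirmed anomalies are reported but never learned, so repeating an
        # attack cannot teach the detector that the attack is normal.
        return verdict


def evaluate(detector, stream):
    """Feed (record, truth, feedback) triples once, in order; score only unsupervised records."""
    tp = fn = fp = tn = 0
    verdicts = []
    for x, truth, feedback in stream:
        verdict = detector.observe(x, feedback)
        if feedback is not None:
            continue                  # labelled records are guidance, not test traffic
        verdicts.append(verdict)
        flagged = verdict != "normal"
        if truth == "intrusion":
            tp += flagged
            fn += not flagged
        else:
            fp += flagged
            tn += not flagged
    return {
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
        "verdicts": verdicts,
    }


def build_stream():
    """Constructed (duration, bytes, failed_logins) vectors scaled to [0, 1]; not KDD 99 data."""
    web = (0.05, 0.30, 0.00)
    ssh = (0.40, 0.10, 0.00)
    brute_force = (0.20, 0.05, 0.90)  # many failed logins
    flood = (0.00, 0.95, 0.00)        # byte burst never shown to the system

    def jitter(v, eps):
        return tuple(c + eps for c in v)

    stream = [(web, "normal", "normal"),          # a little administrator guidance up front
              (ssh, "normal", "normal"),
              (brute_force, "intrusion", "intrusion")]
    for k in range(5):                            # then unlabelled traffic with small drift
        stream.append((jitter(web, 0.01 * k), "normal", None))
        stream.append((jitter(ssh, -0.01 * k), "normal", None))
    stream.append((jitter(brute_force, 0.02), "intrusion", None))  # learned pattern
    stream.append((flood, "intrusion", None))                      # unseen pattern
    return stream


def run_demo():
    return evaluate(InfluenceDetector(), build_stream())


if __name__ == "__main__":
    print(run_demo())
```

Each record costs one pass over two bounded pattern bases, which is what keeps per-record time and memory constant. The one deliberate choice worth noting is that only administrator-confirmed records and records already judged normal update the bases: an unconfirmed anomaly is alerted on but never learned, otherwise an attacker could normalise an attack simply by replaying it until the detector adapted to it.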