网络入侵检测论文网络入侵异常检测的统计方法研究.doc

网络入侵检测论文：网络入侵异常检测的统计方法研究【中文摘要】随着互联网进入生活的各方各面,网络入侵也日益成为人们面临的安全问题。因此,有效地检测到网络入侵行为具有十分重要的意义。网络入侵检测方法分为基于特征的入侵检测和异常行为检测。基于特征的检测主要针对已知的攻击行为,异常行为检测则是通过网络的异常来实现检测。但目前的方法,都存在着误报警率高的问题。对未知入侵行为的有效检测一直是人们研究的热点问题。网络的异常行为可能是因为攻击,也可能不是因为攻击,但对网络正常运行来说,都是值得注意的。本文采用统计的方法来对异常行为进行检测,而不检测出现何种攻击：论文首先对正常行为的网络实验数据进行统计采集,获得正常行为的统计特征参数；然后统计分析含有入侵的数据,获得入侵行为影响到的主要特征参数；提出采用参数检验的方法和基于距离判别的方法来实时检测异常行为,并通过实验数据进行检验。主要的研究包括：(1)介绍了在网络入侵检测系统中广泛应用的Lincoln实验室的网络入侵的数据集；探讨和研究了snort等网络入侵检测系统,并设计了采集网络入侵数据集的算法；分析了网络入侵的主要方式,并对数据集中出现的网络入侵进行原理分析,分析其表现出来的异常统计特征。(2)通过对网络入侵特征的分析,获得一些能够反应网络入侵的统计特征参数,确定了需要统计的网络行为统计特征,如IP流量、ICMP流量、端口访问量等；利用设计的采集系统采集正常流量数据,获得正常网络流数据的统计特征；采集含网络入侵行为的数据集,并对比网络中正常数据流和入侵数据流的的统计特征,证实了某些统计参数特征能正确反应入侵的行为。(3)提出网络异常行为的参数检验方法,对正常情况下的统计获得正常样本的经验分布,当某种统计特征数值出现在正常样本经验分布的小概率事件范围时,可以判断其出现了异常；提出基于距离判别的方法来实时检测异常行为,在综合各种入侵特征的基础上,给出一组特征组成测试样本向量,对正常情况下各个特征统计出样本向量的样本均值和样本协方差矩阵,求出检验样本向量是否与正常网络流有较大的距离,从而判断是否出现了网络异常。【英文摘要】With the popular application in social life, the network intrusion becomes an emergency threat. So it is significant important to detect the network intrusion effectively. The network intrusions are divided into two categories:the detection method based on intrusion features and the anomaly detection. The former is aim to detect the known attack behave and the later is based on the anomaly behaviors of network flows. Both of them are suffered from the high rate of mis-alarm.It is both worthy of paying attention to for the network maintainer whether the network anomaly behave is intrusion or not. This thesis is devoted to detect the network anomaly, not to determinate which attack has happened or even whether it is an attack. The thesis firstly designs a data collection method for the experiment dataset and obtains the statistical parameter features under the normal condition and the intrusion condition. The parameter test method and distance distinguish method are employed to detect he abnormal behave. The experiment results are given based on the famous experiment dataset. The main researches include the following aspects:(1) The network intrusion experiment dataset from Lincoln lab is introduced which is famous and widely used in network intrusion detection system. The famous IDS system snort is analysized and a data collection algorithm is designed based on snort. The network intrusion theorem and the statistical features of these intrusion behave are also discussed.(2) Through the analysis of network intrusion features, the statistical parameters for intrusion behaves are obtained, such as IP flow, ICMP flow, port visited number and so on. The statistical features for normal network flow and abnormal flow are obtained by collecting and analysis of the dataset with the data collection system. With the comparison for the statistical features between that from normal flow and abnormal flow, it is proved that the statistical features selected can indeed reflect the intrusion.(3) The network abnormal behave detection method based on parameter test is presented. The experience distribution for normal network flow is given. When the sample data is distributed beyond the normal range of the experience distribution, it can be deduced to be a abnormal behave. A distance discrimination detection method is presented which can consider several statistical features at the same time. The sample means and covariance matrix under the normal network environment are statistically calculated. The distinguishing between the normal or abnormal behave are based on the distance between test sample with the sample mean vector.【关键词】网络入侵检测 异常检测 统计特征 参数检验 距离判别【英文关键词】network intrusion detection anomaly detection statistical feature parameter test distance discrimination【目录】网络入侵异常检测的统计方法研究摘要5-6Abstract6第一章 绪论10-211.1 引言101.2 网络入侵检测系统10-161.2.1 网络入侵检测的概念10-131.2.2 网络入侵检测的分类13-141.2.3 网络入侵检测目前存在系统14-161.2.4 网络入侵检测系统中存在的问题161.3 网络异常行为检测16-201.3.1 异常行为检测的原理16-181.3.2 网络异常检测的研究方法18-191.3.3 网络异常检测的存在的问题19-201.4 本文的研究内容及组织结构20-21第二章 网络入侵数据的采集及入侵特征分析21-332.1 网络入侵数据集的介绍21-222.2 网络入侵实验数据采集22-292.2.1 Lincoln实验室入侵实验数据22-262.2.2 数据集的采集方法26-272.2.3 数据集的采集及分析示例27-292.3 网络入侵特征分析29-322.3.1 网络入侵的种类292.3.2 网络入侵的原理及统计特征分析29-322.4 本章小结32-33第三章 网络入侵行为的数据统计特征分析33-473.1 协议包的流量特征分析33-373.1.1 刻画包流量的统计量及统计方法333.1.2 IP包流量的特征统计33-343.1.3 ICMP包流量的特征统计34-353.1.4 TCP包流量的特征统计35-363.1.5 UDP包流量的特征统计36-373.2 网络来源统计特征分析37-413.2.1 不同时间窗内出现的不同IP的个数37-383.2.2 不同时间窗内出现的携带ICMP的IP包的不同地址的个数38-393.2.3 不同时间窗内出现的携带TCP的IP包的不同地址的个数39-403.2.4 不同时间窗内IP地址的TCP,UDP包不同端口的平均数40-413.3 网络行为的统计特征分析41-453.3.1 不同时间窗内IP地址的IP包数的平均数、最大值、最小值423.3.2 不同时间窗内IP地址的ICMP包的平均数,最大值,最小值42-433.3.3 不同时间窗内IP地址的TCP,UDP包的平均数43-443.3.4 不同时间窗内IP地址发起连接的TCP包的平均数,最大值44-453.4 网络异常行为对流量的影响45-463.5 本章小结46-47第四章 网络入侵行为的统计检