基于信息论的入侵检测最佳响应方案

doi:10.11959/j.issn.1000-436x.2020111

通信学报 ›› 2020, Vol. 41 ›› Issue (7): 121-130.doi: 10.11959/j.issn.1000-436x.2020111

基于信息论的入侵检测最佳响应方案

田有亮^1,^2,³,吴雨龙^1,²,李秋贤^1,²

¹ 贵州大学计算机科学与技术学院，贵州贵阳 550025
² 贵州省公共大数据重点实验室，贵州贵阳 550025
³ 贵州大学密码学与数据安全研究所，贵州贵阳 550025

修回日期:2020-04-14 出版日期:2020-07-25 发布日期:2020-08-01
作者简介:田有亮（1982– ），男，贵州盘县人，博士，贵州大学教授，主要研究方向为博弈论、密码学与安全协议|吴雨龙（1995– ），男，贵州贵阳人，贵州大学硕士生，主要研究方向为密码学与网络安全|李秋贤（1992– ），女，河南温县人，贵州大学硕士生，主要研究方向为密码学与理性密码协议
基金资助:
国家自然科学基金资助项目(U1836205);国家自然科学基金资助项目(61662009);国家自然科学基金资助项目(61772008);贵州省教育厅科技拔尖人才支持基金资助项目([2016]060);贵州省科技重大专项计划基金资助项目(20183001);贵州省科技计划基金资助项目([2017]5788);教育部-中国移动科研基金研发基金资助项目(MCM20170401);贵州省联合基金资助项目(LKT201216);贵州省联合基金资助项目(LH20147476)

Optimum response scheme of intrusion detection based on information theory

Youliang TIAN^1,^2,³,Yulong WU^1,²,Qiuxian LI^1,²

¹ College of Computer Science and Technology,Guizhou University,Guiyang 550025,China
² Guizhou Provincial Key Laboratory of Public Big Data,Guiyang 550025,China
³ Institute of Cryptography ＆Data Security,Guizhou University,Guiyang 550025,China

Revised:2020-04-14 Online:2020-07-25 Published:2020-08-01
Supported by:
The National Natural Science Foundation of China(U1836205);The National Natural Science Foundation of China(61662009);The National Natural Science Foundation of China(61772008);The Guizhou Provincial Department of Education Science and Technology Top Talent Support Project([2016]060);The Science and Technology Major Support Program of Guizhou Province(20183001);The Guizhou Provincial Science and Technology Plan Project([2017]5788);The Ministry of Education-China Mobile Research Fund Project(MCM20170401);The Joint Science and Technology Foundation of Guizhou Province(LKT201216);The Joint Science and Technology Foundation of Guizhou Province(LH20147476)

摘要/Abstract

摘要：

入侵检测系统经常不可避免地出现误警、漏警错误而导致系统的重大安全隐患，然而当前未能找到一种行之有效的解决方案。针对该问题，提出一种基于信息论的入侵检测最佳响应模型。首先，将入侵检测过程中的入侵者和入侵检测系统抽象成随机变量，并根据对抗结果构建了入侵者和入侵检测系统的攻防模型。其次，根据攻防模型设计入侵检测系统的防守信道，将入侵检测系统的正确检测转换成防守信道成功传输1 bit信息问题。最后，通过分析防守信道的信道容量来衡量系统防守能力，其防守信道的最大互信息量就是入侵检测系统的防守极限能力，其对应的策略分布就是系统的防守能力最佳响应策略。实验结果表明，所提方案能够有效地降低系统误警和漏警所造成损失。

关键词: 入侵检测系统, 平均互信息量, 信道容量, 检测率, 响应方案

Abstract:

Intrusion detection system (IDS) often inevitably presents major security risks caused by FPs and FNs.However,at present,an effective solution has not been found.In order to solve this problem,an optimal response model of intrusion detection based on information theory was proposed.Firstly,the intruder and IDS in the process of intrusion detection were abstracted into random variables,and the attack and defense model of intruder and IDS was constructed according to the results of the confrontation.Secondly,the defense channel of IDS was designed according to the attack and defense model,then the correct detection of IDS was transformed into the problem of successful transmission of 1 bit information in defensive channel.Finally,the defensive capability of the system was measured by analyzing the channel capacity of the defensive channel,the maximum mutual information of the defensive channel was the defensive limit capability of the IDS,and the corresponding strategy distribution was the optimal response strategy of the defensive capability of the system.The experimental results show that the scheme can effectively reduce the loss caused by FPs and FNs.

Key words: intrusion detection system, average mutual information, channel capacity, detection rate, response scheme

中图分类号:

TP309

田有亮,吴雨龙,李秋贤. 基于信息论的入侵检测最佳响应方案[J]. 通信学报, 2020, 41(7): 121-130.

Youliang TIAN,Yulong WU,Qiuxian LI. Optimum response scheme of intrusion detection based on information theory[J]. Journal on Communications, 2020, 41(7): 121-130.

图/表 9

表1

表2

表3

图1

图2

图3

图4

图5

表4

参考文献 31

[1]	WU S X , BANZHAF W W . The use of computational intelligence in intrusion detection systems:a review[J]. Applied Soft Computing, 2010,10(1): 1-35.
[2]	ZHU J M , RAGHUNATHAN S . Evaluation model of information security technologies based on game theoretic[J]. Chinese Journal of Computers, 2009,32(4): 828-834.
[3]	RHEE H , RYU Y . Evaluation of intrusion detection systems under a resource constraint[J]. ACM Transaction on Information and System Security, 2008,11(4): 95-118.
[4]	CAVUSOGLU H , RAGHUNATHAN M S . The value of intrusion detection systems in information technology security architecture[J]. Information Systems Research, 2005,16(1): 28-46.
[5]	TIAN Y L , LI Q X , HU J ,et al. Secure limitation analysis of public-key cryptography for smart card settings[J]. World Wide Web, 2020(23): 1423-1440.
[6]	SUBBA B , BISWAS S , KARMAKAR S . False alarm reduction in signature-based IDS:game theory approach[J]. Security and Communication Networks, 2016,9(18): 4865-4881.
[7]	ANDERSON J P . Computer security threat monitoring and surveillance[Z].[S.n.:s.l.],(1980-04-15)[2020-03-24]. [S.n.:s.l.],
[8]	DENNING D E . An intrusion-detection model[J]. IEEE Transactions on Software Engineering, 1987,13(2): 222-232.
[9]	ATHANASIADES N , ABLER R , LEVINE J ,et al. Intrusion detection testing and benchmarking methodologies[J]. IEEE Proceedings First IEEE International Workshop on Information Assurance, 2003: 63-72.
[10]	JIANG J C , MA H T , REN D E ,et al. A survey of intrusion detection research on network security[J]. Journal of Software, 2000,11(11): 1460-1466.
[11]	PAXSON V . Bro:a system for detecting network intruders in realtime[J]. Computer Networks, 1999,31(23-24): 2435-2463.
[12]	GARCíA-TEODORO P , DíAZ-VERDEJO P , MACIá-FERNáNDEZ G .et al. Anomaly-based network intrusion detection:techniques,systems and challenges[J]. Computers ＆ Security, 2009,28(1-2): 18-28.
[13]	LIN W C , KE S W , TSAI C F . CANN:an intrusion detection system based on combining cluster centers and nearest neighbors[J]. Knowledge-Based Systems, 2015,78: 13-21.
[14]	CHEN P , DESMET L , HUYGENS C . A study on advanced persistent threats[C]// 15th International Conference on Communications and Multimedia Security. New York:ACM Press, 2014: 63-72.
[15]	FRIEDBERG I , SKOPIK F , SETTANNI G ,et al. Combating advanced persistent threats[J]. Computers ＆ Security, 2015,48(C): 35-57.
[16]	ZHANG Y , PAN X M , QING Z L ,et al. APT attacks and defenses[J]. Journal of Tsinghua University (Science and Technology), 2017(11): 10-16.
[17]	RUBIO J E , ALCARAZ C , ROMAN R ,et al. Current cyber-defense trends in industrial control systems[J]. Computers ＆ Security, 2019:87.
[18]	LUH R , JANICKE H , SCHRITTWIESER S . AIDIS:detecting and classifying anomalous behavior in ubiquitous kernel processes[J]. Computers ＆ Security, 2019(84): 120-147.
[19]	MOON D , IM H , KIM I ,et al. DTB-IDS:an intrusion detection system based on decision tree using behavior analysis for preventing APT attacks[J]. The Journal of Supercomputing, 2015(73): 1-15.
[20]	VRIES J D , HOOGSTRAATEN H , BERG J V D ,et al. Systems for detecting advanced persistent threats:a development roadmap using intelligent data analysis[C]// International Conference on Cyber Security. Piscataway:IEEE Press, 2013.
[21]	PIETRASZEK T , . Using adaptive alert classification to reduce false positives in intrusion detection[C]// International Workshop on Recent Advances in Intrusion Detection—RAID 2004. Berlin:Springer, 2004: 102-124.
[22]	HACHMI F , BOUJENFA K , LIMAM M . Enhancing the accuracy of intrusion detection systems by reducing the rates of false positives and false negatives through multi-objective optimization[J]. Journal of Network ＆ Systems Management, 2019,27(1): 93-120.
[23]	ZONOUZ S A , KHURANA H , SANDERS W H ,et al. RRE:a game-theoretic intrusion Response and Recovery Engine[J]. IEEE Transactions on Parallel and Distributed systems, 2013,25(2): 395-406.
[24]	CUPPENS N , CUPPENS F , VERAGRA J ,et al. An ontology-based approach to react to network attacks[J]. International Journal of Information ＆ Computer Security, 2008,3(3/4): 280-305.
[25]	吴姚睿, 刘淑芬 . 基于攻击群模型的协同入侵的响应方法[J]. 电子学报, 2009,37(11): 2416-2419.
	WU Y R , LIU S F . A response method for cooperative intrusions based on the attack group model[J]. Acta Electronica Sinica, 2009,37(11): 2416-2419.
[26]	TIAN Y L , GUO J , WU Y L ,et al. Towards attack and defense views of rational delegation of computation[J]. IEEE Access, 2019,PP(99):1.
[27]	杨义先, 钮心忻 . 安全通讯[M]. 北京: 电子工业出版社, 2018.
	YANG Y X , NIU X X . The general theory of information security[M]. Beijing: Publishing House of Electronics IndustryPress, 2018.
[28]	LIN W C , KE S W , TSAI C F . CANN:an intrusion detection system based on combining cluster centers and nearest neighbors[J]. Knowledge-Based Systems, 2015(78): 13-21.
[29]	MOUSTAFA N , SLAY J . UNSW-NB15:a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set)[C]// 2015 Military Communications and Information Systems Conference. Piscataway:IEEE Press, 2015: 1-6.
[30]	MOUSTAFA N , SLAY J . The evaluation of network anomaly detection systems:statistical analysis of the UNSW-NB15 data set and the comparison with the KDD99 data set[J]. Information Security Journal A Global Perspective, 2016,25(1-3): 1-14.
[31]	彭凌西, 谢冬青, 付颖芳 ,等. 基于危险理论的自动入侵响应系统模型[J]. 通信学报, 2012,33(1): 136-144.
	PENG L X , XIE D Q , FU Y F ,et al. Automated intrusion response system model based on danger theory[J]. Journal on Communications, 2012,33(1): 136-144.

事件描述	执行检查	事件概率	X	Y	防守期望开销
攻击者入侵，IDS报警	是	P ₁ρ₁	0	1	P ₁ρ₁c+(1-?)dP₁ρ₁
	否	P ₁(1-ρ₁)	1	0	P ₁(1-ρ)d1
攻击者入侵，IDS未报警	是	P ₂ρ₂	0	1	P ₂ρ₂c+(1-?)dP₂ρ₂
	否	P ₂(1-ρ₂)	1	0	P ₂(1-ρ)d2
攻击者未入侵，IDS报警	是	P ₃ρ₁	0	0	P ₃ρ₁c
	否	P ₃(1-ρ₁)	0	1	0
攻击者未入侵，IDS未报警	是	P ₄ρ₂	0	0	P ₄ρ₂c
	否	P ₄(1-ρ₂)	0	1	0

类别	统计数/条
正常事件	37 000
Fuzzers攻击	677
分析攻击	583
拒绝服务攻击	11 132
Exploits漏洞攻击	6 062
泛型攻击	18 871
侦察攻击	3 496
Shellcode攻击	378
蠕虫攻击	44
合计	82 332

参数描述	参数值
IDS的正确检测率P_C	51.5%
IDS的漏检率1-P_C	48.5%
IDS的误警报率P_F	30.7%
系统遭受攻击的平均概率φ	55.1%
管理员对一次事件进行响应的开销c	20
防守方未对一次攻击执行响应的损失d	50
响应攻击所减少损失的比例?	80%

方案	响应准确率	系统开销/bit
本文方案	61.2%	2 170 691
文献[3]方案	47.6%	2 402 100
文献[4]方案	55.3%	1 981 301
完全信任IDS方案	41.5%	2 031 310

基于信息论的入侵检测最佳响应方案

Optimum response scheme of intrusion detection based on information theory

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 9

参考文献 31

相关文章 15

Metrics

推荐阅读 0

[1]	陈生海, 言小琴, 黎赛, 杨亮. 混合双跳PLC-FSO通信系统的性能分析[J]. 通信学报, 2021, 42(10): 243-250.
[2]	孙伟,张鹏,何永全,邢丽超. 内网环境下基于时空事件关联的攻击检测方法[J]. 通信学报, 2020, 41(1): 33-41.
[3]	宋鹏,苏彩霞,赵太飞,陈锦妮,朱磊,张晓丹. 基于遍历微小单元法非直视非共面紫外光通信信道容量分析[J]. 通信学报, 2019, 40(5): 144-152.
[4]	姚信威,章梦娜,王超超,王万良. 基于混合储能和能量捕获的多接入信道容量建模与分析[J]. 通信学报, 2018, 39(8): 150-159.
[5]	刘新宇,翁健,张悦,冯丙文,翁嘉思. 基于APK签名信息反馈的Android恶意应用检测[J]. 通信学报, 2017, 38(5): 190-198.
[6]	张翅,曾碧卿,杨劲松,谢晓虹. OFDMA认知无线电网络中面向需求的频谱共享[J]. 通信学报, 2015, 36(8): 192-206.
[7]	彭文杰,李岳衡,薛团结,居美艳,黄平. 复合衰落信道下分布式MIMO系统中断概率及信道容量分析[J]. 通信学报, 2015, 36(2): 221-230.
[8]	黎昞1，魏帆1，白宝明1，马啸2. CPM编码调制系统的基本性能限[J]. 通信学报, 2014, 35(3): 21-192.
[9]	黎昞,魏帆,白宝明,马啸. CPM编码调制系统的基本性能限[J]. 通信学报, 2014, 35(3): 183-192.
[10]	周杰,邱琳,菊池久和. 基于电磁矢量传感器的MIMO天线阵列系统研究[J]. 通信学报, 2013, 34(5): 1-11.
[11]	周杰1,2，邱琳1，菊池久和2. 基于电磁矢量传感器的MIMO多天线阵列系统研究[J]. 通信学报, 2013, 34(5): 1-11.
[12]	罗万团,方旭明,程梦,周祥娟. 高速列车车载多天线系统传输方案及容量分析[J]. 通信学报, 2013, 34(3): 90-98.
[13]	胥小波,蒋琴琴,郑康锋,武斌,杨义先. 基于混沌粒子群的IDS告警聚类算法[J]. 通信学报, 2013, 34(3): 105-110.
[14]	周杰,陈靖峰,邱琳,菊池久和. 三维空间MIMO信道接收天线阵列互耦效应及系统容量分析[J]. 通信学报, 2012, 33(6): 1-10.
[15]	陈岳兵,冯超,张权,唐朝京. 面向入侵检测的集成人工免疫系统[J]. 通信学报, 2012, 33(2): 125-131.