网络入侵检测系统中的漂移检测

doi:10.11959/j.issn.1000-0801.2015058

摘要/Abstract

摘要：

目前基于机器学习的入侵检测系统大都建立在入侵数据始终保持统计平稳的假设之上，无法应对攻击者有意改变数据特性或新型攻击方式的出现，而导致的检测率下降的状况。对于上述问题，即攻击漂移，提出了加权Rényi距离的检测方法。在KDD Cup99数据集上的实验证明，Rényi距离可以有效地增强检测效果；在检测到漂移后，通过重新训练模型可以使得对攻击的识别率显著提高。

关键词: 入侵检测, 攻击流量, 攻击漂移, 加权Rényi距离

Abstract:

The recent intrusion detection systems based on machine learning generally assume that the intrusion traffic always satisfies stationary of statistics.However,this assumption is not always held when adversaries arbitrarily alter the distribution of traffic data,or develop new attack techniques,which may reduce the detection rate.To overcome this adversarial drift,a novel drift detection approach based on weighted Rényi distance was suggested.The experiment on KDD Cup99 shows that the weighted Rényi distance is able to perfectly detect the adversarial drift,and improve the intrusion detection rate by retraining the model.

Key words: intrusion detection, attack traffic, adversarial drift, weighted Rényi distance

钱亚冠,关晓惠. 网络入侵检测系统中的漂移检测[J]. 电信科学, 2015, 31(3): 67-73.

Yaguan Qian,Xiaohui Guan. Adversarial Drift Detection in Intrusion Detection System[J]. Telecommunications Science, 2015, 31(3): 67-73.

图/表 12

表1

表2

表3

表4

图1

图2

图3

图4

图5

图6

图7

图8

参考文献 20

1	陆悠，李伟，罗军舟等. 一种基于选择性协同学习的网络用户异常行为检测方法. 计算机学报， 2014,37（1）:28～40 Lu Y , Li W , Luo J Z , et al. A network user's abnormal behavior detection approach based on selective collaborative learning. Chinese Journal of Computers, 2014,37（1）:28～40
2	张晓惠，林柏钢 . 基于特征选择和多分类支持向量机的异常检测. 通信学报， 2009,30（10A）:68～73 Zhang X H , Lin B G . Anomaly detection based on feature selection and multi-class support vector machines. Journal on Communications, 2009,30（10A）:68～73
3	李洋，方滨兴，郭莉等. 基于主动学习和 TCM-KNN 方法的有指导入侵检测技术. 计算机学报， 2007,30（8）:1464～1473 Li Y , Fang B X , Guo L et al. Supervised intrusion detection based on active learning and TCM-KNN algorithm. Chinese Journal of Computers, 2007,30（8）:1464～1473
4	Li Y , Li W , Wu G . An intrusion detection approach using SVM and multiple kernel method. International Journal of Advancements in Computing Technology, 2012,4（1）:463～469
5	Biggio B , Corona I , Nelson B et al. Security Evaluation of Support Vector Machines in Adversarial Environments. Berlin:Springer International Publishing, 2014
6	Damopoulos D , Menesidou S A , Kambourakis G et al. Evaluation of anomaly-based IDS for mobile devices using machine learning classifiers. Security and Communication Networks, 2012,5（1）:3～14
7	Laskov P , Lippmann R . Machine learning in adversarial environments. Machine Learning, 2010,81（2）:115～119
8	Singh A , Walenstein A , Lakhotia A . Tracking concept drift in malware families. Proceedings of the 5th ACM Workshop on Security and Artificial Intelligence, Raleigh,USA, 2012:81～92
9	Kantchelian A , Afroz S , Huang L et al. Approaches to adversarial drift.Proceedings of the 2013 ACM Workshop on Artificial Intelligence and Security. 2013:99～110
10	Barreno M , Nelson B , Joseph A D , et al. The security of machine learning. Machine Learning, 2010,81（2）:121～148
11	Newsome J , Karp B , Song D . Paragraph:Thwarting Signature Learning by Training Maliciously. Berlin:Springer Berlin Heidelberg, 2006
12	Tsymbal A . The problem of concept drift:definitions and related work. Computer Science Department, Trinity College Dublin, 2004
13	Widmer G , Kubat M . Learning in the presence of concept drift and hidden contexts. Machine Learning, 1996,23（1）:69～101
14	Zliobaite I . Learning Under Concept Drift:an Overview. Technical Report,Vilnius University, 2009
15	Kelly M G , Hand D J , Adams N M . The impact of changing populations on classifier performance. Proceedings of the Fifth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, San Diego, 1999:367～371
16	Van Erven T , Harremo?s P . Rényi divergence and majorization.Proceedings of 2010 IEEE International Symposium on Information Theory（ISIT）. Austin,Texas,USA, 2010:1335～1339
17	Yu S , Zhou W , Doss R . Information theory based detection against network behavior mimicking DDoS attacks. Communications Letters, 2008,12（4）:318～321
18	Jaynes E T . Information theory and statistical mechanics. Physical Review, 1957,106（4）
19	Shannon C E . A mathematical theory of communication. The Bell System Technical Journal, 1948（27）:379～423,623～656
20	Hettich S , Bay S D . KDD cup 1999. , 2007

DoS	数据集D1（flow数）	数据集D2（flow数）
apache2	/	794
Back	2 203	1 098
Land	21	9
Mailbomb	/	5 000
Neptune	107 201	58 001
Pod	264	87
Processtable	/	759
Smurf	280 790	164 091
Teardrop	979	12
Udpstorm	/	2

U2R	数据集D1（flow数）	数据集D2（flow数）
Buffer_overflow	30	22
Httptunnel	/	158
Loadmodule	9	2
Perl	3	2
Ps	/	16
Rootkit	10	13
Sqlattack	/	2
Xterm	/	13

Probe	数据集D1（flow数）	数据集D2（flow数）
Ipsweep	1 247	306
Mscan	/	1 053
Nmap	231	84
Portsweep	1 040	354
Saint	/	736
Satan	1 589	1 633

R2L	数据集D1（flow数）	数据集D2（flow数）
ftp_write	8	3
Guess_passwd	53	4 367
Imap	12	1

[1]	章坚武,黄佳森,周迪. 基于模糊理论与关联规则的入侵检测模型[J]. 电信科学, 2019, 35(5): 59-69.
[2]	沈士根,冯晟,周海平,黄龙军,胡珂立,曹奇英. 基于云计算和动态贝叶斯博弈的WSN恶意程序传播优化抑制方法[J]. 电信科学, 2018, 34(9): 78-86.
[3]	张春琴,谢立春. 云环境中改进FCM和规则参数优化的网络入侵检测方法[J]. 电信科学, 2018, 34(1): 72-79.
[4]	陆婷婷,韩旭. 面向MANET报文丢弃攻击的模糊入侵检测系统[J]. 电信科学, 2016, 32(10): 124-129.
[5]	邱菡,兰巨龙,欧阳峰,张传浩,王艳红. 面向融合网络的广电双向接入网入侵检测系统[J]. 电信科学, 2015, 31(6): 32-38.
[6]	关晓惠,钱亚冠. 一种基于不均衡数据的网络入侵流量分类方法[J]. 电信科学, 2015, 31(6): 79-85.
[7]	钱亚冠,关晓惠. 网络入侵检测系统中的漂移检测[J]. 电信科学, 2015, 31(3): 2015058-.
[8]	徐东亮,张宏莉,张磊,姚崇崇. 模式匹配在网络安全中的研究[J]. 电信科学, 2015, 31(3): 2015068-.
[9]	徐东亮,张宏莉,张磊,姚崇崇. 模式匹配在网络安全中的研究[J]. 电信科学, 2015, 31(3): 115-123.
[10]	王相林,朱　晨,孙冬梅,李明月,沈清姿. IPv6网络协议中邻居发现安全问题的研究[J]. 电信科学, 2013, 29(7): 43-48.
[11]	王相林,朱晨,孙冬梅,李明月,沈清姿. IPv6网络协议中分段机制安全问题的研究[J]. 电信科学, 2013, 29(10): 108-113.