Research on Multi-Packet Analysis Methods for Intrusion Detection Systems
The Research on Analytic Procedure of Multiple Data Packet for Intrusion Detection System
【Author】 郭如冰 (Guo Rubing);
【Author information】 Hunan University, Computer Application Technology, 2006, Master's thesis
【Abstract (Chinese, translated)】 With the rapid development of the Internet, the applications built on it have multiplied: e-commerce, e-government, online trading systems, online education and so on. At the same time, hacker intrusions have become increasingly rampant and the importance of network security has become ever more apparent; people have found that building a security system from the defensive perspective alone is not enough. Intrusion detection is a new generation of dynamic security protection technology that follows traditional measures such as firewalls and data encryption. It can identify and respond to malicious behaviour on computers and network resources; it not only detects intrusions from outside but also monitors unauthorized activity by internal users, overcoming the firewall's inability to detect intrusions in real time or to discover attacks from inside the network. Network-based intrusion detection systems, being independent of the host operating system and offering real-time detection and response, have received growing attention in intrusion detection research. However, the object of analysis in a traditional network-based IDS is usually a single network packet, so a traditional NIDS can only classify isolated network events. Addressing this limitation of NIDS, this thesis proposes a new network-oriented two-layer multi-packet analysis intrusion detection algorithm model. The model is built on the CIDF architecture of traditional intrusion detection. In this model, the event analyzer processes the current event in two layers: first, it uses the agglomerative algorithm from hierarchical clustering to correlate and classify the current event together with historical events, finding the historical events closely related to the current one; then, it applies a feed-forward neural network to perform regression analysis on this set of correlated events containing the current event, finally determining whether the current event is one branch of a coordinated intrusion. To test this algorithm model, the thesis designs simulation experiments. In the experiments we first test the clustering ability of the agglomerative algorithm on network data streams; then we test the two-layer algorithm as a whole using a test data set. The tests show that the agglomerative algorithm correctly correlates and clusters network data streams, and a simulation of an FTP user-password brute-force attack shows that the model can detect distributed FTP intrusion behaviour. Its ability to detect other distributed intrusions still requires further testing.
【Abstract】 With the rapid development of the Internet, people demand ever more extensive applications of it, such as electronic commerce, electronic government affairs, online trading platforms, online education and so on. However, the number of intrusion incidents is accelerating, and this has made the importance of network security apparent. People have found that designing a security system from the angle of defence alone is not enough. As the new dynamic security measure following the firewall and data encipherment, an intrusion detection system can identify illegal acts in the network and respond to them. Not only can the IDS detect intrusion incidents from the external network, it can also detect incidents from the internal network, and the problem that a firewall cannot detect intrusions in real time or detect attacks from the internal network is overcome by the IDS. A network-based intrusion detection system is usually independent of the host operating system, and detection and response on that system happen in real time, so research on NIDS has received more and more regard in intrusion detection research. However, the single network data packet is ordinarily the only object of analysis in a traditional network intrusion detection system, so a traditional NIDS can usually only classify isolated network incidents. Aimed at this problem, a new network intrusion detection model is proposed in this paper. It is based on the Common Intrusion Detection Framework (CIDF), the traditional intrusion detection architecture. In our model the Analysis-Box is separated into two layers. On the first layer, the clustering algorithm is used to analyse network data packets, which include the current packet and historical packets; some historical incidents related to the current incident are found during this analysis. On the second layer, the feed-forward neural network is used as a form of regression analysis: it analyses the historical incidents found in the first layer together with the current incident to obtain a final detection result. To test this model, simulation experiments were designed. First we tested the clustering ability of the clustering algorithm on network data packets. Then we used some real-life data to test the whole ability of the model. The experiments indicated that the clustering algorithm can classify network data packets correctly and that the whole model can correctly identify a password-exhaustion attack on an FTP server. But experiments on other distributed intrusion incidents are still needed.
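The first layer described above, as an added example that is not the thesis's own code: single-linkage agglomerative clustering groups a current FTP login event with the historical events closest to it, and a per-cluster check then flags failures against one target account arriving from several source addresses. The event distance metric, the cluster threshold and the final rule (which stands in for the thesis's feed-forward network) are all assumptions, and the events are constructed sample data.

```python
from itertools import combinations

# Constructed sample events: (id, time_s, src_ip, dst_ip, user, result).
# Events 0-3 and 6 are a distributed password-guessing burst; 4 and 5 are unrelated.
EVENTS = [
    (0, 100.0, "10.0.0.5",  "192.168.1.10", "admin", "fail"),
    (1, 101.5, "10.0.0.6",  "192.168.1.10", "admin", "fail"),
    (2, 103.0, "10.0.0.7",  "192.168.1.10", "admin", "fail"),
    (3, 104.2, "10.0.0.8",  "192.168.1.10", "admin", "fail"),
    (4, 150.0, "10.0.0.9",  "192.168.1.20", "alice", "ok"),
    (5, 400.0, "10.0.0.5",  "192.168.1.30", "bob",   "ok"),
    (6, 105.1, "10.0.0.10", "192.168.1.10", "admin", "fail"),  # the current event
]

def distance(a, b):
    """Assumed dissimilarity between two events (not the thesis's metric)."""
    d = min(abs(a[1] - b[1]) / 60.0, 1.0)   # time gap, saturating at one minute
    d += 0.0 if a[3] == b[3] else 1.0       # different target host
    d += 0.0 if a[4] == b[4] else 0.5       # different username
    d += 0.0 if a[5] == b[5] else 0.5       # different outcome
    return d

def agglomerate(events, threshold):
    """Single-linkage agglomerative clustering: repeatedly merge the two
    closest clusters until the nearest pair is farther apart than threshold."""
    clusters = [[e] for e in events]
    while len(clusters) > 1:
        best = None
        for i, j in combinations(range(len(clusters)), 2):
            d = min(distance(x, y) for x in clusters[i] for y in clusters[j])
            if best is None or d < best[0]:
                best = (d, i, j)
        if best[0] > threshold:
            break
        _, i, j = best
        clusters[i].extend(clusters.pop(j))   # i < j, so index i stays valid
    return clusters

def related_events(events, current, threshold=0.5):
    """Layer one: the cluster of historical events that contains the current event."""
    return next(c for c in agglomerate(events, threshold) if current in c)

def distributed_bruteforce(cluster, min_sources=3):
    """Assumed stand-in for layer two: failures against a single target/user
    from at least min_sources distinct source addresses."""
    fails = [e for e in cluster if e[5] == "fail"]
    sources = {e[2] for e in fails}
    targets = {(e[3], e[4]) for e in fails}
    return len(sources) >= min_sources and len(targets) == 1
```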
- 【Online publication contributor】 Hunan University 【Online publication issue】 2007, No. 02
- 【Classification code】 TP393.08
- 【Times cited】 2
- 【Downloads】 133