Research on Association Rule Mining Algorithms and Their Application in Network Intrusion Detection
The Algorithm Research of Association Rules Mining and Its Application in Network Intrusion Detection
【Author】 商志会 (Shang Zhihui);
【Supervisor】 陶树平 (Tao Shuping);
【Author information】 Tongji University, Computer Application Technology, 2006, Master's thesis
【Abstract (Chinese, translated)】 With the widespread use of networks and other information technologies, the security of network systems has become critically important. Intrusion detection systems are a key technology and an important means of protecting network systems, but current intrusion detection is not only powerless against new attacks or intrusions whose signatures are unknown, but also fails to meet the accuracy and real-time requirements of practical applications. Association rule mining is an important topic in data mining research; it can discover normal and abnormal behaviour patterns in massive data, and applying it to intrusion detection not only detects known intrusions effectively but also has the ability to detect unknown attack patterns. Therefore, research into efficient association rule mining algorithms is of great significance for improving the accuracy and timeliness of intrusion detection. This thesis systematically and thoroughly studies and analyses association rule mining technology and its application in intrusion detection. The main contents are as follows: On the basis of analysing the Apriori algorithm and its improved variants, and targeting their shortcomings, an improved Apriori algorithm with adaptive step-length jumping (XARM) is proposed. The algorithm introduces the concepts of an adaptive step length, join-based support counting and dynamic pruning, which greatly reduces the number of database scans, solves the problem of running time growing sharply as the length of frequent itemsets increases, and improves the algorithm's efficiency. Simulation results show that XARM has a clear advantage over Apriori and can be widely applied to association rule mining in large-scale databases. Through a study of the key ideas and performance of the FUP algorithm for incremental updating of association rules, an improved FUP algorithm, SFUP, is proposed. The algorithm makes full use of the support counts of candidate frequent itemsets in the previous mining results and can effectively reduce repeated scans of the database; the two algorithms are compared experimentally, and the results show clearly that SFUP is significantly more efficient than FUP. Addressing the problem that the normal and abnormal patterns built by current intrusion detection methods are not accurate or complete enough, which easily leads to false alarms or missed alarms, this thesis applies the improved association rule mining algorithm XARM and the incremental association rule updating algorithm SFUP to network intrusion detection and proposes a new intrusion detection method. The method builds normal behaviour models for the system and its users, as well as intrusion behaviour models, by mining frequent itemsets from training audit data; it then obtains real-time network behaviour patterns by incrementally mining real-time network data, and detects intrusions by matching these patterns against the pattern library. Experimental results show that the method has high detection accuracy and timeliness.
【Abstract】 With the development of networks and other information technology, security has become the most critical problem for network systems, and Intrusion Detection Systems (IDS) have become a key technology for protecting them. Current IDS neither detect new or unknown attacks, nor do their accuracy and response time meet the requirements of practical application. Association rule mining is a fundamental and important problem in data mining that can characterize both normal and abnormal behaviour, so applying frequent patterns to IDS can detect both known and unknown intrusions. The research of efficient association rule mining algorithms is therefore of considerable value for improving the accuracy and efficiency of IDS. This thesis studies and analyses the association rule mining technique and its application in IDS systematically and in depth. The main contents are as follows: A fast algorithm, XARM, is developed for mining association rules in large databases. Based on the traditional Apriori algorithm and other optimized algorithms, the concepts of a self-adapted step and a scanning tree are introduced, and a dynamic pruning method and support counting based on the join step are adopted to improve Apriori. Theoretical analysis and experimental results indicate that this algorithm is more efficient in application than Apriori, and its effectiveness is also demonstrated. An improved incremental updating algorithm, SFUP, is developed based on a study of the principle and efficiency of the FUP algorithm. The algorithm makes full use of the old mining results and greatly reduces the number of database scans, so mining efficiency increases. Experiments show that SFUP is better than FUP in many respects. Because the user behaviour features extracted by current IDS cannot reflect real circumstances, their normal and abnormal models are not accurate.
The thesis presents an intrusion detection method based on the fast mining algorithm XARM and the incremental updating algorithm SFUP. First, the method constructs user normal and abnormal models by mining training data sets. It then obtains a real-time behaviour model by incrementally updating on live network data, and completes intrusion detection by matching against the model database. The method can distinguish normal from abnormal behaviour rapidly and updates and improves the IDS models in a timely way, so the accuracy and reliability of the IDS are enhanced greatly. Experimental results show that the method is efficient and accurate.
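The pipeline the abstract describes (mine frequent itemsets from training audit data to build a normal-behaviour model, update that model incrementally as new audit data arrives, then match records against the pattern library) can be illustrated with the classic algorithms the thesis builds on. The code below is an added example, not code from the thesis: it implements plain level-wise Apriori and a simplified FUP-style incremental update (old frequent itemsets are re-counted only over the increment; the old database is rescanned only for itemsets that first became frequent in the increment), not the thesis's XARM or SFUP. The connection records, attribute names such as `proto`, `service`, `flag` and `dst_bytes`, the support threshold and the `matches_model` rule are all constructed for the example.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample audit data (hypothetical values): each transaction is the
# set of attribute=value items extracted from one connection record.
TRAINING = [
    {"proto=tcp", "service=http", "flag=SF", "dst_bytes=high"},
    {"proto=tcp", "service=http", "flag=SF", "dst_bytes=high"},
    {"proto=tcp", "service=http", "flag=SF", "dst_bytes=low"},
    {"proto=udp", "service=dns", "flag=SF", "dst_bytes=low"},
    {"proto=tcp", "service=smtp", "flag=SF", "dst_bytes=low"},
]
# Constructed increment of newly audited (normal) traffic.
NEW_RECORDS = [
    {"proto=tcp", "service=ssh", "flag=SF", "dst_bytes=low"},
    {"proto=tcp", "service=ssh", "flag=SF", "dst_bytes=low"},
]
MIN_SUPPORT = 0.4  # assumed relative support threshold


def support_counts(transactions, candidates):
    """One scan of `transactions`, counting how many contain each candidate."""
    counts = defaultdict(int)
    for t in transactions:
        for c in candidates:
            if c <= t:
                counts[c] += 1
    return counts


def apriori(transactions, min_support):
    """Plain level-wise Apriori. Returns {frozenset(items): support_count} for
    every frequent itemset; each level costs one full scan of the database."""
    min_count = min_support * len(transactions)
    items = {frozenset([i]) for t in transactions for i in t}
    level = {c: s for c, s in support_counts(transactions, items).items() if s >= min_count}
    frequent = dict(level)
    k = 1
    while level:
        # Join step: merge two frequent k-itemsets into a (k+1)-candidate, then
        # prune any candidate that has a non-frequent k-subset (Apriori property).
        candidates = set()
        for a, b in combinations(list(level), 2):
            u = a | b
            if len(u) == k + 1 and all(frozenset(s) in level for s in combinations(u, k)):
                candidates.add(u)
        level = {c: s for c, s in support_counts(transactions, candidates).items() if s >= min_count}
        frequent.update(level)
        k += 1
    return frequent


def fup_update(old_db, old_frequent, new_db, min_support):
    """Simplified FUP-style incremental update (an assumption of this example,
    not the thesis's SFUP). Reuses the stored support counts of the old result:
    old winners are re-counted over the increment only, and the old database is
    rescanned only for itemsets that are frequent in the increment but were not
    frequent before (an itemset frequent overall must be frequent in at least
    one of the two parts, so no other candidate can have become frequent)."""
    min_count = min_support * (len(old_db) + len(new_db))
    inc_counts = support_counts(new_db, list(old_frequent))
    updated = {}
    for c, old_count in old_frequent.items():
        total = old_count + inc_counts[c]
        if total >= min_count:
            updated[c] = total
    inc_frequent = apriori(new_db, min_support)
    newcomers = [c for c in inc_frequent if c not in old_frequent]
    old_counts = support_counts(old_db, newcomers)  # the only scan of old_db
    for c in newcomers:
        total = old_counts[c] + inc_frequent[c]
        if total >= min_count:
            updated[c] = total
    return updated


def matches_model(record, frequent, min_len=2):
    """Constructed matching rule: a record is consistent with the normal model if
    it contains at least one learned frequent pattern of min_len or more items;
    a record matching no pattern is reported for analyst review."""
    return any(len(p) >= min_len and p <= record for p in frequent)


if __name__ == "__main__":
    model = apriori(TRAINING, MIN_SUPPORT)
    print(len(model), "frequent itemsets in the normal model")
    model = fup_update(TRAINING, model, NEW_RECORDS, MIN_SUPPORT)
    print(len(model), "frequent itemsets after the incremental update")
    for rec in ({"proto=tcp", "service=http", "flag=SF", "dst_bytes=low"},
                {"proto=icmp", "service=ecr_i", "flag=SH", "dst_bytes=none"}):
        print(sorted(rec), "->", "normal" if matches_model(rec, model) else "no matching pattern")
```

The incremental step is where the scan savings come from: on the constructed data the old model is refreshed with a single pass over the two new records, and the old five records are touched again only for the itemsets containing `service=ssh`, which the increment made frequent but the full database does not. A real deployment would also mine a separate intrusion-pattern library from labelled attack data, as the abstract describes; this example shows the normal-model side only.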
【Key words】 intrusion detection; data mining; association rules; incremental updating;
- 【Online publication submitter】 Tongji University 【Online publication year/issue】 2006, issue 08
- 【CLC number】 TP393.08
- 【Cited by】 17
- 【Downloads】 460