Abstract
To address the large number of alerts and the high false-positive rate of traditional intrusion detection systems (IDS), a network attack detection method based on information entropy is proposed. The method computes the Shannon entropy of five alert attributes (source IP address, destination IP address, source threat level, destination threat level and datagram length), fuses these five entropies with Rényi entropy into a single value that represents the network state, and identifies anomalies by comparing this value against the normal network state. Experiments on real attacks and in synthetic attack environments show that the method achieves a hit rate above 90% while keeping the false-positive rate below 1%. Compared with an attack detection method based on the Shannon entropy of individual features, the proposed method is more sensitive to attacks: it detects DoS attacks and host intrusions most easily, then host scans and port scans, and is somewhat less sensitive to worm attacks. The comparative results show that the method raises the hit rate while also effectively lowering the false-positive rate.
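As an added illustration (not code from the paper), the following Python sketch computes the five per-attribute Shannon entropies over a window of alerts, fuses them into one scalar with Rényi entropy, and flags a window whose fused value departs from a normal baseline. The alert records, the tolerance and the exact fusion step (Rényi entropy of the normalized entropy vector) are assumptions, since the abstract does not specify them.

```python
import math
from collections import Counter

# Constructed alert records: (src_ip, dst_ip, src_threat, dst_threat, datagram_len).
# Addresses, threat levels and sizes are made-up sample data, not the paper's data.
NORMAL_WINDOW = [
    ("10.0.0.1", "10.0.1.5", 2, 3, 120), ("10.0.0.2", "10.0.1.6", 1, 2, 300),
    ("10.0.0.3", "10.0.1.7", 3, 1, 80),  ("10.0.0.4", "10.0.1.8", 2, 2, 500),
    ("10.0.0.5", "10.0.1.9", 1, 3, 1400), ("10.0.0.6", "10.0.1.5", 3, 2, 64),
]
# A flood-like window: many sources hitting one destination with identical packets.
DOS_WINDOW = [(f"10.0.0.{i}", "10.0.1.5", 3, 3, 64) for i in range(1, 7)]

def shannon_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of a sequence."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def renyi_entropy(p, alpha=2.0):
    """Rényi entropy (bits) of order alpha for a probability vector p."""
    return math.log2(sum(x ** alpha for x in p)) / (1 - alpha)

def network_state(alerts, alpha=2.0):
    """Fuse the five per-attribute Shannon entropies into one scalar.

    Assumed fusion step: normalize the entropies into a probability vector and
    take its Rényi entropy. The maximum log2(5) means all attributes are
    equally spread; a collapsed attribute (e.g. a single victim IP) pulls the
    value down.
    """
    h = [shannon_entropy(col) for col in zip(*alerts)]  # one column per attribute
    total = sum(h)
    if total == 0:  # degenerate window, e.g. one repeated alert or no alerts
        return 0.0
    return renyi_entropy([x / total for x in h], alpha)

def is_anomalous(window, baseline, tolerance=0.25):
    """Flag a window whose fused state departs from the normal-state baseline."""
    return abs(network_state(window) - baseline) > tolerance

if __name__ == "__main__":
    baseline = network_state(NORMAL_WINDOW)
    for name, window in (("normal", NORMAL_WINDOW), ("flood", DOS_WINDOW)):
        print(name, round(network_state(window), 3), is_anomalous(window, baseline))
```

The flood-like window collapses the destination-address, threat-level and size entropies, which drives the fused value from roughly 2.25 bits to 0 and trips the detector.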
Source
Journal of Xi'an Jiaotong University (《西安交通大学学报》), indexed in EI, CAS, CSCD and the Peking University Core Journals list; 2013, No. 2, pp. 14-19 and 46 (7 pages).
Funding
National Natural Science Foundation of China (60970121)
Keywords
network attack; intrusion detection system; Shannon entropy; Rényi entropy