Journal article

A Method for Intrusion Detection Systems to Detect Network Attacks Using Information Entropy (cited by: 47)

A Method to Detect Network Attacks Using Entropy in the Intrusion Detection System
Abstract: To address the large number of alert events and the high false-alarm rate of traditional intrusion detection systems, a network attack detection method based on information entropy is proposed. The method uses Rényi entropy to fuse the Shannon entropies of five alert-event attributes, namely source IP address, destination IP address, source threat degree, destination threat degree and datagram size, into a representation of the network state, and identifies network anomalies by comparing it with the normal network state. Experimental results in real-attack and synthetic-attack environments show that the method achieves a hit rate above 90% while keeping the false-alarm rate below 1%. Compared with the attack detection method based on feature Shannon entropy, it is more sensitive to attacks: DoS attacks and host intrusions are detected most easily, followed by host scans and port scans, while sensitivity to worm attacks is slightly weaker. Comparative test results show that the method lowers the false-alarm rate while raising the hit rate.

English abstract (as published): A method to detect network attacks using entropy is proposed to solve the problem that the existing intrusion detection system (IDS) typically generates large amounts of alerts with a high false-alarm rate. Rényi cross entropy is employed to fuse the Shannon entropy vector for five properties of alerts. These five properties are source IP address, destination IP address, source threat, target threat and datagram length. The fused result is used to describe the network state and is compared with the normal network state to identify anomalies. The experimental results on actual network attack data and synthetic attacks show that the proposed approach can detect network attacks with a hit rate of more than 90% while the false-alarm rate is less than 1%. Comparisons with the attack detection method based on the characteristics of Shannon entropy show that the proposed method is more sensitive to attacks, detecting most easily, in order, denial-of-service (DoS) and host intrusion attacks, then host scan and port scan attacks, while worm attacks are relatively harder to detect. The test results also show that the proposed method outperforms the compared systems, with a higher hit rate and fewer false positives.
Source: Journal of Xi'an Jiaotong University (indexed in EI, CAS, CSCD, Peking University Core), 2013, No. 2, pp. 14-19, 46 (7 pages)
Funding: National Natural Science Foundation of China, project 60970121
Keywords: network attack; intrusion detection system; Shannon entropy; Rényi entropy
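As an added illustration (not code from the paper), the detection idea in the abstract in Python: compute the Shannon entropy of the five alert attributes over a window of alerts, fuse the resulting entropy vector against the normal-state vector with a Rényi divergence, and flag the window when that distance exceeds a threshold. The attribute names, the normalisation of the entropy vectors to distributions, the order α = 2, the threshold and the sample windows are this example's own assumptions; the paper's exact Rényi cross-entropy fusion is not given on this page.

```python
import math
from collections import Counter

# The five alert attributes the paper fuses (field names are this example's own)
ATTRS = ("src_ip", "dst_ip", "src_threat", "dst_threat", "dgram_len")

def shannon_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of one attribute."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def entropy_vector(alerts):
    """Per-attribute Shannon entropies over one window of alert records."""
    return [shannon_entropy([a[k] for a in alerts]) for k in ATTRS]

def renyi_divergence(p, q, alpha=2.0, eps=1e-6):
    """Rényi divergence of order alpha (bits) between two entropy vectors.
    Assumption: both vectors are normalised to probability distributions first;
    the paper's exact Rényi cross-entropy fusion is not spelled out on this page."""
    p = [x + eps for x in p]
    q = [x + eps for x in q]
    sp, sq = sum(p), sum(q)
    total = sum((pi / sp) ** alpha * (qi / sq) ** (1 - alpha) for pi, qi in zip(p, q))
    return math.log2(total) / (alpha - 1)

def network_state_score(window, baseline_vector):
    """Fused distance of the current window's network state from the normal state."""
    return renyi_divergence(entropy_vector(window), baseline_vector)

def is_anomalous(window, baseline_vector, threshold=0.5):
    """Flag the window when its fused distance exceeds a tuned threshold (assumed value)."""
    return network_state_score(window, baseline_vector) > threshold

# Constructed sample windows (not real IDS data): a normal mix of alerts, and a
# flood in which many sources hit one target with one threat level and one size.
def normal_window(n=40):
    return [{"src_ip": f"10.0.0.{i % 8}", "dst_ip": f"10.1.0.{i % 5}",
             "src_threat": i % 3, "dst_threat": i % 4, "dgram_len": 64 + 32 * (i % 6)}
            for i in range(n)]

def dos_window(n=40):
    return [{"src_ip": f"172.16.{i // 256}.{i % 256}", "dst_ip": "10.1.0.9",
             "src_threat": 2, "dst_threat": 3, "dgram_len": 1500} for i in range(n)]

if __name__ == "__main__":
    baseline = entropy_vector(normal_window(40))
    for name, win in (("normal", normal_window(50)), ("dos", dos_window())):
        print(name, round(network_state_score(win, baseline), 3), is_anomalous(win, baseline))
```

The flood collapses the destination-IP, threat and datagram-size entropies to zero while source-IP entropy rises, so the fused distance jumps well above the baseline's near-zero self-distance.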