摘要
为了全面检测黑客入侵和有效提高检测精度,提出了一种深度防卫的自适应入侵检测系统模型.该模型按照黑客入侵对系统影响的一般顺序,使用不同方法对网络行为、用户行为和系统行为3个层次涉及到的网络数据包、键盘输入、命令序列、审计日志、文件系统和系统调用进行异常检测,并利用信息融合技术来融合不同检测器的检测结果,从而得到合理的入侵判定.在此基础上,提出了系统安全风险评估方法,并由此制定了一种简单、高效的自适应入侵检测策略.初步实验结果表明,所提的深度防卫自适应入侵检测模型能够全面、有效地检测系统的异常行为,可以自适应地动态调整系统安全与系统性能之间的平衡,具有检测精度高、系统资源消耗小的优点.
Aiming at detecting intrusions across-the-board and at improving detection accuracy, a novel model of defense-in-depth adaptive intrusion detection system (IDS) was presented. In this model, the behaviors in a computer system are monitored according to the general order of the impact of the attacks and divided into three layers including network behaviors, user behaviors and system behaviors. Various methods are then applied to process the data streams from network packages, keystrokes, audit trails, command sequences, file system and system calls obtained in the three layers for intrusion detection. The monitoring decision on intrusion is made by combining the six individual inferences based on information fusion technique. Based on the risk assessment method proposed in this paper, an efficient adaptive policy is drawn as well for IDS to reduce the expense of system resources. The model is tested and the results show that the model presented is effective to detect intrusions and to balance the system security and performance adaptively and dynamically. The model is promising as well in terms of detection accuracy, system resource requirement and implementation in practice.
出处
《西安交通大学学报》
EI
CAS
CSCD
北大核心
2005年第4期339-342,346,共5页
Journal of Xi'an Jiaotong University
基金
国家杰出青年科学基金资助项目(6970025)
国家自然科学基金资助项目(60243001)
国家高技术研究发展计划资助项目(2001AA140213
2003AA142060).
关键词
入侵检测
深度防卫
网络安全
信息融合
Adaptive control systems
Data flow analysis
Risk assessment
Sensor data fusion
Signal detection
