CN102082700B - Detection method of network intrusion - Google Patents

Info

Publication number: CN102082700B
Authority: CN (China)
Prior art keywords: pattern, detection method, vector, antibody, detection
Application number: CN 200910199626
Other languages: Chinese (zh)
Other versions: CN102082700A
Inventors: 赵孟德, 孙强
Current assignee: Shanghai Dianji University
Original assignee: Shanghai Dianji University
Priority date: 2009-11-27
Filing date: 2009-11-27
Publication of CN102082700A: 2011-06-01
Grant and publication of CN102082700B: 2013-10-30
Legal status: Expired - Fee Related (patent right terminated for non-payment of the annual fee on 2016-11-27; status as listed by Google Patents, not a legal conclusion)

Abstract

The invention provides a method for detecting network intrusions, comprising the following steps: building a system model that contains phenotype patterns and genotype patterns; mapping the phenotype patterns in the model to genotype patterns; providing the intrusion-detecting patterns and the patterns to be detected, and expressing them as vectors; and designing the detection algorithm on the basis of the vector structure so expressed. The method has the advantage that binary bits are converted into corresponding fuzzy sets, which greatly shortens the antibody length, and that clonal selection is combined with negative selection, so that the time and space overhead of subjecting antibodies to negative selection is reduced and the efficiency of intrusion detection is improved.

Description

A method for detecting network intrusions
[Technical field]
The present invention relates to the field of computer technology, and in particular to a method for detecting network intrusions.
[Background art]
Many network intrusion detection systems have been developed, but most of them adopt knowledge-based engineering (KBE) methods. Commonly used detection techniques include:
(1) Expert systems: a series of detection rules is used to analyze the characteristic behaviour of an intrusion. A rule is a piece of knowledge; different systems have different rule settings, and rules are generally not portable between systems. Building an expert system depends on the completeness of its knowledge base, and the completeness of the knowledge base in turn depends on the completeness and timeliness of the audit records. Extracting and expressing intrusion features is the key to an intrusion-detection expert system. In the implementation, the knowledge about an intrusion is converted into if-then structures (compound structures are also possible): the condition part is the intrusion feature and the then part is the system's countermeasure. The effectiveness of using an expert system to defend against intrusions with known features depends entirely on the completeness of the expert system's knowledge base.
(2) Model-based intrusion detection: an intruder often follows a certain sequence of actions when attacking a system, such as the sequence of actions used to guess passwords. Such a sequence forms a model with particular behavioural features, and from the attack intent that the model represents a malicious attack attempt can be detected in real time. Model-based intrusion detection need only monitor a few main audit events; once these events occur, detailed auditing begins, which reduces the load of processing audit events. Another feature of this method is that it can detect coordinated attacks and multi-stage attacks.
(3) Simple pattern matching: pattern-matching intrusion detection encodes known intrusion features into patterns that are consistent with the audit records. When a new audit event is produced, the method searches for a known intrusion pattern that matches it.
(4) Soft computing methods: these include neural networks, genetic algorithms and fuzzy techniques.
The shortcoming of the prior-art methods above is that, in general, the flexibility and accuracy of the system are insufficient, novel attacks cannot be identified effectively, and the adaptive ability is lacking.
[Summary of the invention]
The technical problem to be solved by the invention is to provide a method for detecting network intrusions that reduces the overhead of intrusion detection and improves the efficiency of the intrusion detection system.
To solve this problem, the invention provides a method for detecting network intrusions comprising the steps of: building a system model that contains phenotype patterns and genotype patterns; mapping the phenotype patterns in the model to genotype patterns; providing the intrusion-detecting patterns and the patterns to be detected, expressing them as vectors, and designing the detection algorithm on the basis of the expressed vector structure, so as to detect network intrusions.
As an optional solution, the genotype patterns of the system are multi-order patterns, and the multi-order pattern is of fourth order.
As an optional solution, the numeric attributes in the genotype patterns are discretized into interval values, so that patterns can be compared conveniently.
As an optional solution, the vector is an eight-dimensional vector divided into eight parts: service type, source address, source port, destination address, duration, bytes sent by the source, bytes sent by the destination, and state.
The advantage of the invention is that converting binary bits into corresponding fuzzy sets greatly shortens the antibody length, and that combining clonal selection with negative selection reduces the time and space overhead of subjecting antibodies to negative selection and improves the efficiency of intrusion detection.
[Description of the drawings]
Figure 1 is a schematic diagram describing the conceptual hierarchy of the intrusion detection model of the invention, which is based on immune principles;
Figure 2 is a schematic diagram of the binary representation model of an antibody of the invention.
[Embodiment]
An embodiment of the method for detecting network intrusions provided by the invention is described in detail below with reference to the drawings.
The method of this embodiment comprises the steps of: step S10, building a system model that contains phenotype patterns and genotype patterns; step S11, mapping the phenotype patterns in the model to genotype patterns; step S12, providing the intrusion-detecting patterns and the patterns to be detected, expressing them as vectors, and designing the detection algorithm on the basis of the expressed vector structure, so as to detect network intrusions.
Step S10: build a system model that contains phenotype patterns and genotype patterns.
The application of artificial-immunity principles here is a functional simulation, not an implementation of every component. In an organism, an antibody recognizes an antigenic substance through the "binding" by valence bonds between the receptors on the antibody surface and the epitopes of a specific antigen; detection in a security system refers to the matching between a detecting pattern and a pattern to be detected. Building on our existing intrusion detection system model, we introduce the concept of artificial immunity and construct a more accurate and reasonable model. The model takes both accuracy and efficiency into account; its conceptual hierarchy is described in Figure 1.
Clonal selection and negative selection are two important processes in the generation and evolution of antibodies, and two fairly mature theories of modern immunology. Clonal selection theory holds that the immune system already contains cell clones capable of recognizing the various antigens; each clone carries receptors on its surface for different specific antigens, and an antigen selects and binds the receptor that fits it, which stimulates the proliferation and differentiation of that clone, producing an immune response and generating a diverse range of antibodies. The theory explains the mechanism by which antibodies form and the reasons for antigen recognition, immunological memory and so on; antibodies are produced and evolve in the direction of approaching the existing antigens. Using this principle, the intrusion-behaviour rule set used in intrusion detection can be reduced, so that detectors are not constructed blindly. Negative selection theory holds that the body first produces a large number of random antibodies; those that would attack "self" antigens are eliminated (otherwise autoimmune disease results), and the remaining antibodies can detect all foreign antigens. Our system uses the two processes in stages: abnormal patterns are mined from the retained data and supplemented from experience; these patterns serve as parent antigens and, after encoding, are mutated and bred with genetic operators to generate a large candidate antibody library; the fitness of every individual is measured by computing its similarity to the existing antigens (every newly generated individual is assumed to be derived from an existing abnormal pattern rather than being a pattern that cannot occur, which helps to ensure detection efficiency and save storage); negative selection is then applied to delete the self patterns from the library. Finally, a more complete non-self pattern base is generated.
The invention uses data mining to mine usage patterns from the training data and builds a "self pattern set" and a "non-self pattern set". These patterns are descriptions over 8 attributes, namely service type (service), source address (src_host), source port (src_port), destination address (dst_host), duration (dur), bytes sent by the source (src_bytes), bytes sent by the destination (dst_bytes) and state (flag).
For convenience of description and understanding, some definitions related to frequent sequential patterns are given below.
Definition 1 (first-order pattern, first-order chromosome): a frequent pattern containing one itemset.
The items (attributes) in the pattern come from a single network connection, for example (service=http, flag=S0) or (service=icmp_echo, flag=SF, src_host=host2, dst_host=host1). We stipulate that the attributes in a first-order pattern are ordered by importance: service, flag, src_host, src_port, dst_host, dur, src_bytes, dst_bytes, in decreasing order of importance for characterizing a connection.
Definition 2 (complete first-order pattern): a pattern in which every attribute value is described, i.e. one that contains the complete itemset.
An incomplete pattern can be turned into a complete one by filling the missing attribute values with zero.
Definition 3 (multi-order pattern, multi-order chromosome): a frequent sequential pattern containing several itemsets.
The itemsets in the pattern come from several connections and describe a frequent sequence of operations, for example (service=http, flag=S0) → (service=http, flag=S0) → (service=http, flag=S0).
Definition 4 (gene): each attribute in a pattern.
Definition 5 (gene strand): the values of each attribute in the system are organized into a linked list that records the value status of that attribute; a list entry is written Glist(number, attribute value).
That is, the system has 8 gene strands, one for each attribute, holding all values of that attribute. The 8 strands form a gene pool; as new attribute values appear while the system runs, the gene pool must be updated.
This embodiment adopts fourth-order multi-order patterns. Experiments show that the significant multi-order patterns are mainly of third order, with some second- and fourth-order patterns. First-order frequent patterns are ignored because they have no statistical significance. During encoding, patterns above fourth order are truncated to fourth order: any pattern X1 → X2 → X3 → X4 → X5 … is converted to X1 → X2 → X3 → X4. Experiments show that this truncation does not affect the detection results of the system.
Step S11: map the phenotype patterns in the model to genotype patterns.
The key of this step is encoding. The patterns used in the system have a "phenotype" and a "genotype". The former is the readable rule obtained directly from the connection records; the latter is the internal representation used during antibody evolution, negative selection and clonal selection. Because the computation must apply structural rearrangement, selection and quantitative calculation to the individuals in the population, which have a particular form, a direct digitized representation is needed. The process of mapping a phenotype to a genotype is called encoding.
To make comparison between patterns convenient, we discretize the numeric attributes into interval values. The attribute dur (duration) is discretized by its length into short, normal, long and very long; similarly, the bytes sent by the source and destination ends are divided into few, normal, many and very many. In this way the three attributes of a network intrusion record that occupy the most bytes, dur and the bytes sent by the source and destination ends, are converted into fuzzy-set form and each can be represented by only two binary bits, which greatly shortens the binary representation of our antibodies. The binary gene bits are converted into the corresponding fuzzy sets as shown in the following table:

Gene bits | Fuzzy set
00 | LOW
01 | NORMAL
10 | HIGH
11 | HIGHER

Using the table above, an antibody can be converted into the new binary representation; the antibody representation model after conversion is shown in Figure 2.
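The encoding of Step S11 and the definitions above (attribute ordering, zero-completion of missing attributes, gene strands, fourth-order truncation) can be exercised on a constructed connection record. The block below is an added example written for this page, not code from the patent: the four fuzzy levels and the two-bit codes are the patent's, but the interval cut points (DUR_BOUNDS, BYTES_BOUNDS), the bit widths of the categorical attributes, the class and function names and the sample connections are all assumptions made here.

```python
# Added example (not the patent's code): phenotype -> genotype encoding for
# Step S11, with the two-bit fuzzy sets and fourth-order truncation.

# Two-bit fuzzy codes, taken from the patent's table.
FUZZY = {"LOW": "00", "NORMAL": "01", "HIGH": "10", "HIGHER": "11"}

# Interval boundaries are assumptions: the patent names the four levels
# (short/normal/long/very long, few/normal/many/very many) but not the cut points.
DUR_BOUNDS = (1.0, 10.0, 60.0)       # seconds
BYTES_BOUNDS = (100, 1_000, 10_000)  # bytes

# Attribute order from Definition 1 (decreasing importance); bit widths are assumptions.
CATEGORICAL = (("service", 4), ("flag", 3), ("src_host", 4), ("src_port", 4), ("dst_host", 4))
GENOTYPE_BITS = sum(width for _, width in CATEGORICAL) + 3 * 2  # 25 bits per connection


def fuzzify(x, bounds):
    """Discretize a numeric attribute into one of the four fuzzy levels."""
    for level, bound in zip(("LOW", "NORMAL", "HIGH"), bounds):
        if x < bound:
            return FUZZY[level]
    return FUZZY["HIGHER"]


class GenePool:
    """One gene strand per categorical attribute: the list of values seen so far.
    The index of a value is its code; new values extend the strand (Definition 5)."""

    def __init__(self):
        self.strands = {name: [] for name, _ in CATEGORICAL}

    def code(self, name, value, width):
        strand = self.strands[name]
        if value not in strand:
            strand.append(value)
        idx = strand.index(value)
        if idx >= 1 << width:
            raise ValueError(f"gene strand {name} is full")
        return format(idx, f"0{width}b")


def encode_connection(pool, rec):
    """Phenotype of one connection (one itemset) -> genotype bit string.
    A missing attribute is completed with 0 (Definition 2)."""
    bits = [pool.code(name, rec.get(name, 0), width) for name, width in CATEGORICAL]
    bits.append(fuzzify(rec.get("dur", 0), DUR_BOUNDS))
    bits.append(fuzzify(rec.get("src_bytes", 0), BYTES_BOUNDS))
    bits.append(fuzzify(rec.get("dst_bytes", 0), BYTES_BOUNDS))
    return "".join(bits)


def encode_pattern(pool, conns, max_order=4):
    """Multi-order pattern (a sequence of connections) -> concatenated genotype,
    truncated to fourth order as the embodiment does."""
    return "".join(encode_connection(pool, c) for c in conns[:max_order])


# Constructed sample: two half-open (S0) HTTP connections followed by a completed one.
SAMPLE = [
    {"service": "http", "flag": "S0", "src_host": "host2", "src_port": 40001,
     "dst_host": "host1", "dur": 0.0, "src_bytes": 0, "dst_bytes": 0},
    {"service": "http", "flag": "S0", "src_host": "host2", "src_port": 40002,
     "dst_host": "host1", "dur": 0.0, "src_bytes": 0, "dst_bytes": 0},
    {"service": "http", "flag": "SF", "src_host": "host2", "src_port": 40003,
     "dst_host": "host1", "dur": 2.5, "src_bytes": 300, "dst_bytes": 12000},
]


def demo():
    """Encode the sample pattern with a fresh gene pool; returns (genotype, pool)."""
    pool = GenePool()
    return encode_pattern(pool, SAMPLE), pool
```

Each connection compresses to 25 bits, of which only 6 carry the three numeric attributes; without the fuzzy step those three fields would dominate the antibody length. Note that the gene pool is stateful: the code of a categorical value depends on the order in which values were first seen, so detectors and antigens must be encoded against the same pool.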
Step S12: provide the intrusion-detecting patterns and the patterns to be detected, express them as vectors, and design the detection algorithm on the basis of the expressed vector structure, so as to detect network intrusions.
This embodiment represents each intrusion-detecting pattern and each pattern to be detected as an eight-dimensional vector with eight parts: service type (service), source address (src_host), source port (src_port), destination address (dst_host), duration (dur), bytes sent by the source (src_bytes), bytes sent by the destination (dst_bytes) and state (flag):
Vector = <service, flag, src_host, src_port, dst_host, dur, src_bytes, dst_bytes>
To simplify the algorithm design that follows, this embodiment first gives some immune initial settings:
BC: the B cell set, initially empty. A B cell bc in BC represents "non-self" information, i.e. network attack information, and consists mainly of service type (service), source address (src_host), source port (src_port), destination address (dst_host), duration (dur), bytes sent by the source (src_bytes), bytes sent by the destination (dst_bytes) and state (flag); B cells secrete antibodies.
MC: the memory B cell set, initially empty. A memory cell mc in MC represents "non-self" information confirmed by the user and consists mainly of service type (service), source address (src_host), source port (src_port) and destination address (dst_host).
R: the binary representation of an antibody.
Kt: the initial number of memory cells.
Ka: the affinity threshold.
ε: the matching threshold.
Kl: the clone constant.
Km: the mutation constant.
Ag: an antigen; represents the "self" and "non-self" information the user faces.
Of course, in other embodiments, other types of vector and other initial-setting rules may be adopted according to actual needs.
An optional algorithm design is given below:
Procedure Train(TE)                                    // TE: training set
{
    foreach (te ∈ TE)
        add the attribute values of te to the appropriate gene libraries
    remove Kt random elements from TE and insert them into MC
    foreach (te ∈ TE)
        foreach (mc ∈ MC)
            if (affinity(mc, te) > Ka)
                clones ← clone_mutate(mc, te)          // clonal mutation generates new antibodies
                foreach (clo ∈ clones)
                    if (affinity(clo, te) >= affinity(mc, te))
                        BC ← BC ∪ {clo}
    Negachoose(BC)                                     // negative selection algorithm
}
Negative selection algorithm:
The negative selection algorithm simulates the maturation of immune cells; the detectors that survive the tolerance phase simulate mature immune cells.
Procedure Negachoose(BC)
{
    randomly generate a large number of candidate detectors bc (immune cells) from BC   // initialization
    while a detector set of the required size has not yet been produced do            // tolerance
        foreach (self)
            if (affinity(self, bc) > ε)                                                // selection
                remove bc from BC
}
Clonal selection algorithm:
Network intrusion attacks change over time. Sometimes the user is unsure whether an attack is an intrusion, or finds it hard to choose keywords accurately, so the information submitted is not necessarily precise. The invention therefore provides a clonal selection algorithm that combines the feedback information of several users and performs crossover and mutation to generate new antibodies.
Procedure clone_mutate(bc1, bc2)
{
    aff ← affinity(bc1, bc2)
    clones ← Φ
    // the higher the affinity, the more clones and the fewer mutations; the lower the affinity, the fewer clones and the more mutations
    num_clones ← aff * Kl
    num_mutate ← (1 - aff) * (length of bc1's feature vector) * Km
    for (i = 1; i <= num_clones; i++)
        bcx ← a copy of bc1
        for (j = 1; j <= num_mutate; j++)
            // replace a random gene of the clone
            p ← a random position in bcx's feature vector
            w ← a random value from the appropriate gene library
            replace the value in bcx's feature vector at position p with w
        clones ← clones ∪ {bcx}
    return clones
}
Rule promotion algorithm for user feedback:
The clonal mutation of rules inside the system and the user feedback from outside the system jointly determine how the rules vary.
Procedure Update(ag)
{
    foreach (bc ∈ BC)
        if (affinity(ag, bc) > Ka)
            increment bc's stimulation count
    // find the antibody with the highest affinity to this antigen; if its affinity to the antigen is higher than that of the memory cell, update the memory cell when promoting the rule
    bc_best ← element of BC with highest affinity to ag
    // clonal mutation of the B cells in the system
    BC ← BC ∪ clone_mutate(bc_best, ag)
    bc_best ← element of BC with highest affinity to ag
    mc_best ← element of MC with highest affinity to ag
    if (affinity(bc_best, ag) > affinity(mc_best, ag))
        BC ← BC ∪ {bc_best}
        MC ← MC ∪ {mc_best} ∪ {bc_best}
    foreach (mc ∈ MC)
        if (affinity(bc_best, mc) > Ka)
            decrement mc's stimulation count and add the values of ag's feature vector to the gene libraries
}
Affinity is calculated by the following formula:
Affinity(i, j) = code(i) - code(j), where code denotes the binary encoding of the pattern under test.
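The procedures Train, Negachoose, clone_mutate and Update above operate on encoded antibodies; the block below runs them over genotype bit strings. It is an added example written for this page, not the patent's code. Its affinity function is an assumption: the patent states Affinity(i, j) = code(i) - code(j), which is a plain difference of the two codes, whereas the example uses the normalized Hamming similarity so that 1.0 means identical genotypes and the thresholds Ka and ε can be read as fractions. The gene library for mutation is {0, 1}, the stimulation counters of Update are omitted, the function names and the sample self and training genotypes are constructed here, and the clone and mutation counts are truncated to integers.

```python
# Added example (not the patent's code): negative selection, clonal selection
# and feedback update over genotype bit strings, following the pseudocode
# procedures Train, Negachoose, clone_mutate and Update.
import random


def affinity(a, b):
    """Normalized Hamming similarity in [0, 1] between two genotypes.

    Assumption: the patent states Affinity(i, j) = code(i) - code(j); the
    similarity here is chosen so that 1.0 means identical bit strings."""
    if len(a) != len(b):
        raise ValueError("genotypes must have equal length")
    return sum(x == y for x, y in zip(a, b)) / len(a)


def negachoose(candidates, self_set, eps):
    """Negative selection: a candidate detector that matches any self pattern
    more closely than eps is removed, since it would raise false alarms."""
    return [c for c in candidates
            if all(affinity(s, c) <= eps for s in self_set)]


def clone_mutate(bc1, bc2, kl, km, rng=None):
    """Clonal selection: the higher the affinity, the more clones and the
    fewer mutations per clone. A mutation writes a random value from the
    {0, 1} gene library at a random position (it may leave the bit unchanged)."""
    rng = rng if rng is not None else random.Random(0)
    aff = affinity(bc1, bc2)
    num_clones = int(aff * kl)
    num_mutate = int((1 - aff) * len(bc1) * km)
    clones = []
    for _ in range(num_clones):
        bits = list(bc1)
        for _ in range(num_mutate):
            p = rng.randrange(len(bits))
            bits[p] = rng.choice("01")
        clones.append("".join(bits))
    return clones


def train(te, self_set, kt, ka, eps, kl, km, rng=None):
    """Procedure Train: seed MC with kt random training patterns, breed B cells
    from them by clonal mutation, then apply negative selection to BC."""
    rng = rng if rng is not None else random.Random(0)
    te = list(te)
    mc = [te.pop(rng.randrange(len(te))) for _ in range(kt)]
    bc = []
    for t in te:
        for m in list(mc):
            if affinity(m, t) > ka:
                for clo in clone_mutate(m, t, kl, km, rng):
                    if affinity(clo, t) >= affinity(m, t):
                        bc.append(clo)
    return mc, negachoose(bc, self_set, eps)


def detect(detectors, ag, ka):
    """An antigen (the genotype of a new connection) is flagged when any
    detector binds it above the affinity threshold."""
    return any(affinity(d, ag) > ka for d in detectors)


def update(bc, mc, ag, kl, km, rng=None):
    """Procedure Update (without stimulation counters): clone the best B cell
    for a user-confirmed antigen and promote it into memory when it binds the
    antigen better than every existing memory cell."""
    rng = rng if rng is not None else random.Random(0)
    bc = bc + clone_mutate(max(bc, key=lambda d: affinity(d, ag)), ag, kl, km, rng)
    bc_best = max(bc, key=lambda d: affinity(d, ag))
    mc_best = max(mc, key=lambda d: affinity(d, ag))
    if affinity(bc_best, ag) > affinity(mc_best, ag) and bc_best not in mc:
        mc = mc + [bc_best]
    return bc, mc
```

Two practical points the pseudocode leaves implicit: negative selection must be run against a self set that is representative of benign traffic, otherwise detectors that survive it still match normal connections; and with Km = 0 every clone is an exact copy of its parent, so mutation is what lets the detector set generalize beyond the training antigens.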
As described in the embodiment above, converting binary bits into corresponding fuzzy sets greatly shortens the antibody length, and combining clonal selection with negative selection reduces the time and space overhead of subjecting antibodies to negative selection and improves the efficiency of intrusion detection.
The above is only a preferred embodiment of the invention. It should be pointed out that a person skilled in the art can make improvements and modifications without departing from the principle of the invention, and such improvements and modifications should also be regarded as falling within the scope of protection of the invention.

Claims (4)

1. A method for detecting network intrusions, characterized in that it comprises the steps of:
building a system model, the system model containing phenotype patterns and genotype patterns;
mapping the phenotype patterns in the model to genotype patterns, discretizing the numeric attributes in the genotype patterns into interval values so that patterns can be compared, and converting the three attributes of a network intrusion record that occupy the most bytes, namely the duration and the bytes sent by the source and destination ends, into fuzzy-set form, each represented by two binary bits;
providing the intrusion-detecting patterns and the patterns to be detected, expressing them as vectors, and designing the detection algorithm on the basis of the expressed vector structure, so as to detect network intrusions.
2. The method for detecting network intrusions according to claim 1, characterized in that the genotype patterns of the system adopt multi-order patterns.
3. The method for detecting network intrusions according to claim 2, characterized in that the multi-order pattern is of fourth order.
4. The method for detecting network intrusions according to claim 1, characterized in that the vector is an eight-dimensional vector divided into eight parts: service type, source address, source port, destination address, duration, bytes sent by the source, bytes sent by the destination and state.

Priority Application (1)

Application number | Priority date | Filing date | Title
CN 200910199626 | 2009-11-27 | 2009-11-27 | Detection method of network intrusion

Publications (2)

Publication number | Publication date
CN102082700A | 2011-06-01
CN102082700B | 2013-10-30 (granted)

Family ID: 44088456
Country status: CN, CN102082700B (Expired - Fee Related)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN102664817A * | 2012-02-17 | 2012-09-12 | 上海电机学院 (Shanghai Dianji University) | Method and system for filtering spam
CN103034550A * | 2012-12-07 | 2013-04-10 | 上海电机学院 (Shanghai Dianji University) | Virtual-real interaction collision detection system and method based on artificial immune system
CN103036745A * | 2012-12-21 | 2013-04-10 | 北京邮电大学 (Beijing University of Posts and Telecommunications) | Anomaly detection system based on neural network in cloud computing
CN110995722B * | 2019-12-10 | 2020-09-29 | 深圳大学 (Shenzhen University) | Method and device for acquiring optimal characteristic subset of flow data based on immune strategy

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101299691A * | 2008-06-13 | 2008-11-05 | 南京邮电大学 (Nanjing University of Posts and Telecommunications) | Method for detecting dynamic gridding instruction based on artificial immunity
US20060218108A1 * | 2005-03-24 | 2006-09-28 | Sergey Panfilov | System for soft computing simulation (family cites)

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
通舜海. Application of improved SVM in intrusion detection. 计算机工程与应用 (Computer Engineering and Applications), 2008, no. 44, pp. 113-115. *
赵孟德. A text information retrieval model based on an immunological architecture. 华东理工大学学报(自然科学版) (Journal of East China University of Science and Technology, Natural Science Edition), 2007, vol. 33, pp. 132-136. *

Legal Events

Date | Code | Title
2011-06-01 | C06 / PB01 | Publication (CN102082700A)
(date not listed) | C10 / SE01 | Entry into substantive examination (entry into force of the request for substantive examination)
2013-10-30 | C14 / GR01 | Grant of patent or utility model (granted publication date)
2016-11-27 | CF01 | Termination of patent right due to non-payment of the annual fee