CN113726810A - Intrusion detection system - Google Patents

Intrusion detection system

Info

Publication number: CN113726810A
Application number: CN202111044147.7A
Authority: CN (China)
Legal status: Pending
Prior art keywords: event, module, events, classifier, sending
Other languages: Chinese (zh)
Inventors: 周鑫, 李明君, 王伟光, 区俊彦, 肖世文
Current assignee: Guangzhou Power Supply Bureau of Guangdong Power Grid Co Ltd
Original assignee: Guangzhou Power Supply Bureau of Guangdong Power Grid Co Ltd
Application filed by Guangzhou Power Supply Bureau of Guangdong Power Grid Co Ltd
Priority to CN202111044147.7A
Publication of CN113726810A

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L 63/1416 Event detection, e.g. attack signature detection
                • H04L 63/1425 Traffic logging, e.g. anomaly detection
              • H04L 63/1441 Countermeasures against malicious traffic
                • H04L 63/1458 Denial of Service
                • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
          • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L 41/06 Management of faults, events, alarms or notifications
              • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
            • H04L 41/14 Network analysis or design
              • H04L 41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
              • H04L 41/147 Network analysis or design for predicting network behaviour
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F 18/00 Pattern recognition
            • G06F 18/20 Analysing
              • G06F 18/24 Classification techniques
                • G06F 18/243 Classification techniques relating to the number of classes
                  • G06F 18/24323 Tree-organised classifiers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Data Mining & Analysis (AREA)
  • Theoretical Computer Science (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Evolutionary Computation (AREA)
  • Evolutionary Biology (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Alarm Systems (AREA)

Abstract

The present application relates to an intrusion detection system. According to the method and the device, the events can be classified through the pre-constructed event analyzer, the pre-constructed event analyzer is obtained by training according to the historical event record, the events can be automatically identified as normal events or intrusion events according to the event characteristics, and the identification real-time performance and accuracy of the intrusion detection system are improved. The system comprises an event generator, a pre-constructed event analyzer and a responder: the event generator is used for monitoring and acquiring events in a target monitoring environment; sending the event to a pre-constructed event analyzer; the pre-constructed event analyzer is used for detecting and classifying events to obtain event types of the events; sending the event to a responder; and the responder is used for making corresponding response behaviors aiming at the events according to the event types.

Description

Intrusion detection system
Technical Field
The present application relates to the field of network security technologies, and in particular, to an intrusion detection system.
Background
With the deepening development of information technology, no industry can do without the internet, and network security receives more and more attention.
In the field of network security, Intrusion Detection Systems (IDS) are increasingly used. An intrusion detection system is a network security device that monitors network transmissions in real time, raises an alarm when suspicious transmissions are found, or takes proactive measures (e.g., denying access).
An intrusion detection system can only identify intrusion behaviors and cannot prevent them, so it must have high real-time performance and accuracy, lest an attacker succeed in attacking the network system because the intrusion was not identified in time. However, the intrusion detection systems currently in use detect network attacks too slowly and lack real-time performance and accuracy.
Disclosure of Invention
In view of the above, it is necessary to provide an intrusion detection system in order to solve the above technical problems.
An intrusion detection system, the system comprising an event generator, a pre-constructed event analyzer and a responder; wherein,
the event generator is used for monitoring and acquiring events in a target monitoring environment and sending the events to a pre-constructed event analyzer;
the pre-constructed event analyzer is used for detecting and classifying the events to obtain the event types of the events and sending the events to the responder;
and the responder is used for making corresponding response behaviors aiming at the events according to the event types.
In one embodiment, the system further comprises a training module; the training module is used for acquiring a historical event set in the target monitoring environment, and training an event analyzer by using the historical event set to obtain the pre-constructed event analyzer; wherein event types of historical events in the set of historical events are known.
In one embodiment, the event analyzer comprises a data preprocessing module, a judging module and a classifier; wherein,
the data preprocessing module is used for acquiring the characteristic value of the event, discretizing and normalizing the characteristic value of the event to obtain a standard characteristic value, and sending the standard characteristic value to the judging module;
the judging module is used for judging whether the total number of the standard characteristic values is smaller than a preset threshold value or not; if yes, sending the event to the classifier;
and the classifier is used for classifying the event according to the standard characteristic value to obtain the event type of the event.
In one embodiment, the event analyzer further comprises a feature selection module;
the judging module is used for judging whether the total number of the standard characteristic values is smaller than a preset threshold value or not; if not, sending the event to the feature selection module;
the characteristic selection module is used for selecting characteristics according to the standard characteristic values of the events to obtain a characteristic value subset meeting preset conditions; and sending the characteristic value subset to the classifier so that the classifier classifies the event according to the characteristic value subset to obtain the event type of the event.
In one embodiment, the responder comprises a logging module; the logging module is connected with the classifier;
and the logging module is used for receiving the events and the corresponding event types from the classifier and storing the events and the corresponding event types.
In one embodiment, the responder further comprises an alarm module and a response module; the alarm module is connected with the classifier;
the classifier is used for sending the intrusion event to the alarm module when the event type of the event is judged to be the intrusion event;
the alarm module is used for sending alarm information to the management port; and sending the intrusion event to a response module to instruct the response module to make a corresponding response action.
In one embodiment, the classifier is constructed based on the ID3 decision tree algorithm.
In one embodiment, the feature selection module is constructed using an information gain based algorithm.
In one embodiment, the information gain based algorithm comprises a C4.5 algorithm.
In one embodiment, the system further comprises an event database:
the event database is used for storing the event, the event type of the event and the alarm information.
The intrusion detection system comprises an event generator, a pre-constructed event analyzer and a responder: the event generator is used for monitoring and acquiring events in a target monitoring environment; sending the event to a pre-constructed event analyzer; the pre-constructed event analyzer is used for detecting and classifying events to obtain event types of the events; sending the event to a responder; and the responder is used for making corresponding response behaviors aiming at the events according to the event types. The system classifies events through a pre-constructed event analyzer, the pre-constructed event analyzer is obtained by training according to historical event records, the event can be automatically identified as a normal event or an intrusion event according to event characteristics, and the identification real-time performance and accuracy of the intrusion detection system are improved.
Drawings
FIG. 1 is a diagram of an environment in which an intrusion detection system may be used in one embodiment;
FIG. 2 is a block diagram of a model architecture of an intrusion detection system in one embodiment;
FIG. 3 is a flow diagram of an intrusion detection system in one embodiment;
FIG. 4 is a diagram illustrating an internal structure of a computer device according to an embodiment;
FIG. 5 is an internal structural view of a computer device in another embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The intrusion detection system provided by the present application may be a lightweight intrusion detection system, which may be applied in the application environment as shown in fig. 1. The IDS system can be regarded as a monitoring system of the intranet, and the IDS server in the IDS system can be implemented by an independent server or a server cluster composed of a plurality of servers.
In one embodiment, as shown in FIG. 2, FIG. 2 illustrates a model architecture diagram of an intrusion detection system, including an event generator, a pre-constructed event analyzer, and a responder; the event generator is used for monitoring and acquiring events in a target monitoring environment; sending the event to a pre-constructed event analyzer; the pre-constructed event analyzer is used for detecting and classifying events to obtain event types of the events; sending the event to a responder; and the responder is used for making corresponding response behaviors aiming at the events according to the event types.
The target monitoring environment refers to an internal local area network with a light-weight intrusion detection system deployed.
Specifically, the event generator is configured to capture network traffic from each network node (including a user host, a server, a database, and the like) in the internal local area network, and analyze an obtained traffic data packet to obtain each event, where the events include, but are not limited to, an access request, an authorization request, information transmission and acquisition, and the like. In some cases, the event generator may also itself simulate generating events. The event generator sends the captured or generated event to a pre-constructed event analyzer.
The pre-constructed event analyzer classifies the events and can detect whether the event type of the event is a normal event or an intrusion event; and sends the event and its detection result to the responder.
The responder processes the event according to the detection result, namely the event type. For example, if the event is a normal event, it is only written into the log record and stored in the event database; if the event is an intrusion event, it is refused entry to the intranet and an alarm is sent to the relevant handling personnel; at the same time the intrusion event is logged and stored in the event database for subsequent analysis.
Optionally, the lightweight intrusion detection system may further include an event database for storing the events, event types of the events, other alarm information, corresponding processing behaviors, and the like.
The foregoing embodiments provide a lightweight intrusion detection system, including an event generator, a pre-constructed event analyzer, and a responder: the event generator is used for monitoring and acquiring events in a target monitoring environment; sending the event to a pre-constructed event analyzer; the pre-constructed event analyzer is used for detecting and classifying events to obtain event types of the events; sending the event to a responder; and the responder is used for making corresponding response behaviors aiming at the events according to the event types. The system classifies events through a pre-constructed event analyzer, the pre-constructed event analyzer is obtained by training according to historical event records, the event can be automatically identified as a normal event or an intrusion event according to event characteristics, and the identification real-time performance and accuracy of the intrusion detection system are improved.
In an embodiment, the system further includes a training module, configured to obtain a historical event set in the target monitoring environment; wherein event types of historical events in the historical event set are known; and training an event analyzer by using the historical event set to obtain the pre-constructed event analyzer.
Specifically, a historical event set for the intranet is obtained from the event database; the event types of the historical events are known and can be divided into normal events and intrusion events. An event analyzer is trained with this historical event set of known event types to obtain a trained event analyzer, namely the pre-constructed event analyzer.
In the above embodiment, the trained event analyzer is obtained by using the training module, so as to provide necessary preconditions for subsequent event detection and classification.
In one embodiment, as shown in fig. 3, the event analyzer includes a data preprocessing module, a judging module, a feature selecting module and a classifier; the data preprocessing module is used for acquiring a characteristic value of an event; discretizing and normalizing the characteristic value of the event to obtain a standard characteristic value; sending the standard characteristic value to a judging module; the judging module is used for judging whether the total number of the standard characteristic values is smaller than a preset threshold value or not; if yes, sending the event to a classifier; and the classifier is used for classifying the events according to the standard characteristic values to obtain the event types of the events. The characteristic selection module is used for carrying out characteristic selection according to the standard characteristic value of the event to obtain a characteristic value subset meeting a preset condition; and sending the characteristic value subset to a classifier so that the classifier classifies the event according to the characteristic value subset to obtain the event type of the event.
Specifically, the data preprocessing module converts the data format of the collected original event into a format that the C4.5 algorithm can recognize and process, which specifically includes discretizing and normalizing the feature values of the event. An event has multiple features, and the values of some features are continuous, so those continuous feature values must be discretized. The data preprocessing module can discretize the features of the original event with the Excel macro tool FormatDataLibsvm. In addition, to ensure the accuracy of subsequent detection and classification and to avoid a feature value with a small range being swamped by a feature value with a large range, the feature values are normalized, that is, scaled in a fixed proportion so that the ranges of all feature values are of the same order of magnitude. The linear max-min normalization method can be used for this normalization. After discretization and normalization, the data preprocessing module obtains the standard feature values and sends them to the judging module.
The judging module judges whether the total number of standard feature values is smaller than a preset threshold. When the number of feature values is small, the event can be sent directly to the classifier for detection and classification; when the number of feature values is large, the event is sent to the feature selection module, which performs feature selection according to the standard feature values of the event. The selected feature selection algorithm is an information-gain-based algorithm in filter mode, whose purpose is to select the features with the highest information gain, namely the features with the greatest discrimination in the data set. Specifically, the feature selection module may calculate the information gain of each feature, select the features with higher information gain values from all the features to construct a feature value subset, and send the feature value subset to the classifier, so that the classifier classifies the event according to the features in the subset to obtain the event type.
In this embodiment, the judging module decides whether the event needs feature selection: if the number of features is small, the event is classified directly; if the number of features is large, the features with the highest discrimination are selected to form a feature value subset, which is then used for classification. This improves the processing efficiency of the classifier, since it does not have to judge every feature when the number of features is large, and makes the intrusion detection system lightweight. Compared with a classifier that classifies on all features, the method has a shorter average modeling time and higher detection accuracy.
In one embodiment, the responder includes a logging module. As shown in fig. 3, the logging module is connected to the classifier and is configured to receive and store the event and the corresponding event type from the classifier; the logging module stores the event whether it is a normal event or an intrusion event.
In this embodiment, all history records can be saved through logging, so that experience can be accumulated and learned from later.
In an embodiment, as shown in fig. 3, the responder further includes an alarm module and a response module, and the alarm module is connected to the classifier; the classifier is used for sending the intrusion event to the alarm module when the event type of the event is judged to be the intrusion event; the alarm module is used for sending alarm information to the management port; and sending the intrusion event to the response module to instruct the response module to make corresponding response action.
Specifically, when the event is determined to be an intrusion event, the classifier sends the intrusion event to the alarm module; the alarm module sends alarm information to the relevant manager (management port) and sends the intrusion event to the response module, so that the response module responds according to the specific type of the event. For example, intrusion modes of the intrusion event are divided into four types, namely DOS attack, R2L remote attack, U2R privilege escalation attack and Probing detection attack, and the response module can process each intrusion mode accordingly. If the event is an intrusion behavior, the responder sends an alarm to notify the system administrator, and may at the same time actively take corresponding measures, such as linkage with a firewall and interconnection with a security management platform or its security equipment. When the IDS detects abnormal behavior, the response module adds a rule so that the firewall can block the attack source and the attack target (including IP, port and service) in time, thereby protecting the computer network. In the process, the specific information of the detected abnormal behavior and the added rule are written into the event log and reported to the system administrator.
According to the embodiment, the alarm module and the response module are arranged, so that the intrusion event can be processed in time, and the negative influence of the intrusion event on the internal network is prevented.
In one embodiment, the classifier is constructed based on the ID3 (Iterative Dichotomiser 3) decision tree algorithm. The feature selection module is constructed using an information-gain-based algorithm, and the information-gain-based algorithm comprises the C4.5 algorithm. ID3 and C4.5 both belong to the decision tree algorithms; decision tree learning essentially generalizes a set of classification rules from a training data set. The core idea of the ID3 algorithm is to use the information entropy principle to select the attribute with the largest information gain as the classification attribute, recursively expand the branches of the decision tree, and so complete the construction of the tree.
According to the embodiment, the decision tree algorithm is used, so that the data mining capacity is improved, and the accuracy of the intrusion detection system is further improved.
In an embodiment, the event generator in the system further includes a data acquisition module and an information source, and data from the information source is received by the data acquisition module in the form of data packets, processed to form audit records, and then reaches the data preprocessing module.
Because the information source of the intrusion detection system is network data, the main functions of the data acquisition module are to acquire data from the network card and to reassemble out-of-order TCP connections. On a Windows operating system, packet capture is implemented with WinPcap, a program that can filter packets at the lower layers.
The NIC is first set to promiscuous mode, and the rules for filtering data are then set through parameters of the BPF (Berkeley Packet Filter) kernel component. The PacketSetBuff() function is called to set the size of the system buffer, in which the packet objects are allocated. Packet capture itself uses the PacketReceivePacket() function: once the system buffer has been filled with packets, they are copied to the user buffer, where further packet analysis can take place.
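The following Python is an added example, not the patent's WinPcap code, of the part of the data acquisition module that comes after capture: it parses raw Ethernet/IPv4/TCP frames (as a capture library would hand them over), groups segments per connection and rebuilds each byte stream in sequence-number order, so that out-of-order, retransmitted and overlapping segments do not corrupt the audit record passed to preprocessing. The frames, addresses, ports and payloads are constructed for the example; `build_frame` exists only to create that test data and leaves checksums zero.

```python
# Added example (not the patent's code): parse captured frames and reassemble
# each TCP stream in sequence order. NIC access is out of scope here; the input
# is a list of raw frames as a packet-capture library would deliver them.

import struct
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int, str, int]  # (src ip, src port, dst ip, dst port)


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet + IPv4 + TCP frame (constructed test data; checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> Optional[Tuple[Flow, int, bytes]]:
    """Return (flow, seq, payload) for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    if proto != 6 or len(frame) < 14 + ihl + 20:
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp_off = 14 + ihl
    sport, dport, seq = struct.unpack("!HHI", frame[tcp_off:tcp_off + 8])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload = frame[tcp_off + data_off:14 + total_len]  # honour the IP length, ignore Ethernet padding
    return (src, sport, dst, dport), seq, payload


def reassemble(frames: List[bytes]) -> Dict[Flow, bytes]:
    """Group TCP payload by flow and rebuild each stream in sequence order.

    Retransmitted bytes are dropped, overlapping segments are trimmed to the bytes
    not yet seen, and a hole (segment never captured) is marked with '?' bytes so
    the analysis stage can tell real content from missing content.
    """
    flows: Dict[Flow, List[Tuple[int, bytes]]] = {}
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue  # non-IPv4/non-TCP traffic is not an audit record here
        flow, seq, payload = parsed
        if payload:
            flows.setdefault(flow, []).append((seq, payload))
    streams: Dict[Flow, bytes] = {}
    for flow, segments in flows.items():
        segments.sort(key=lambda s: s[0])  # stable: equal seq keeps arrival order
        out = bytearray()
        next_seq = segments[0][0]
        for seq, payload in segments:
            if seq + len(payload) <= next_seq:
                continue  # pure retransmission of bytes already kept
            if seq < next_seq:
                payload = payload[next_seq - seq:]  # trim the overlapping prefix
                seq = next_seq
            if seq > next_seq:
                out.extend(b"?" * (seq - next_seq))  # hole marker
            out.extend(payload)
            next_seq = seq + len(payload)
        streams[flow] = bytes(out)
    return streams


if __name__ == "__main__":
    captured = [  # constructed: second segment arrives before the first, plus a retransmission
        build_frame("10.0.0.5", "10.0.0.9", 40000, 80, 1006, b"HTTP/1.1\r\n"),
        build_frame("10.0.0.5", "10.0.0.9", 40000, 80, 1000, b"GET / "),
        build_frame("10.0.0.5", "10.0.0.9", 40000, 80, 1000, b"GET / "),
    ]
    for flow, data in reassemble(captured).items():
        print(flow, data)
```

Two design choices are worth noting. The payload length is taken from the IP total length rather than from the frame length, so Ethernet padding on short frames never ends up in the reconstructed stream; and overlapping segments keep the bytes that arrived first, which is one policy among several that real stacks use, so an analyzer fed by this code sees a stream that may differ from what an end host with a different policy would accept.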
It should be understood that, although the steps in the above flowcharts are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated otherwise, the steps need not be performed in the exact order shown and described, and may be performed in other orders. Moreover, at least some of the steps in the above flowcharts may include several sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times; nor must these sub-steps or stages be performed in sequence, since they may be performed in turn or alternately with other steps or with at least part of the sub-steps or stages of other steps.
The following description is provided in a specific application scenario:
In this embodiment, based on research into binary remote code execution vulnerabilities, a lightweight traffic-based intrusion detection system is designed and implemented, aimed at the means of bypassing address space randomization used in such vulnerabilities.
The experimental data all come from KDD 99, a data set containing over 5 million connection records, available from. Each connection record has 41 attribute values, of which 34 are continuous and 7 are discrete. Each record has a label, namely normal or intrusion, and there are 4 intrusion modes in total, namely DOS attack, R2L remote attack, U2R privilege attack and Probing detection attack. The experimental environment was: CPU Intel Core i7 1.73 GHz; 512 MB memory; operating system Windows 2007; programming environment VC++ 6.0.
Training is performed with the training data of the KDD 99 data set, and to avoid chance results the test data set needs to contain a large amount of data. The training data set therefore contained 100000 records, and 60000 records different from the training data were taken as test data.
The experiment was completed on the WEKA (Waikato Environment for Knowledge Analysis) open source platform. WEKA is a data mining system implemented in Java; it provides methods for data preprocessing and algorithm performance evaluation suitable for any data set, has strong extensibility and compatibility, and allows a custom algorithm to be packaged into the system as required. The model adopts an information-gain-based feature selection algorithm and the ID3 decision tree classification algorithm. The ID3 classification algorithm is mature, and many existing development tools implement it so that it can be called directly from a program function library.
The detection flow of the tool is as follows:
Step one: download the KDD 99 data package, decompress it, and randomly select data to construct two data sets X and C, where data set X contains 100000 records and is the training data set, and data set C contains 60000 records and is the test data set;
Step two: preprocess the data in X; after discretization of the continuous attributes and normalization, copy the resulting data set X to obtain X_1 and X_2;
Step three: send X_1 into the event analysis module of the intrusion detection model proposed here and, after feature selection, construct classifier F_1 with the ID3 algorithm; send X_2 directly into the classifier module and construct classifier F_2 by training;
Step four: repeat the operation of step two on the test data set C to obtain data sets C_1 and C_2, then send C_1 and C_2 to classifiers F_1 and F_2 respectively for classification to obtain the classified event types.
According to this embodiment, combining the feature selection algorithm with the classification algorithm effectively improves the detection speed of the intrusion detection system, accelerates detection on large data volumes, and improves the performance of the intrusion detection system; compared with a classifier trained on all features, the classifier combined with the feature selection algorithm has a shorter average modeling time and much higher detection accuracy.
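The following Python is an added example, neither the patent's code nor WEKA's, that ties together the information-gain feature selection and the ID3 classifier described in the event analyzer and classifier embodiments above with the four-step experiment just listed: entropy and information gain are computed from the label distribution, the filter-style selection keeps the k highest-gain features, ID3 grows the tree recursively on the attribute with the largest gain, and `compare` trains F_1 on the selected subset and F_2 on all features, then scores both on the test set. The records, feature names (chosen to look like KDD-style attributes), values and k are constructed; real runs would use the preprocessed KDD 99 sets in their place.

```python
# Added example (not the patent's or WEKA's code): information-gain feature
# selection feeding an ID3 decision tree, plus the F_1 (selected features) versus
# F_2 (all features) comparison from the experiment steps. Records are
# constructed and already discrete, as they would be after preprocessing.

import math
from collections import Counter
from typing import Dict, List, Union

Record = Dict[str, str]          # feature -> discrete value, plus a "label" key
Tree = Union[str, tuple]         # leaf label, or (feature, {value: subtree}, majority label)


def entropy(records: List[Record]) -> float:
    """Shannon entropy (bits) of the label distribution."""
    counts = Counter(r["label"] for r in records)
    n = len(records)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def information_gain(records: List[Record], feature: str) -> float:
    """H(labels) minus the size-weighted entropy of the subsets produced by splitting on `feature`."""
    n = len(records)
    groups: Dict[str, List[Record]] = {}
    for r in records:
        groups.setdefault(r[feature], []).append(r)
    remainder = sum(len(g) / n * entropy(g) for g in groups.values())
    return entropy(records) - remainder


def select_features(records: List[Record], features: List[str], k: int) -> List[str]:
    """Filter-mode selection: keep the k features with the highest information gain."""
    ranked = sorted(features, key=lambda f: information_gain(records, f), reverse=True)
    return ranked[:k]


def id3(records: List[Record], features: List[str]) -> Tree:
    """Grow a decision tree on the largest-gain attribute; leaves carry the majority label."""
    labels = Counter(r["label"] for r in records)
    majority = labels.most_common(1)[0][0]
    if len(labels) == 1 or not features:
        return majority
    best = max(features, key=lambda f: information_gain(records, f))
    if information_gain(records, best) <= 0:
        return majority  # no attribute separates the labels any further
    branches = {}
    for value in {r[best] for r in records}:
        subset = [r for r in records if r[best] == value]
        branches[value] = id3(subset, [f for f in features if f != best])
    return (best, branches, majority)


def classify(tree: Tree, record: Record) -> str:
    """Walk the tree; a feature value never seen in training falls back to that node's majority label."""
    while isinstance(tree, tuple):
        feature, branches, majority = tree
        tree = branches.get(record.get(feature), majority)
    return tree


def accuracy(tree: Tree, records: List[Record]) -> float:
    hits = sum(classify(tree, r) == r["label"] for r in records)
    return hits / len(records)


# Constructed training set X: "service" and "flag" carry the signal, "land" is noise.
TRAIN: List[Record] = [
    {"service": "http",  "flag": "SF",  "land": "0", "label": "normal"},
    {"service": "http",  "flag": "SF",  "land": "1", "label": "normal"},
    {"service": "smtp",  "flag": "SF",  "land": "0", "label": "normal"},
    {"service": "ftp",   "flag": "SF",  "land": "1", "label": "normal"},
    {"service": "http",  "flag": "S0",  "land": "0", "label": "intrusion"},
    {"service": "smtp",  "flag": "S0",  "land": "1", "label": "intrusion"},
    {"service": "ecr_i", "flag": "SF",  "land": "0", "label": "intrusion"},
    {"service": "ecr_i", "flag": "REJ", "land": "1", "label": "intrusion"},
]
# Constructed test set C, kept disjoint from X.
TEST: List[Record] = [
    {"service": "http",  "flag": "SF", "land": "1", "label": "normal"},
    {"service": "ftp",   "flag": "S0", "land": "0", "label": "intrusion"},
    {"service": "ecr_i", "flag": "SF", "land": "1", "label": "intrusion"},
    {"service": "smtp",  "flag": "SF", "land": "1", "label": "normal"},
]
FEATURES = ["service", "flag", "land"]


def compare(train: List[Record] = TRAIN, test: List[Record] = TEST, k: int = 2) -> Dict[str, object]:
    """Steps three and four: F_1 is trained on the k selected features, F_2 on all features."""
    subset = select_features(train, FEATURES, k)
    f1 = id3(train, subset)
    f2 = id3(train, FEATURES)
    return {"selected": subset, "acc_f1": accuracy(f1, test), "acc_f2": accuracy(f2, test)}


if __name__ == "__main__":
    print(compare())
```

On this tiny set the noise feature "land" has zero gain, so it is the one dropped and both classifiers reach the same accuracy; the cost difference the patent measures (modeling time on 100000 records with 41 attributes) only shows at scale. The fallback in `classify` is deliberate: a service or flag value that never appeared in training must still yield a decision rather than an exception, and which label it yields is a policy choice a deployer should make consciously.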
In one embodiment, a computer device, which may be a server, whose internal structure diagram may be as shown in fig. 4, is provided for implementing the above-mentioned lightweight intrusion detection system. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing data such as events, event types and corresponding response processing information. The network interface of the computer device is used for communicating with an external terminal through a network connection.
In one embodiment, a computer device, which may be a terminal and whose internal structure diagram may be as shown in fig. 5, may be used to implement the above-mentioned lightweight intrusion detection system. The computer device includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless communication can be realized through WIFI, an operator network, NFC (near field communication) or other technologies. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on the shell of the computer equipment, an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the configurations shown in fig. 4-5 are only block diagrams of some of the components relevant to the present application and do not limit the computing devices to which the present application may be applied; a particular computing device may include more or fewer components than shown, combine certain components, or arrange the components differently.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the method embodiments described above. Any reference to memory, storage, database or other medium used in the embodiments provided herein can include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical storage, or the like. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM can take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM), among others.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. An intrusion detection system comprising an event generator, a pre-constructed event analyzer and a responder; wherein,
the event generator is used for monitoring and acquiring events in a target monitoring environment and sending the events to a pre-constructed event analyzer;
the pre-constructed event analyzer is used for detecting and classifying the events to obtain the event types of the events and sending the events to the responder;
and the responder is used for making corresponding response behaviors aiming at the events according to the event types.
2. The system of claim 1, further comprising a training module; the training module is used for acquiring a historical event set in the target monitoring environment, and training an event analyzer by using the historical event set to obtain the pre-constructed event analyzer; wherein event types of historical events in the set of historical events are known.
3. The system of claim 2, wherein the event analyzer comprises a data preprocessing module, a judging module and a classifier; wherein,
the data preprocessing module is used for acquiring the feature values of the event, discretizing and normalizing the feature values to obtain standard feature values, and sending the standard feature values to the judging module;
the judging module is used for judging whether the total number of the standard feature values is smaller than a preset threshold; if yes, sending the event to the classifier;
and the classifier is used for classifying the event according to the standard feature values to obtain the event type of the event.
4. The system of claim 3, wherein the event analyzer further comprises a feature selection module;
the judging module is used for judging whether the total number of the standard feature values is smaller than a preset threshold; if not, sending the event to the feature selection module;
and the feature selection module is used for performing feature selection on the standard feature values of the event to obtain a feature value subset meeting a preset condition, and sending the feature value subset to the classifier so that the classifier classifies the event according to the feature value subset to obtain the event type of the event.
5. The system of claim 3, wherein the responder comprises a logging module; the log recording module is connected with the classifier;
and the log recording module is used for receiving the events and the corresponding event types from the classifier and storing the events and the corresponding event types.
6. The system of claim 3, wherein the responder further comprises an alarm module and a response module; the alarm module is connected with the classifier;
the classifier is used for sending the intrusion event to the alarm module when the event type of the event is judged to be an intrusion event;
and the alarm module is used for sending alarm information to a management port, and for sending the intrusion event to the response module to instruct the response module to make a corresponding response action.
7. The system of claim 3, wherein the classifier is constructed based on an ID3 decision tree algorithm.
8. The system of claim 4, wherein the feature selection module is constructed using an information gain based algorithm.
9. The system of claim 8, wherein the information gain based algorithm comprises a C4.5 algorithm.
10. The system according to any one of claims 1 to 9, characterized in that it further comprises an event database:
the event database is used for storing the event, the event type of the event and the alarm information.
CN202111044147.7A 2021-09-07 2021-09-07 Intrusion detection system Pending CN113726810A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111044147.7A CN113726810A (en) 2021-09-07 2021-09-07 Intrusion detection system

Publications (1)

Publication Number Publication Date
CN113726810A true CN113726810A (en) 2021-11-30

Family

ID=78682222

Country Status (1)

Country Link
CN (1) CN113726810A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116821898A (en) * 2023-06-30 2023-09-29 北京火山引擎科技有限公司 Intrusion detection method, device and storage medium for container environment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015190446A1 (en) * 2014-06-11 2015-12-17 日本電信電話株式会社 Malware determination device, malware determination system, malware determination method, and program
US20160036844A1 (en) * 2014-07-15 2016-02-04 Cisco Technology, Inc. Explaining network anomalies using decision trees
CN105930723A (en) * 2016-04-20 2016-09-07 福州大学 Intrusion detection method based on feature selection
CN109086603A (en) * 2018-07-10 2018-12-25 阜阳职业技术学院 A kind of intruding detection system and method based on machine learning
CN109617888A (en) * 2018-12-24 2019-04-12 湖北大学 A kind of anomalous traffic detection method neural network based and system
CN110727943A (en) * 2019-10-11 2020-01-24 中山职业技术学院 Intrusion detection method and device

Non-Patent Citations (14)

* Cited by examiner, † Cited by third party
Title
向明尚 et al.: "Design and implementation of a distributed intrusion detection system based on dynamic Agents" (基于动态Agent的分布式入侵检测系统设计与实现), 《长江大学学报(自科版)理工卷》, no. 02, 15 June 2006 (2006-06-15) *
姜华斌: "Architecture of a ring-structured distributed cooperative intrusion detection system" (基于环形结构分布式协同入侵检测系统的架构), 《吉首大学学报(自然科学版)》, no. 05, 25 September 2008 (2008-09-25) *
姜宏 et al.: "A lightweight DDoS attack detection method based on the GAIG feature selection algorithm" (基于GAIG特征选择算法的轻量化DDoS攻击检测方法), 《计算机应用研究》, no. 02, 15 February 2016 (2016-02-15), pages 2-6 *
李威: "Improved design of a BP neural network for intrusion detection" (BP神经网络在入侵检测中的改进设计), 《漯河职业技术学院学报》, no. 05, 15 September 2008 (2008-09-15), page 1 *
王雷, 魏焕新, 聂清彬 et al.: "Fundamentals of Computer Network Principles" (计算机网络原理基础教程), 西安电子科技大学出版社 (Xidian University Press), page 177 *
白广利: "MATLAB design and implementation of intrusion detection in network security" (网络安全中入侵检测的MATLAB设计实现), 《黑龙江科学》, no. 02, 15 March 2012 (2012-03-15) *
胡军华 et al.: "A network-based intrusion detection model and its implementation" (一种基于网络的入侵检测模型及其实现), 《湖南大学学报(自然科学版)》, no. 06, 30 December 2006 (2006-12-30), pages 1-8 *
魏金太 et al.: "Research on an intrusion detection system based on information gain and a random forest classifier" (基于信息增益和随机森林分类器的入侵检测系统研究), 《中北大学学报(自然科学版)》, no. 01, 15 February 2018 (2018-02-15), page 2 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211130