[1] PAN Zhi-song, NI Gui-qiang, TAN Ling, et al. One-class Classification and Immune Framework in Abnormal Detection[J]. Journal of Nanjing University of Science and Technology (Natural Science Edition), 2006, (01): 48-52.

One-class Classification Algorithm and Immune Framework Design for Anomaly Detection

Journal of Nanjing University of Science and Technology (Natural Science Edition) [ISSN: 1005-9830 / CN: 32-1397/N]

Issue:
2006, No. 01
Pages:
48-52
Publication date:
2006-02-28

Article Info

Title:
One-class Classification and Immune Framework in Abnormal Detection
Authors:
PAN Zhi-song (潘志松), NI Gui-qiang (倪桂强), TAN Ling (谭琳), HU Gu-yu (胡谷雨)
Affiliation:
Institute of Command Automation, PLA University of Science and Technology, Nanjing 210007, China
Keywords:
intrusion detection; self-organizing maps; one-class classifier; artificial immune theory
CLC number:
TP393.08
Abstract (translated from the Chinese):
Anomaly detection systems based on host execution traces (sequences of system calls) can detect attacks of the U2R (user-to-root) and R2L (remote-to-local) classes. Because attack data are hard to obtain, usually only traces of normal system-call behaviour are available. This paper designs an anomaly detection model built on a one-class classifier based on self-organizing feature maps: the classifier is trained on normal data alone, and every activity that deviates from the normal patterns is treated as an intrusion. Tested on a data set of host execution traces, the experiments achieved a detection rate close to 100% on anomalous samples with a false alarm rate of 4.9%. Using the one-class classifier as the antibody detector, the paper applies artificial immune theory to build a distributed anomaly detection framework, giving the intrusion detection system distributed, self-organizing and efficient properties and offering a new approach to building distributed intrusion detection.
Abstract (English original):
Anomaly detection using sequences of system calls can detect behaviours such as U2R (user to root) and R2L (remote to local) attacks. Administrators usually can only obtain normal sequences of system calls, because attack data are difficult to acquire. A one-class classifier based on an improved self-organizing maps algorithm was designed to solve the one-class problem in anomaly detection: all activities that deviate from the normal patterns are classified as intrusions. In the experiments, the one-class classifier achieved a 100% detection rate and a 4.9% false alarm rate on sequences of system calls. A framework for distributed intrusion detection is given based on artificial immune theory, and a detector algorithm based on one-class classification is designed and discussed. The resulting intrusion detection framework is distributed, self-organizing and efficient, and the approach suggests a new direction for future intrusion detection systems.
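The model the abstract describes, as an added worked example that is not the authors' code: a one-class classifier over short windows of system calls, built on a small self-organizing map trained on normal traces only, where a window is scored by its distance to the best-matching neuron and anything beyond the largest distance seen on normal data counts as anomalous. The traces, the window length of 3, the 4x4 map, the training schedule and the max-error threshold are all assumptions chosen for illustration; the paper's actual SOM modification, data set and threshold are not given on this page.

```python
"""One-class anomaly detector for system-call traces built on a Kohonen
self-organizing map (SOM) trained on normal traces only.  Illustrative
code for this page, not the authors' implementation; all traces below
are constructed, not real audit data."""
import math
import random

WINDOW = 3            # length of the system-call n-gram fed to the map (assumption)
GRID = 4              # the SOM is a GRID x GRID lattice of neurons (assumption)
UNK = "<unk>"         # bucket for calls never seen in the normal traces

# Constructed "normal" execution traces (whitespace-separated syscall names).
NORMAL_TRACES = [
    "open read read write close",
    "open read write write close",
    "open read read read write close",
    "mmap open read write close munmap",
    "open read write close open read close",
]
# Constructed attack-like trace: unseen calls in an unseen order.
ATTACK_TRACE = "open read execve setuid execve write close"
# Constructed benign trace containing one window that never appeared in training.
NOVEL_BENIGN_TRACE = "open read write write write close"


def windows(trace, k=WINDOW):
    """Sliding n-grams of length k over a trace string."""
    calls = trace.split()
    return [tuple(calls[i:i + k]) for i in range(len(calls) - k + 1)]


def build_vocab(traces):
    vocab = sorted({c for t in traces for c in t.split()})
    return {c: i for i, c in enumerate(vocab + [UNK])}


def encode(window, vocab):
    """Concatenated one-hot encoding: one block of len(vocab) slots per position."""
    v = len(vocab)
    x = [0.0] * (v * len(window))
    for pos, call in enumerate(window):
        x[pos * v + vocab.get(call, vocab[UNK])] = 1.0
    return x


def dist(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def train_som(samples, grid=GRID, epochs=60, seed=7):
    """Standard Kohonen training: neurons start at random training samples, then
    the best-matching unit and its lattice neighbours move toward each input with
    a learning rate and Gaussian neighbourhood width that decay over time."""
    rng = random.Random(seed)
    neurons = [list(rng.choice(samples)) for _ in range(grid * grid)]
    coords = [(i // grid, i % grid) for i in range(grid * grid)]
    steps, t = epochs * len(samples), 0
    for _ in range(epochs):
        order = samples[:]
        rng.shuffle(order)
        for x in order:
            frac = t / steps
            lr = 0.5 * (1 - frac) + 0.01 * frac
            sigma = 1.5 * (1 - frac) + 0.2 * frac
            bmu = min(range(len(neurons)), key=lambda i: dist(x, neurons[i]))
            bi, bj = coords[bmu]
            for n, (ci, cj) in zip(neurons, coords):
                h = lr * math.exp(-((ci - bi) ** 2 + (cj - bj) ** 2) / (2 * sigma ** 2))
                for idx in range(len(n)):
                    n[idx] += h * (x[idx] - n[idx])
            t += 1
    return neurons


def quantisation_error(x, neurons):
    """Distance from x to its best-matching unit: the per-window anomaly score."""
    return min(dist(x, n) for n in neurons)


class OneClassSOM:
    """Fit on normal traces only; a window is anomalous when its quantisation
    error exceeds the largest error observed on the normal training windows."""

    def __init__(self, normal_traces):
        self.vocab = build_vocab(normal_traces)
        samples = [encode(w, self.vocab) for t in normal_traces for w in windows(t)]
        self.neurons = train_som(samples)
        self.threshold = max(quantisation_error(x, self.neurons) for x in samples)

    def trace_score(self, trace):
        """Fraction of the trace's windows that fall outside the normal model."""
        ws = windows(trace)
        if not ws:
            return 0.0
        flagged = sum(quantisation_error(encode(w, self.vocab), self.neurons) > self.threshold
                      for w in ws)
        return flagged / len(ws)

    def is_intrusion(self, trace):
        return self.trace_score(trace) > 0.0


DETECTOR = OneClassSOM(NORMAL_TRACES)

if __name__ == "__main__":
    for name, trace in [("attack", ATTACK_TRACE), ("novel benign", NOVEL_BENIGN_TRACE)]:
        print(f"{name}: score={DETECTOR.trace_score(trace):.2f} "
              f"intrusion={DETECTOR.is_intrusion(trace)}")
```

Because each neuron block stays a probability vector over the vocabulary and no normal window ever uses the unknown-call slot, a window containing an unseen call is always far from every neuron, which is why the attack trace is flagged. The benign trace with a novel window shows where the false alarms in an approach like this come from: a rare but legitimate sequence scores like an attack, and lowering the threshold below the training maximum trades more of them for a higher detection rate.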

References:

[1] Forrest S, Hofmeyr S A, Somayaji A. Computer immunology[J]. Communications of the ACM, 1997, 40(10): 88-96.
[2] Somayaji A, Hofmeyr S, Forrest S. Principles of a computer immune system[A]. New Security Paradigms Workshop[C]. ACM: Boisuert R, 1998. 75-82.
[3] Warrender C, Forrest S, Pearlmutter B. Detecting intrusions using system calls: Alternative data models[A]. IEEE Symposium on Security and Privacy[C]. Oakland, CA, 1999. 133-145.
[4] Forrest S, Hofmeyr S A, Longstaff T A. A sense of self for Unix processes[A]. IEEE Symposium on Security and Privacy[C]. Oakland, CA, 1996. 120-128.
[5] Tax D M J. One-class classification[D]. Delft: Delft University of Technology, 2001. 1-190.
[6] Manevitz L M, Yousef M. One-class SVMs for document classification[J]. Journal of Machine Learning Research, 2001(2): 139-154.
[7] Rätsch G, Schölkopf B, Mika S, Müller K R. SVM and boosting: One class[R]. Berlin, Germany: GMD FIRST, Kekuléstr., 2000. 1-23.
[8] Chen Yunqiang, Zhou Xiangsean. One-class SVM for learning in image retrieval[A]. IEEE Intl Conf on Image Processing (ICIP 2001)[C]. Thessaloniki, Greece, 2001.
[9] Kohonen T. Self-organizing maps[M]. Berlin: Springer-Verlag, 1995. 117-119.
[10] Bishop M. A standard audit trail format[A]. Proceedings of the 18th National Information Systems Security Conference[C]. Baltimore: The National Computer Security Center, 1995. 136-145.
[11] MIT lpr DataSet[EB/OL]. http://www.cs.unm.edu/immsec/data/ 2000.
[12] Lee W, Stolfo S J, Mok K W. A data mining framework for building intrusion detection models[A]. Proc. of the 1999 IEEE Symposium on Security and Privacy[C]. Berkeley, CA, 1999. 120-132.
[13] Haykin S. Neural networks: A comprehensive foundation (Second Edition)[M]. Beijing: Tsinghua University Press, 2001.
[14] Hattori K, Takahashi M. A new nearest-neighbor rule in the pattern classification problem[J]. Pattern Recognition, 1999, 32: 425-432.
[15] Kim J, Bentley P. The artificial immune model for network intrusion detection[A]. 7th European Conference on Intelligent Techniques and Soft Computing (EUFIT'99)[C]. Aachen, Germany: EUFIT, 1999.

Similar Articles:

[1] WANG Fei, QIAN Yu-wen, WANG Zhi-quan, et al. Intrusion Detection Based on Unsupervised Clustering Algorithm[J]. Journal of Nanjing University of Science and Technology (Natural Science Edition), 2009, (03): 288.
[2] QIAN Xiao-dong, WANG Zhen-ou. Improvement of Clustering of ART2 Neural Network[J]. Journal of Nanjing University of Science and Technology (Natural Science Edition), 2007, (01): 71.
[3] Lin Baocheng, Huang Zhitong. A Method of SOFM as a Vector Quantizer in Speech Recognition[J]. Journal of Nanjing University of Science and Technology (Natural Science Edition), 1996, (01): 59.
[4] Geng Xiachen, Li Qianmu, Ye Dezhong, et al. Intrusion detection algorithm based on rough weightily averaged one-dependence estimators[J]. Journal of Nanjing University of Science and Technology (Natural Science Edition), 2017, 41(04): 420. [doi:10.14177/j.cnki.32-1397n.2017.41.04.004]

Memo:
Funding: China Postdoctoral Science Foundation (36th batch); Jiangsu Province Postdoctoral Foundation; Natural Science Foundation of Jiangsu Province (BK2005009). Author biography: PAN Zhi-song (1973- ), male, from Nanjing, Jiangsu; PhD; main research interests: network security, pattern recognition. E-mail: hotpzs@hotmail.com.
Last Update: 2006-02-28