基于异常的终端级入侵检测①熊文定,罗凯伦,李睿(东莞理工学院网络空间安全学院,东莞523808)通信作者:李睿,E-mail:ruili@dgut.edu.cn摘要:入侵检测技术作为计算机防护的主要技术手段,因具有适应性强、能识别新型攻击的优点而被广泛研究,然而识别率和误报率难以保证是该技术的主要瓶颈.为了提升异常检测技术的识别率并降低误报率,提出了一种终端级入侵检测算法(terminal-levelintrusiondetectionalgorithm,TL-IDA).在数据预处理阶段把终端日志切割成连续的小块命令序列,并引入统计学的常用指标为命令序列构建特征向量,再使用TL-IDA算法通过特征向量对用户建模.在此基础上,还提出了一种滑动窗口判别法,用于判断系统是否遭受攻击,从而提升入侵检测算法的性能.实验结果表明,TL-IDA算法的平均识别率和误报率分别达到了83%和15%,优于同类的基于异常技术的终端级入侵检测算法ADMIT、隐马尔可夫模型法等.关键词:计算机安全;异常技术;动态聚类;终端级入侵检测;滑动窗口判别法引用格式:熊文定,罗凯伦,李睿.基于异常的终端级入侵检测.计算机系统应用,2023,32(2):181–189.http://www.c-s-a.org.cn/1003-3254/8904.htmlAnomaly-basedTerminal-levelIntrusionDetectionXIONGWen-Ding,LUOKai-Lun,LIRui(SchoolofCyberspaceSecurity,DongguanUniversityofTechnology,Dongguan523808,China)Abstract:Asthemaintechnicalmeansofcomputerprotection,intrusiondetectiontechnologyhasbeenwidelystudiedduetoitsadvantagesofstrongadaptabilityandabilitytoidentifynewtypesofattacks.However,therecognitionrateandfalsealarmratearedifficulttoguarantee,whichisthemainbottleneckofthistechnology.Toimprovetherecognitionrateandreducethefalsealarmrateofanomalydetectiontechnology,thisstudyproposesaterminal-levelintrusiondetectionalgorithm(TL-IDA).Inthedatapreprocessingstage,theterminallogiscutintocontinuousandsmall-blockcommandsequences,andcommonstatisticalindicatorsareintroducedtoconstructfeaturevectorsforthecommandsequences.ThenTL-IDAisappliedtomodelusersthroughthefeaturevectors.Onthisbasis,aslidingwindowdiscriminationmethodisalsoproposedtojudgewhetherthesystemisunderattack,soastoimprovetheperformanceoftheintrusiondetectionalgorithm.Theexperimentalresultsshowthattheaveragerecognitionrateandfalsealarmrateofthe...
