基于数据包负载的网络入侵检测

通过分析正常的网络数据流负载的字节统计分布,提出了一个基于网络数据包负载的异常检测模型,模型的产生完全是自动的、无监督的和高效的.模型训练阶段,针对特定主机的每一个端口,计算经过该端口的数据包负载的字节出现频率的平均值和标准差,根据计算结果产生统计分布检测模型.检测阶段,利用马氏距离计算新的数据和训练阶段产生的统计模型的相似性,根据计算结果和距离临界值的比较检测入侵.使用1999 DARPA IDS数据集对所建模型进行测试,结果显示该模型对于检测某些针对特定的端口的攻击有效,特别是在检测80端口的数据包时,正确率几乎达到100%,而错误率为0.1%.

Packet Payload Based Anomalous Network Intrusion Detection

The paper presents a payload-based anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic, unsupervised and very effecient fashion, for intrusion detection. We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port. then, Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the pre-computed profile. The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold. The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset. In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.