
Defense-in-Depth Adaptive Intrusion Detection System
Cite this article: Wang Wei, Chen Xiuzhen, Guan Xiaohong, Zhang Xiangliang. Defense-in-Depth Adaptive Intrusion Detection System [J]. Journal of Xi'an Jiaotong University, 2005, 39(4): 339-342, 346.
Authors: Wang Wei, Chen Xiuzhen, Guan Xiaohong, Zhang Xiangliang
Affiliation: School of Electronic and Information Engineering, Xi'an Jiaotong University, Xi'an 710049
Funding: National Science Fund for Distinguished Young Scholars (6970025); National Natural Science Foundation of China (60243001); National High Technology Research and Development Program (2001AA140213, 2003AA142060).
Abstract: To detect intrusions comprehensively and improve detection accuracy, a defense-in-depth adaptive intrusion detection system model is proposed. Following the general order in which an intrusion affects a system, the model applies different methods to detect anomalies in the network packets, keystrokes, command sequences, audit logs, file system and system calls that belong to three layers: network behavior, user behavior and system behavior. Information fusion is then used to combine the results of the individual detectors into a sound intrusion decision. On this basis, a system security risk assessment method is proposed, from which a simple and efficient adaptive intrusion detection policy is derived. Preliminary experimental results show that the proposed defense-in-depth adaptive intrusion detection model detects anomalous system behavior comprehensively and effectively, adaptively and dynamically balances system security against system performance, and offers high detection accuracy with low consumption of system resources.

Keywords: intrusion detection; defense in depth; network security; information fusion
Article number: 0253-987X(2005)04-0339-04

Defense-in-Depth Adaptive Intrusion Detection System
Wang Wei, Chen Xiuzhen, Guan Xiaohong, Zhang Xiangliang. Defense-in-Depth Adaptive Intrusion Detection System [J]. Journal of Xi'an Jiaotong University, 2005, 39(4): 339-342, 346.
Authors: Wang Wei, Chen Xiuzhen, Guan Xiaohong, Zhang Xiangliang
Abstract: Aiming at detecting intrusions across the board and at improving detection accuracy, a novel model of a defense-in-depth adaptive intrusion detection system (IDS) is presented. In this model, the behaviors in a computer system are monitored according to the general order in which attacks affect the system and are divided into three layers: network behaviors, user behaviors and system behaviors. Various methods are then applied to the data streams obtained in the three layers, namely network packets, keystrokes, audit trails, command sequences, file system activity and system calls, to detect intrusions. The intrusion decision is made by combining the six individual inferences using an information fusion technique. Based on the risk assessment method proposed in this paper, an efficient adaptive policy is also derived so that the IDS consumes fewer system resources. The model is tested, and the results show that it detects intrusions effectively and balances system security against system performance adaptively and dynamically. The model is also promising in terms of detection accuracy, system resource requirements and practical implementation.
Keywords: intrusion detection; defense-in-depth; network security; information fusion
This article is indexed in CNKI, Weipu (维普), Wanfang Data and other databases.
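The abstract describes the architecture (six detectors in three layers, fusion of their inferences, a risk assessment, and a risk-driven policy that trades resource use for coverage) but this record page does not give the fusion rule, the risk formula or any thresholds. The following toy model is an added illustration written for this page, not the paper's code: the layer grouping and the feedback loop follow the abstract, while the weighted max-per-layer fusion, the risk = score × asset value formula, the detector costs, the thresholds and the constructed scores are all assumptions.

```python
"""Added toy model of a defense-in-depth adaptive IDS (illustration, not the
paper's code).  The six detectors, their grouping into three layers and the
risk-driven adaptive policy follow the abstract; the fusion rule, the risk
formula, the detector costs and the thresholds are ASSUMPTIONS made here."""
from typing import Dict, List

# Detector names grouped into the three layers, in the order in which an
# intrusion usually affects the system (network -> user -> system).
LAYERS: Dict[str, List[str]] = {
    "network": ["packets"],
    "user": ["keystrokes", "commands"],
    "system": ["audit_log", "filesystem", "syscalls"],
}

# Assumed relative cost of running each detector (arbitrary CPU units).
COST = {"packets": 1, "keystrokes": 1, "commands": 2,
        "audit_log": 3, "filesystem": 4, "syscalls": 5}

# Assumed layer weights: deeper layers observe the attack's real effect on
# the host, so their evidence counts more in the fused decision.
LAYER_WEIGHT = {"network": 1.0, "user": 1.5, "system": 2.0}

ALERT_THRESHOLD = 0.6  # assumed fused-score level at which an intrusion is declared


def fuse(scores: Dict[str, float]) -> float:
    """Weighted fusion of per-detector anomaly scores in [0, 1].

    Each layer contributes the score of its most anomalous active detector;
    layers whose detectors are all disabled drop out and the weights are
    renormalised over the remaining ones, so the result stays in [0, 1].
    """
    num = den = 0.0
    for layer, dets in LAYERS.items():
        active = [scores[d] for d in dets if d in scores]
        if not active:
            continue
        num += LAYER_WEIGHT[layer] * max(active)
        den += LAYER_WEIGHT[layer]
    return num / den if den else 0.0


def assess_risk(fused: float, asset_value: float) -> float:
    """Assumed risk formula: likelihood of compromise times asset value."""
    return fused * asset_value


def choose_detectors(risk: float, low: float = 1.0, high: float = 3.0) -> List[str]:
    """Adaptive policy: the cheap network layer always runs; the user layer is
    switched on once risk reaches `low`, and the costly system layer only once
    risk reaches `high`.  The thresholds are assumptions."""
    layers = ["network"]
    if risk >= low:
        layers.append("user")
    if risk >= high:
        layers.append("system")
    return [d for layer in layers for d in LAYERS[layer]]


def run_cycle(raw_scores: Dict[str, float], asset_value: float, prev_risk: float) -> dict:
    """One monitoring cycle: run only the detectors the policy enabled on the
    basis of the previous cycle's risk, fuse their scores, and reassess risk."""
    enabled = choose_detectors(prev_risk)
    scores = {d: raw_scores[d] for d in enabled}
    fused = fuse(scores)
    risk = assess_risk(fused, asset_value)
    return {
        "enabled": enabled,
        "fused": fused,
        "risk": risk,
        "cost": sum(COST[d] for d in enabled),
        "alert": fused >= ALERT_THRESHOLD,
    }


def simulate(asset_value: float = 5.0) -> List[dict]:
    """Constructed scenario: a quiet host, then a traffic anomaly, then an
    interactive intrusion that finally shows up in the audit log, file system
    and system calls.  All scores are made up for illustration."""
    quiet = dict.fromkeys(COST, 0.1)
    anomaly = {**quiet, "packets": 0.5}
    intrusion = {**anomaly, "keystrokes": 0.2, "commands": 0.7,
                 "audit_log": 0.8, "filesystem": 0.9, "syscalls": 0.95}
    history, risk = [], 0.0
    for raw in (quiet, anomaly, intrusion, intrusion):
        result = run_cycle(raw, asset_value, risk)
        history.append(result)
        risk = result["risk"]
    return history


if __name__ == "__main__":
    for i, r in enumerate(simulate(), 1):
        print(f"cycle {i}: enabled={r['enabled']} fused={r['fused']:.2f} "
              f"risk={r['risk']:.2f} cost={r['cost']} alert={r['alert']}")
```

Running the scenario shows the trade-off the abstract claims: while the host is quiet only the one-unit network detector runs, the rising risk after the traffic anomaly switches on the user-layer detectors, whose command-sequence evidence pushes the fused score past the alert threshold, and only then are the expensive system-layer detectors (total cost 16 units) enabled to confirm the intrusion. The renormalisation in `fuse` matters for this design: without it, disabled detectors would silently drag the fused score down and the policy could never escalate.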