异常检测中单类分类算法和免疫框架设计

基于主机系统执行迹的异常检测系统可以检测类似U2R和R2L这两类攻击。由于攻击数据难以获取，往往只能得到正常的系统调用执行迹数据。该文设计了基于自组织特征映射的单类分类器的异常检测模型，只利用正常数据建立分类器，所有偏离正常模式的活动都被认为是入侵。通过对主机系统执行迹数据集的测试，试验获得了对异常样本接近100％的检测率，而误报警率为4．9％。该文将单类分类器作为抗体检测器，运用人工免疫学原理建立了分布式的异常检测框架，使入侵检测系统具有分布式、自组织和高效的特性，为建立分布式的入侵检测提出一种新的思路。

One-class Classification and Immune Framework in Abnormal Detection

The abnormal detection using sequences of system calls can detect the behaviors like the U2R(User to root) and R2L(Remote to Local).Administrators usually can only get the normal sequences of system calls due to the difficult acquisition to the attack data.The one-class classifier based on an improved self-organizing maps algorithm was designed to resolve the one-class problem in abnormal detection.All activities deviated from the normal patterns are classified as an intrusion.In the experiments,the one-class classifier acquires 100 % detection rate and 4.9 % false alarm rate for sequences of system calls.A framework for the distributed intrusion detection is given based on the artificial immune theory and the detector algorithm based on the one-class classification is designed and discussed.The framework of the intrusion detection system is distributed,self-organizing and efficient.The approach provides a new idea of the future intrusion detection system.