基于粗糙集理论的入侵检测方法研究

项目名称： 基于粗糙集理论的入侵检测方法研究

项目编号： No.60802042

项目类型： 青年科学基金项目

立项/批准年度： 2009

项目学科： 金属学与金属工艺

项目作者： 江峰

作者单位： 青岛科技大学

项目金额： 20万元

中文摘要： 本项目着重解决当前的入侵检测系统 (IDS) 所存在的检测准确率低、误警率高等问题。我们认为对IDS中所具有的不确定性和不完整性进行有效地处理，是解决这些问题的关键因素之一。由于粗糙集理论是处理大数据量、不确定和不完整数据的有效工具，因此我们提出了一种基于粗糙集理论的入侵检测模型。项目所取得的主要成果有：(1) 通过分析入侵检测原始数据的特点，提出了三种基于粗糙集的原始数据预处理算法：数据补齐、离散化和属性约简。另外，我们还提出了两种基于粗糙集的特征选择方法，可以减少IDS的数据量。(2) 为了提高IDS对于新攻击的检测性能，提出了两种基于粗糙集的决策树算法，并由此提出了一种增量式决策树算法，用来增量式获取入侵检测规则。(3) 为了将离群点检测技术更好地应用于入侵检测，提出了一系列基于粗糙集的离群点检测方法。(4) 提出了一种基于粗糙集的层次化的报警信息融合与关联模型。该模型分为三个层次，其中第一层提供了一种基于粗糙集的报警信息补齐算法；第二层提供了一种基于粗糙集的报警信息约简算法，用来融合冗余的报警信息；第三层提供了一种基于粗糙集的报警信息聚类算法，用来将相关的报警信息关联在一起。

中文关键词： 入侵检测; 粗糙集; 不确定性与不完整性；离群点检测; 报警信息融合与关联

英文摘要： In this project, we focused on the main problems of the current intrusion detection systems (IDS), that is, the low detection rate and high rate of false alarms. We think that one of the key factors to solve these problems is to effectively deal with the uncertainty and incompleteness of IDS. Since rough set theory is an efficient tool for dealing with mass, uncertain and incomplete data, we proposed a new model for intrusion detection based on rough set theory. The main achievements of this project include: (1) By analyzing the characteristics of audit data in intrusion detection, we proposed three data pre-processing algorithms: data completion, discretization and attribute reduction, based on rough sets. Moreover, we proposed two feature selection algorithms based on rough sets, which can reduce the amount of data for IDS. (2) To improve the performance of IDS for new attacks, we proposed two decision tree algorithms based on rough sets, from which an incremental decision tree algorithm was also proposed to incrementally acquire intrusion detection rules. (3) To make the outlier detection technique more suitable for intrusion detection, we proposed a series of methods for outlier detection based on rough sets. (4) We proposed a hierarchical model for the aggregation and correlation of alerts based on rough set theory. The model is divided into three levels, where the first level provides a rough set based alerts completion algorithm, the second level provides a rough set based alerts reduction algorithm to aggregate the duplicate alerts, and the third level provides a rough set based alerts clustering algorithm to correlate related alerts.

英文关键词： Intrusion detection; rough sets; uncertainty and incompleteness; outlier detection; aggregation and correlation of alerts