The essence of edid is to set up a normal behavior fuzzy sub collection a on the basis of watching the normal system transfer of the privilege process , and set up a fuzzy sub collection b with real time transfer array , then detect with the principle of minimum distance in fuzzy discern method the innovation point of this paper is : put forward the method of edid , can not only reduce efficiently false positive rate and false negative rate , also make real time intrusion detection to become possibility ; have independent and complete character database , according to the classification of monitoring program , design normal behavior and anomaly behavior etc . , have raised the strongness of ids ; use tree type structure to preservation the character database , have saved greatly stock space ; in detection invade , carry out frequency prior principle , prior analysis and handling the behavior feature of high frequency in information table , have raised efficiency and the speed of detection , make real time intrusion detection to become possibility ; have at the same time realized anomaly intrusion detection and misuse intrusion detection , have remedied deficiency of unitary detection method 这种方法的实质是在监控特权进程的正常系统调用基础上建立正常行为模糊子集a ,用检测到的实时调用序列建立模糊子集b ,然后用模糊识别方法中的最小距离原则进行检测。本文的创新点是:通过对特权进程的系统调用及参数序列的研究,提出了基于euclidean距离的入侵检测方法edid ,不仅能有效降低漏报率和误报率,而且使实时入侵检测成为可能;设计有独立而完整的特征数据库,根据被监控程序的类别,分别设计正常行为、异常行为等,提高了检测系统的强健性和可伸缩性;特征数据库按树型结构存储,大大节省了存储空间;在检测入侵时,实行频度优先原则,优先分析和处理信息表中的高频度行为特征,提高检测的速度和效率,使实时入侵检测成为可能;同时实现了异常入侵检测和误用入侵检测,弥补了单一检测方法的不足。
Consequently , this system has low false alarm rate as well as low miss alarm rate . what ' s more , it has real - time data analyzing and responds on time . all these characters make this intrusion detection expert system have much more protecting capacity 本系统将模糊推理和并行推理相结合的推理技术用于对入侵特征的分析与辨识,构建起基于误用和基于异常相结合的入侵检测系统,使系统在保持以专家系统开发入侵检测系统误报率低的优势之外还降低了入侵检测的漏报率,而且数据分析更具实时性,响应及时有效。
In this paper , the mechanism , methods of and countermeasures to denial of services attacks are discussed . after that , several packet marking schemes for traceback are reviewed and some improvements to the basic packet marking scheme are given , which reduce the workload and false positive rate in the attack tree reconstruction . knowing that in existing packet marking schemes , router marks packets with fixed probability , which results in that many packets are required in path reconstruction and that attacker could encumber path reconstruction via spoofed marking information 在本文中,我们首先研究了拒绝服务攻击的攻击机制、方法及其对策,并对以包标记的方式追踪拒绝服务攻击的来源的各种方法进行了深入的研究,分析了它们各自的优缺点,并对基本包标记方案作了改进,使得其攻击路径重构时的运算量和重构的误报率在原有基础上大为降低,达到或超过了其他一些方案的水平。
