Abstract
Rule-based intrusion detection systems suffer from high false-positive and false-negative rates and slow detection speed. To address these problems, and building on protocol analysis, this paper proposes a decision-tree-based protocol decoding method. The method describes detection rules in Extended Backus-Naur Form (EBNF) and defines the corresponding inference rules; it gives algorithms for constructing an optimal decision tree and an incremental decision tree; and, by building a decision-tree-based intrusion detection system, it compares the method with simple pattern matching and with two other protocol decoding methods, one based on dynamic rule sets and one based on state transitions. Experimental results show that, compared with the other three methods, the EBNF-based protocol decoding method lowers the false-positive rate by 10.08%, 0.1% and 1.51% respectively, and the false-negative rate by 15.56%, 3.68% and 2.86% respectively.
Intrusion detection systems still face the problems of high false-positive rates, high false-negative rates and slow detection speed. To address them, this paper presents an inference system that describes detection rules in Extended Backus-Naur Form (EBNF), and provides an optimal decision tree algorithm and an incremental decision tree algorithm. The third section constructs a DT (Decision Tree)-based intrusion detection system and compares the improved method with traditional pattern matching, a dynamic-rule-set-based method and a state-transition-based method. The final part concludes that intrusion detection performance can be substantially improved with the optimized decision tree method: the false-positive rate decreases by 10.08%, 0.1% and 1.51% respectively, and the false-negative rate by 15.56%, 3.68% and 2.86% respectively, relative to the three other methods.
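Both abstracts describe the core idea only at a high level: instead of testing every rule against every packet, the decoded protocol fields are used as branch points of a decision tree, so a packet is classified by walking one path and the rule set is examined at most once per field. The following is an added illustration of that idea, not the paper's optimal or incremental tree construction and not its EBNF rule grammar: rules are represented as plain field==value constraints (a hypothetical, constructed rule set), the tree is built by splitting on the field that the most remaining rules constrain, rules that do not constrain the chosen field follow every branch, and a linear rule-by-rule matcher is kept alongside so the two can be checked against each other.

```python
from dataclasses import dataclass, field as dc_field
from typing import Dict, List, Optional, Tuple

# Constructed rule set (hypothetical, not from the paper). Each rule is an
# identifier plus constraints on already-decoded protocol fields; a field that
# a rule does not mention is a "don't care".
Rule = Tuple[str, Dict[str, object]]
RULES: List[Rule] = [
    ("R1", {"proto": "tcp", "dport": 80, "method": "GET"}),
    ("R2", {"proto": "tcp", "dport": 80, "method": "POST"}),
    ("R3", {"proto": "tcp", "dport": 21, "command": "USER"}),
    ("R4", {"proto": "udp", "dport": 53}),
    ("R5", {"proto": "tcp", "method": "GET"}),   # HTTP GET on any port
]


@dataclass
class Node:
    split_on: Optional[str] = None                      # field tested here (None => leaf)
    children: Dict[object, "Node"] = dc_field(default_factory=dict)
    wildcard: Optional["Node"] = None                   # branch for values no rule lists
    matches: List[str] = dc_field(default_factory=list) # rule ids at a leaf


def build_tree(rules: List[Rule], used: frozenset = frozenset()) -> Node:
    """Greedy construction: split on the not-yet-tested field constrained by
    the most remaining rules. Rules silent on that field are copied into
    every branch, which is what makes a single root-to-leaf walk sufficient."""
    counts: Dict[str, int] = {}
    for _, cons in rules:
        for f in cons:
            if f not in used:
                counts[f] = counts.get(f, 0) + 1
    if not counts:                                       # nothing left to test
        return Node(matches=[rid for rid, _ in rules])
    best = max(counts, key=lambda f: (counts[f], f))     # deterministic tie-break
    node = Node(split_on=best)
    by_value: Dict[object, List[Rule]] = {}
    wild: List[Rule] = []
    for rid, cons in rules:
        if best in cons:
            by_value.setdefault(cons[best], []).append((rid, cons))
        else:
            wild.append((rid, cons))
    for value, subset in by_value.items():
        node.children[value] = build_tree(subset + wild, used | {best})
    node.wildcard = build_tree(wild, used | {best})
    return node


def classify(root: Node, packet: Dict[str, object]) -> List[str]:
    """Walk one path; a missing or unlisted field value takes the wildcard branch."""
    node = root
    while node.split_on is not None:
        node = node.children.get(packet.get(node.split_on), node.wildcard)
    return list(node.matches)


def linear_match(rules: List[Rule], packet: Dict[str, object]) -> List[str]:
    """Reference matcher: test every rule against the packet."""
    return [rid for rid, cons in rules
            if all(packet.get(f) == v for f, v in cons.items())]


def path_length(root: Node, packet: Dict[str, object]) -> int:
    """Number of field tests the tree performs for this packet."""
    node, tests = root, 0
    while node.split_on is not None:
        node = node.children.get(packet.get(node.split_on), node.wildcard)
        tests += 1
    return tests


def agrees_with_linear(root: Node, rules: List[Rule],
                       packets: List[Dict[str, object]]) -> bool:
    """Cross-check: the tree must report exactly the rules the linear scan finds."""
    return all(sorted(classify(root, p)) == sorted(linear_match(rules, p))
               for p in packets)


TREE = build_tree(RULES)

# Constructed decoded packets (not captured traffic).
SAMPLE_PACKETS = [
    {"proto": "tcp", "dport": 80, "method": "GET"},
    {"proto": "tcp", "dport": 443, "method": "GET"},
    {"proto": "tcp", "dport": 21, "command": "USER"},
    {"proto": "udp", "dport": 53},
    {"proto": "icmp"},
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, "->", classify(TREE, p), f"({path_length(TREE, p)} field tests)")
    print("agrees with linear scan:", agrees_with_linear(TREE, RULES, SAMPLE_PACKETS))
```

The greedy split heuristic and the don't-care copying are the author's own simplifications for illustration; the paper's optimal and incremental constructions are not described in the abstract, so nothing here should be read as their implementation. The cross-check function is the part worth keeping when experimenting: any tree-construction change that drops the agreement with the linear scan is a correctness bug, not a speed-up.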
Source
《吉林大学学报(信息科学版)》
CAS
2007, No. 1, pp. 12-17 (6 pages)
Journal of Jilin University(Information Science Edition)
Funding
Supported by the National Natural Science Foundation of China (60372094)