7.2 MP在入侵检测中的应.docVIP

1实验数据集介绍 在进行入侵检测技术的研究中，信息收集是第一步工作。入侵检测技术工作的顺利很大程度上依赖于收集信息的可靠性和正确性。本课题研究和测试所使用的数据集都是KDD Cup99数据包，它是非常流行和广泛使用的数据包。 (1)数据结构分析 从数据集中抽取一条数据进行分析 0,tcp,http,SF,159,4087,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,5,5,0.00,0.00,0.00,0.00,1.00,0.00,0.00,11,79,1.00,0.00,0.09,0.04,0.00,0.00,0.00,0.00,normal. 观察得知词条数据共有41个有效字段。下面介绍每个有效字段含义： 第1-9字段为独立TCP连接的基本特征 feature name description type 1 duration 持续时间? length (number of seconds) of the connection?连接长度（秒数） Continuous 连续型 2 protocol_type?协议类型 type of the protocol, e.g. tcp, udp, etc.? discrete 离散型 3 service?提供服务 network service on the destination, e.g., http, telnet, etc.?目标的网络服务 discrete离散型 4 flag?标记 normal or error status of the connection? discrete? 5 src_bytes?源字段 number of data bytes from source to destination?从数据源到目的地 continuous 6 dst_bytes?目的字段 number of data bytes from destination to source?从目的地到数据源 continuous 7 land?登陆 1 if connection is from/to the same host/port; 0 otherwise?连接是否同主机或同端口 discrete 8 wrong_fragment?出错帧 number of ``wrong fragments? continuous 9 urgent?紧急包 number of urgent packets? continuous 第10-22字段为连接中所包含的主要特征 feature name description type 10 hot?热点 number of ``hot indicators指示器数量 Continuous连续型 11 num_failed_logins?登录失败 number of failed login attempts?尝试登录失败 continuous 12 logged_in?成功登录 1 if successfully logged in; 0 otherwise? discrete离散型 13 num_compromised警戒数? number of ``compromised conditions? continuous 14 root_shell?启动权 1 if root shell is obtained; 0 otherwise? discrete 15 su_attempted? 1 if ``su root command attempted; 0 otherwise? discrete 16 num_root? number of ``root accesses?接受的root访问数 continuous 17 num_file_creations? Number of file creation operations?建立文件操作数 continuous 18 num_shells? Number of shell prompts?“shell”提示数 continuous 19 num_access_files? number of operations on access control files?对访问控制文件的操作数 continuous 20 num_outbound_cmds number of outbound commands in an ftp session? 在FTP会话中对外开放命令数 continuous 21 is_hot_login? 1 if the login belongs to the ``hot list; 0 otherwise?