基于特征的入侵检测系统的评估新方法.PDFVIP

于特征的入侵检测系统的评估新方法1 孙美凤1,2 龚俭1 杨望1 1 （东南大学计算机科学与工程系，江苏省计算机网络技术重点实验室，江苏 南京 2 10096) 2 （扬州大学信息工程学院计算机系，江苏 扬州 225000) A new approach to evaluate the capacity of signature-based intrusion detection systems Sun Meifeng1,2 Gong Jian1 Yang Wang1 1 (Department of Computer Science and Engineering, Southeast University, Nanj ing 2 10096, China) 2 (College of Information Engineering , Yangzhou University, Yangzhou 225000, China) Abstract: Existing intrusion detection system (IDS) evaluation methods take an IDS as a black-box, and deduce its detection capabilities by observing its outputs under a traffic mixture of normal usages and attacks. The results by such an evaluation method reflect the capacity of a signature-based IDS, which is determined by its implementation combined with human knowledge input in it. Since the detection rule format and its semantic definition may vary, the precondition for the evaluation is not equal in fact. Therefore, the current methods are not reasonable enough, and the results may change as the detection rule changes. In this paper, we propose a new evaluation method for signature-based IDS, which views the human knowledge as IDS parameters, and evaluates the capability of IDS implementation only. We focus on the definition of metrics. Additionally, we also introduce how to calculate the value of metrics. A prototype is implemented which shows that this new method can evaluate the real capacity better for a signature-based IDS. Keywords: intrusion detection, signature-based intrusion detection system, evaluation 要：目前评估方法将IDS 看作一个黑盒子，通过观察它在模拟的正常用户行为和入侵作用下的输出来 推断其在实际环境中表现出的检测能力。对基于特征的IDS ，这种表现出的检测能力反映IDS 实现和预置 人工知识的综合质量。由于IDS 各自定义所使用的检测规则，并且在定义之后，规则及其数量还可能变化， 所以IDS 在评估时表现出的检测能力与实际运行中表现出的能力可能不同，这就失去了评估的意义。本文 提出一种基于系统能力的评估方法，该方法把人工知识视为评估参数，因此结论反映IDS 实现的质量。本 文重点讨论系统能力的测度定义，并简单介绍测度计算的总体思路。实验结果表明本文方法更能反映基于 特征的IDS 的真实质量。 关键字：入侵检测；基于特征的入侵检测系统；评估 中图分类号：TP393 1 引言 20 世纪80 年代以来，随着对入