Machine Learning for Intrusion Detection
Course URL: http://videolectures.net/mmdss07_laskov_mlit/
Lecturer: Pavel Laskov
Institution: Fraunhofer Institute for Intelligent Analysis and Information Systems (IAIS)
Date: 2007-11-26
Language: English
Abstract: Intrusion detection is one of the core technologies of computer security. The goal of intrusion detection is the identification of malicious activity in a stream of monitored data, which can be network traffic, operating system events or log entries. A majority of current intrusion detection systems (IDS) follow a signature-based approach in which, similar to virus scanners, events are detected that match specific pre-defined patterns known as "signatures". The main limitation of signature-based IDS is their failure to identify novel attacks, and sometimes even minor variations of known patterns. Besides, a significant administrative overhead is incurred by the need to maintain signature databases. Machine learning offers a major opportunity to improve the quality and to facilitate the administration of IDS. Supervised learning can be used for automatic generation of detectors without a need to manually define and update signatures. Anomaly detection and other unsupervised learning techniques can detect new kinds of attacks provided they exhibit unusual characteristics in some feature space. In our contribution, kernel- and distance-based learning algorithms for network intrusion detection will be presented. The two essential parts of our approach are online learning algorithms and feature extraction. The major requirements on the algorithmic part are linear run-time, online learning and data type abstraction. Simple but effective anomaly detection algorithms will be presented that satisfy these requirements (1). Feature extraction algorithms can be reduced to the computation of similarity measures between sequential objects. In order to access the features of the application-layer network protocols, in which most modern remote exploits operate, similarity measures are computed directly over the byte streams of TCP connections. Algorithms and data structures will be presented that allow efficient computation of similarity measures in linear time with very low run-time constants and memory consumption (2).
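The abstract states the two ingredients of the approach, a similarity measure computed directly over the bytes of a TCP connection and an anomaly detector that learns online in linear time, without saying which measure or detector is used. The Python block below is an added example written for this page, not code from the lecture or from Laskov's group: it uses cosine similarity over sparse byte n-gram count vectors (one common instance of a similarity measure between sequential objects) and a centroid detector that keeps the running mean of normal payloads and scores a new payload by its distance to that mean. The n-gram length N = 3, the centroid model, the threshold rule and the HTTP requests are all assumptions constructed for illustration.

```python
"""Added example (not code from the lecture or from Laskov's group):
byte n-gram similarity over application-layer payloads and an online
centroid anomaly detector that scores a payload by its distance to the
mean of normal traffic.  Both run in time linear in the payload length:
only the n-grams that actually occur are stored (a sparse vector), never
the 256**n-dimensional feature space."""
from collections import Counter
import math

N = 3  # n-gram length: an assumption for this example, not the lecture's value


def ngram_vector(payload: bytes, n: int = N) -> dict:
    """Sparse unit-length vector of n-gram counts, built in one pass."""
    counts = Counter(payload[i:i + n] for i in range(len(payload) - n + 1))
    norm = math.sqrt(sum(c * c for c in counts.values())) or 1.0
    return {g: c / norm for g, c in counts.items()}


def ngram_similarity(a: bytes, b: bytes, n: int = N) -> float:
    """Cosine similarity of two byte strings in n-gram space, O(len(a)+len(b)):
    iterate the smaller sparse vector and look each n-gram up in the other."""
    va, vb = ngram_vector(a, n), ngram_vector(b, n)
    if len(va) > len(vb):
        va, vb = vb, va
    return sum(w * vb.get(g, 0.0) for g, w in va.items())


class CentroidDetector:
    """Online anomaly detector.  The model is the mean C = S / count of the
    unit n-gram vectors of the normal payloads seen so far.  learn() keeps the
    running sum S and |S|^2, so an update costs one pass over the new payload;
    score() uses |x - C|^2 = |x|^2 + |C|^2 - 2 x.C, so it only visits the
    n-grams of the payload being scored, never the whole model."""

    def __init__(self, n: int = N):
        self.n = n
        self.count = 0
        self.total = {}      # S: sparse sum of unit vectors
        self.total_sq = 0.0  # |S|^2, maintained incrementally

    def learn(self, payload: bytes) -> None:
        x = ngram_vector(payload, self.n)
        x_dot_s = sum(w * self.total.get(g, 0.0) for g, w in x.items())
        x_sq = sum(w * w for w in x.values())  # 1.0 unless payload is shorter than n
        self.total_sq += 2.0 * x_dot_s + x_sq   # |S + x|^2 = |S|^2 + 2 S.x + |x|^2
        for g, w in x.items():
            self.total[g] = self.total.get(g, 0.0) + w
        self.count += 1

    def score(self, payload: bytes) -> float:
        """Euclidean distance between the payload's unit vector and the centroid."""
        if self.count == 0:
            raise ValueError("no normal payloads learned yet")
        x = ngram_vector(payload, self.n)
        x_dot_s = sum(w * self.total.get(g, 0.0) for g, w in x.items())
        x_sq = sum(w * w for w in x.values())
        d2 = x_sq + self.total_sq / self.count ** 2 - 2.0 * x_dot_s / self.count
        return math.sqrt(max(d2, 0.0))  # clamp rounding error below zero


# Constructed sample traffic (not captured data): requests to one web host,
# one held-out normal request, and one request carrying a NOP-sled style
# binary payload in the URL.
NORMAL = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: image/png\r\n\r\n",
    b"GET /news.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.68.0\r\nAccept: */*\r\n\r\n",
    b"GET /style.css HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/css\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 27\r\n\r\nuser=alice&password=secret1",
]
HELD_OUT = b"GET /contact.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n"
ATTACK = (b"GET /cgi-bin/search?q=" + b"\x90" * 200 + b"\xcc\x31\xc0\x50\x68" * 10
          + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n")


def run_demo() -> dict:
    """Train on NORMAL, take the largest training distance as the threshold
    (a crude rule, see the note below), and score the two test payloads."""
    det = CentroidDetector()
    for p in NORMAL:
        det.learn(p)
    threshold = max(det.score(p) for p in NORMAL)
    return {
        "threshold": threshold,
        "held_out": det.score(HELD_OUT),
        "attack": det.score(ATTACK),
        "sim_normal": ngram_similarity(NORMAL[0], NORMAL[1]),
        "sim_attack": ngram_similarity(NORMAL[0], ATTACK),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:10s} {value:.3f}")
```

Run as a script, the held-out request lands close to the centroid while the request with the binary sled scores above every training payload. The threshold taken from the training maximum is only for illustration; in practice the threshold is calibrated on separate normal traffic against an acceptable false-positive rate, and the byte-level model has to be re-learned or adapted when the protected application changes, since any legitimate new content type looks anomalous until the centroid has absorbed it.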
Keywords: intrusion detection; computer security; data streams
Source: 视频讲座网 (VideoLectures.NET)
Last reviewed: 2021-01-15: yumf
Views: 65