Computer Engineering and Applications (计算机工程与应用) ›› 2020, Vol. 56 ›› Issue (8): 81-86. DOI: 10.3778/j.issn.1002-8331.1812-0214

• Network, Communication and Security •

Cross-Protocol Anomaly Detection Algorithm Based on HMM
(original Chinese title: 多协议交叉的HMM协议异常检测算法)

WU Chutian (吴楚田), CHEN Yongle (陈永乐), CHEN Junjie (陈俊杰)

  1. College of Information and Computer, Taiyuan University of Technology, Taiyuan 030024, China
  • Online: 2020-04-15  Published: 2020-04-14

Abstract:

As network attacks grow more diverse, existing protocol anomaly detection work faces new challenges in accuracy and real-time performance. Most current protocol anomaly detection methods only detect malicious attacks against a single protocol and do not consider the associations between protocols. This paper proposes an HMM-based cross-protocol anomaly detection algorithm. The semantic keywords and time stamps of messages from multiple protocols are used to construct message sequences that serve as the model's training set. A protocol message semantic merging algorithm (protocol-state merge) is proposed and combined with the Baum-Welch algorithm to build a cross-protocol HMM. While the protocol messages are serialized, the number of repeated subsequences is collected so that attacks made up of a large number of looped operations can be verified beyond what the HMM alone detects. Simulation experiments in a video surveillance (IP-camera) network show that, compared with existing HMM anomaly detection methods, the algorithm detects multiple kinds of malicious attacks more accurately and has a degree of generality.

Key words: anomaly detection, protocol behavior modeling, cross-protocol detection, Hidden Markov Model (HMM)
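The detection pipeline the abstract describes, as an added Python example that is not the paper's code: constructed RTSP and HTTP messages (standing in for video surveillance traffic) are serialized by time stamp into one keyword sequence, scored with the forward algorithm under a cross-protocol HMM whose states and parameters are assumed values in place of a Baum-Welch trained model, and checked against a subsequence repeat count (its definition here is an assumption) that catches a looping attack the HMM alone accepts.

```python
import math
from collections import Counter
# Added example, not the paper's code. The hidden states are coarse session phases and the
# parameters are assumed values; observations are "PROTOCOL:KEYWORD" tokens from RTSP and HTTP.
STATES = ["setup", "streaming", "config"]
START = {"setup": 0.8, "streaming": 0.1, "config": 0.1}
TRANS = {"setup": {"setup": 0.6, "streaming": 0.35, "config": 0.05},
         "streaming": {"setup": 0.05, "streaming": 0.9, "config": 0.05},
         "config": {"setup": 0.1, "streaming": 0.05, "config": 0.85}}
EMIT = {"setup": {"RTSP:OPTIONS": 0.3, "RTSP:DESCRIBE": 0.35, "RTSP:SETUP": 0.35},
        "streaming": {"RTSP:PLAY": 0.4, "RTSP:OPTIONS": 0.2, "RTSP:TEARDOWN": 0.4},
        "config": {"HTTP:GET": 0.5, "HTTP:POST": 0.5}}
FLOOR = 1e-3  # assumed smoothing: a keyword a phase never emits keeps a tiny probability

def serialize(messages):
    """Merge messages from several protocols into one sequence ordered by time stamp."""
    return [f"{proto}:{keyword}" for _, proto, keyword in sorted(messages)]

def _logsumexp(xs):
    m = max(xs)
    return m + math.log(sum(math.exp(x - m) for x in xs))

def forward_loglik(seq):
    """Forward algorithm in log space: log P(seq | model) averaged per token."""
    alpha = {s: math.log(START[s] * EMIT[s].get(seq[0], FLOOR)) for s in STATES}
    for tok in seq[1:]:
        alpha = {s: _logsumexp([alpha[p] + math.log(TRANS[p][s]) for p in STATES])
                 + math.log(EMIT[s].get(tok, FLOOR)) for s in STATES}
    return _logsumexp(list(alpha.values())) / len(seq)

def max_repeat(seq, k=2):
    """Subsequence repeat number (assumed definition): count of the most frequent k-token window."""
    return max(Counter(tuple(seq[i:i + k]) for i in range(len(seq) - k + 1)).values(), default=0)

def detect(seq, ll_threshold=-3.0, repeat_threshold=5):
    """Flag a sequence the HMM finds unlikely, or one it accepts that is really a loop."""
    if forward_loglik(seq) < ll_threshold:
        return "anomalous: low sequence likelihood"
    if max_repeat(seq) >= repeat_threshold:
        return "anomalous: repeated subsequence"
    return "normal"

# Constructed captures as (time stamp, protocol, semantic keyword) triples.
NORMAL_SESSION = serialize([(1.0, "RTSP", "OPTIONS"), (1.2, "RTSP", "DESCRIBE"), (1.4, "RTSP", "SETUP"),
                            (1.6, "RTSP", "PLAY"), (31.0, "RTSP", "OPTIONS"), (60.0, "RTSP", "TEARDOWN"),
                            (61.0, "HTTP", "GET"), (62.0, "HTTP", "POST")])
# Configuration writes interleaved with playback requests: a cross-protocol order the model never saw.
INTERLEAVED_ATTACK = serialize([(t, "HTTP", "POST") for t in (1, 3, 5)] + [(t, "RTSP", "PLAY") for t in (2, 4, 6)])
# Twelve identical form submissions: each message is plausible alone; only the repeat count gives it away.
REPEATED_POSTS = ["HTTP:POST"] * 12
```

`detect(NORMAL_SESSION)` returns "normal", the interleaved sequence is flagged by likelihood alone, and the repeated POSTs pass the HMM and are flagged only by the repeat count.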