Abstract

With the rapid development of network technology, the network environment has become increasingly complex. For network security, firewall technology on its own has exposed obvious deficiencies and weaknesses. To make up for the shortcomings of firewalls and to provide real-time monitoring and protection for network security, intrusion detection systems came into being. A survey of related research at home and abroad shows that existing intrusion detection systems commonly suffer from several drawbacks, mainly: the false alarm rate of intrusion detection is too high, detection is too slow, unknown types of attack cannot be detected, and precise judgements cannot be made about sophisticated and organized attacks.

The Intrusion Detection System Based on Distributed Data Mining (DM-IDS) is a new type of intrusion detection system developed to address the drawbacks above. The system consists of two parts: the data mining client (Client) and the data mining console (Console). The data mining client uses distributed data mining techniques to extract useful information from large volumes of historical data; the data mining console generates new detection rules by comparing the intrusion rule base with the normal rule base. Together they form a dynamic, extensible, real-time intrusion detection system.

The data mining console is implemented at the application layer and uses a mechanism for dynamically adding and deleting old and new rules; the data mining client is implemented at the kernel layer and uses an intrusion decision model based on the Risk-sensitive principle together with anomaly intrusion detection techniques based on data mining. The combination of the two forms a dynamic security intrusion detection system suited to distributed environments.

From tests of the system's attack recognition, system performance and other aspects, the following conclusions can be drawn: each host is responsible only for handling attacks against itself, so intrusions can be detected quickly; introducing anomaly detection into the system through data mining detects intrusion behaviour of unknown patterns; introducing the intrusion decision model based on Risk-sensitive theory and the intrusion detection technique based on Outlier theory effectively reduces the false alarm rate; distributed data mining reduces the consumption of network resources; and dynamically adding new rules to the intrusion rule base gives the system real-time detection and dynamic extension capabilities.

Keywords: intrusion detection system; false alarm rate; data mining; misuse intrusion detection; anomaly intrusion detection; global response; dynamic load balancing

Abstract

With the rapid development of network technology, the network environment becomes more and more complicated. With regard to network security, obvious deficiencies and disadvantages have been exposed in the single firewall technique. To make up for the deficiencies of firewalls and to provide real-time inspection and protection for the network, the intrusion detection system (IDS) emerges as the times require. According to related work around the world, current IDSs have some disadvantages: IDSs have a low intrusion detection rate and a high false alert rate; IDSs cannot deal with unknown attacks and cannot make exact determinations for artful and organized attacks.

The Intrusion Detection System Based on Distributed Data Mining (DM-IDS) is proposed to solve these problems. It consists of two parts: the Data Mining Client and the Data Mining Console. The client picks up useful information from vast historical data using data mining techniques, and the console builds new detection rules by comparing the intrusion rule database with the normal rule database. DM-Client and DM-Console together compose a dynamic and extensible real-time intrusion detection system.

The Console is implemented in the application layer, using a mechanism for dynamically adding and deleting rules. The Client is implemented in the kernel layer, using an intrusion decision-making module based on Risk-sensitive theory and abnormal intrusion detection techniques based on data mining. The combination of Console and Client forms a dynamic security intrusion detection system for distributed environments.

From the experiments that evaluate the system's performance, we can draw the following conclusions. Each node only processes the intrusions aimed at itself, so it can detect intrusions in real time. Abnormal detection techniques are applied in our system, so DM-IDS can detect novel attacks. Intrusion detection techniques based on Risk-sensitive theory and Outlier theory reduce the false alert rate to a minimum. DM-IDS reduces the utilization of network resources. The system can dynamically add new rules to the intrusion rule library, which gives it real-time detection and dynamic extension.

Keywords: Intrusion Detection System; False Alert Rate; Data Mining; Misuse Intrusion Detection; Abnormal Intrusion Detection; Global Response; Dynamic Load Balancing

Contents

Abstract (Chinese) ... I
Abstract ... II
1. Introduction ... 1
1.1 Overview of intrusion detection systems ... 1
1.2 Overview of data mining techniques ... 4
1.3 Related concepts ... 5
1.4 Structure of this thesis ... 6
2. System architecture and working principle ... 7
2.1 Limitations of traditional intrusion detection systems ... 7
2.2 System architecture ... 8
2.3 Module division and workflow ... 10
2.4 Functional specifications of the main system modules ... 12
2.5 Position and role of data mining in the system ... 14
2.6 Summary ... 14
3. System design difficulties and key technologies ... 16
3.1 Raw data collection ... 16
3.2 Implementation of data mining techniques in the system ... 17
3.3 Training the system prototype ... 19
3.4 Summary ... 19
4. Design and implementation of the data mining console ...