电脑知识与技术
COMPUTER KNOWLEDGE AND TECHNOLOGY
2015
Issue 1
Pages 38-41, 50
5 pages in total
吴冬惠%杨印根%李成林%吴菲
EFSA model%State protocol analysis%Pattern matching%False positive rate
To improve the intrusion detection rate and reduce the false positive rate, an extended finite state automaton (EFSA) intrusion detection model based on state protocol analysis technology is proposed. The model constructs an EFSA to describe the state transitions and changes of an attack; the EFSA model can be expressed as a six-tuple, M = (P, Q, Σ, W, q0, F). With this model, on the one hand, received data packets are mapped to protocol state transitions to build a finite state automaton, and the presence of an attack is judged by whether the inspected data is accepted by the automaton. On the other hand, the data to be inspected is split by protocol, which improves detection accuracy, reduces the amount of pattern-matching computation, and raises the detection rate. The experiment uses KDD CUP 99 as the test data set, and the results show that the intrusion detection method based on the EFSA model achieves a better detection rate and a lower false positive rate than a detection model based on a five-tuple automaton.