
Computer Engineering ›› 2006, Vol. 32 ›› Issue (19): 29-30,3. doi: 10.3969/j.issn.1000-3428.2006.19.011

• Degree Paper

Network-based Intrusion Detection System Using Rough Set

ZHANG Hongmei 1,2, WANG Yong 1,2, WANG Xingyu 1   

  1. School of Information Science and Engineering, East China University of Science & Technology, Shanghai 200237
  2. Network Information Center, Guilin University of Electronic Technology, Guilin 541004
  • Received: 1900-01-01 Revised: 1900-01-01 Online: 2006-10-05 Published: 2006-10-05

Abstract: Most current products and models are poor at detecting novel attacks, failing to reach an acceptable level of accuracy or false alarms. To address this problem, a network-based intrusion detection system is established, and many up-to-date attack tools are used to attack the network. On the basis of the intrusion experiment, 29 variables are chosen as intrusion features to characterize the status of a network connection. Rough set theory is then applied as the detector for network connections. The experimental results indicate that the features extracted from network connections are good indicators of the status of the network, and that rough set theory is powerful in multi-class classification as well as effective in detecting unknown attacks.

Key words: Intrusion detection system (IDS), Rough sets, Indiscernibility, Discretization, Data reduction
