
Researches On OPM-kNN Based Distributed Intrusion Detection

Posted on: 2020-12-25
Degree: Master
Type: Thesis
Country: China
Candidate: X L Liao
Full Text: PDF
GTID: 2428330590958373
Subject: Computer system architecture
Abstract/Summary:
With the increasing complexity of the computing network environment, traditional intrusion detection methods suffer, under mass data, from limited processing capacity and single points of failure. Intrusion detection based on provenance graphs and paths is not suited to streaming data in a big-data environment: an overly long provenance path not only increases detection time but also lowers the detection rate and raises the false alarm rate. In this work, the relationship between processes and system calls is highly abstracted according to the provenance model, so that process features can be extracted and the kNN (k-Nearest Neighbors) algorithm applied for detection without integrating provenance graphs, which improves the ability to process streaming data in big-data environments. The method pre-processes the collected provenance information to construct the test set, reducing the space overhead caused by the provenance information itself. For the distributed mass-data environment, the Kafka message distribution system is used to distribute messages and improve detection efficiency. A distributed intrusion detection method based on OPM-kNN is proposed to improve the detection rate and reduce the false alarm rate. By using the characteristics of the provenance graph, the source of the vulnerability can be obtained by analyzing the intrusion path. Test results show that this method improves accuracy by 0.4%~15% and reduces detection time by 63%~71% compared with the intrusion detection method based on provenance graphs and paths. Compared with the provenance-based sliding window algorithm, it improves accuracy by 59%~80% and reduces detection time by 98%. The results show that the method has better detection capability and higher detection performance, and that the overhead of the provenance information is within an acceptable range.
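As an added illustration (not code from the thesis), the following Python sketch shows the core idea of the abstract: per-process feature vectors are built from a stream of (process, system call) provenance records without assembling a provenance graph, and a kNN vote over labelled reference vectors classifies each process. The syscall vocabulary, the event streams and their labels are constructed for the example, and the Kafka distribution layer is omitted.

```python
import math
from collections import Counter, defaultdict

# Fixed system-call vocabulary (assumption of this example); any other call maps
# to "other" so every process yields a vector of the same length on streaming input.
VOCAB = ["open", "read", "write", "close", "execve", "connect", "fork", "other"]

def process_features(events):
    """events: iterable of (pid, syscall) provenance records from a stream.
    Returns {pid: normalized syscall histogram}, i.e. the process feature vector."""
    counts = defaultdict(Counter)
    for pid, call in events:
        counts[pid][call if call in VOCAB else "other"] += 1
    return {pid: [c[s] / sum(c.values()) for s in VOCAB] for pid, c in counts.items()}

def knn_label(vector, reference, k=3):
    """Majority vote among the k reference vectors nearest (Euclidean) to vector.
    reference: list of (vector, label)."""
    nearest = sorted((math.dist(vector, v), label) for v, label in reference)[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]

# Constructed labelled reference streams (not data from the thesis): ordinary
# file-handling processes versus processes that repeatedly spawn and connect out.
BENIGN_EVENTS = [("b1", "open"), ("b1", "read"), ("b1", "read"), ("b1", "write"), ("b1", "close"),
                 ("b2", "open"), ("b2", "read"), ("b2", "close"), ("b2", "read"), ("b2", "write")]
ATTACK_EVENTS = [("a1", "execve"), ("a1", "connect"), ("a1", "fork"), ("a1", "execve"), ("a1", "connect"),
                 ("a2", "connect"), ("a2", "execve"), ("a2", "fork"), ("a2", "fork"), ("a2", "connect")]

def build_reference():
    """Pre-processing step: turn the labelled provenance streams into reference vectors."""
    reference = [(v, "benign") for v in process_features(BENIGN_EVENTS).values()]
    reference += [(v, "attack") for v in process_features(ATTACK_EVENTS).values()]
    return reference

def detect(events, reference, k=3):
    """Classify every process seen in one batch of streamed records."""
    return {pid: knn_label(v, reference, k) for pid, v in process_features(events).items()}

if __name__ == "__main__":
    batch = [("x", "execve"), ("x", "connect"), ("x", "execve"), ("x", "fork"),
             ("y", "open"), ("y", "read"), ("y", "write"), ("y", "close")]
    print(detect(batch, build_reference()))  # {'x': 'attack', 'y': 'benign'}
```

In a deployment each Kafka consumer would run `detect` over its own partition of the record stream against a shared reference set, which is what keeps the method free of a single point of failure.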
Keywords/Search Tags: intrusion detection, provenance model, kNN, distributed intrusion detection