1

我正在使用 KDD1999 数据集来防止入侵,但我对这些功能有一些疑问:有人可以向我解释或告诉我标志的含义。以下是 KDD1999 数据集中使用的标志列表:

'flag' { 'OTH', 'REJ', 'RSTO', 'RSTOS0', 'RSTR', 'S0', 'S1', 'S2', 'S3', 'SF', 'SH' }

这是 KDD 数据集记录的示例:

0,udp,private,SF,105,146,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,254,1.00,0.01,0.00,0.00,0.00,0.00,0.00,0.00,normal.
0,udp,private,SF,105,146,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,254,1.00,0.01,0.00,0.00,0.00,0.00,0.00,0.00,normal.
0,udp,private,SF,105,146,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,254,1.00,0.01,0.00,0.00,0.00,0.00,0.00,0.00,normal.
0,udp,private,SF,105,146,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,254,1.00,0.01,0.00,0.00,0.00,0.00,0.00,0.00,snmpgetattack.
4

1 回答 1

2

首先,请注意数据集有缺陷,不应使用KDNuggets 声明)。粗略地说有两个原因:A)它根本不现实,特别是对于现代攻击(哎呀,甚至对于 1998 年的真正攻击!) - 今天,大多数攻击都是通过木马的 SQL 注入和密码盗窃,两者都不是用这种数据可以检测到。B)数据集以攻击为中心,因此它由带有一些背景噪声的攻击组成;虽然实际流量主要是数据和一些攻击,C)它是用一个主要的虚拟网络模拟的,你只能通过模拟的网络拓扑来检测“攻击”。

从通常预处理版本的文档来看,flags 是连接状态的派生值,即对连接尝试的回复是否为 TCP REJ、TCP RST 等。

于 2013-06-10T21:32:21.383 回答