KDD1999数据集要素排除

Question

我正在使用KDD1999数据集来防止入侵，但我对这些功能有一些问题:有人能给我解释一下或告诉我这些标志的含义吗？以下是KDD1999数据集中使用的标志列表：

'flag' { 'OTH', 'REJ', 'RSTO', 'RSTOS0', 'RSTR', 'S0', 'S1', 'S2', 'S3', 'SF', 'SH' }

以下是KDD数据集记录的示例：

0,udp,private,SF,105,146,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,254,1.00,0.01,0.00,0.00,0.00,0.00,0.00,0.00,normal.
0,udp,private,SF,105,146,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,254,1.00,0.01,0.00,0.00,0.00,0.00,0.00,0.00,normal.
0,udp,private,SF,105,146,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,254,1.00,0.01,0.00,0.00,0.00,0.00,0.00,0.00,normal.
0,udp,private,SF,105,146,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,254,1.00,0.01,0.00,0.00,0.00,0.00,0.00,0.00,snmpgetattack.

Answer 1

首先，注意数据集是有缺陷的，不应该使用 (KDNuggets statement)。粗略地说有两个原因: A)这根本不现实，特别是对于现代攻击(见鬼，甚至不是1998年的真正攻击！)-今天，大多数攻击都是通过特洛伊木马的SQL注入和密码窃取，这两种攻击都不会被这种类型的数据检测到。B)数据集中是围绕攻击的，所以它由带有一些背景噪声的攻击组成；而实际流量将是大量的数据和一些攻击；C)它是用一个很大程度上虚拟的网络模拟的，只能通过模拟的网络拓扑来检测“攻击”。

从通常的预处理版本的文档判断，标志是连接状态的导出值，即对连接尝试的回复是否是TCP REJ、TCP RST等。