
Research On The Protocol Anomaly Detection Based On Markov Chain

Posted on: 2006-10-24
Degree: Master
Type: Thesis
Country: China
Candidate: N Li
GTID: 2168360155462584
Subject: Computer software and theory
Abstract/Summary:
The open Internet provides great convenience for information sharing and interaction, but the resulting network security problems are increasingly evident. Intrusion detection is a network security technology used to detect any behavior that damages or attempts to damage system confidentiality, integrity or availability. As an active measure to safeguard information security, intrusion detection effectively makes up for the shortcomings of traditional security technology.

In fact, many network attacks abuse network protocols, and several new attack methods violate the protocol standards. Protocol anomaly detection is a new technology for intrusion detection. It aims to build a model of the proper use of a protocol, and any behavior that departs from the model is regarded as intrusive or suspicious.

Firstly, this paper builds Markov chain models for application layer protocols (mainly FTP and SSH) of TCP/IP networks. The test data comes from the 1999 intrusion detection evaluation dataset publicly released by the Lincoln Laboratory of the Massachusetts Institute of Technology in the U.S.A., which is widely regarded as authoritative. The analysis uses the attack-free traffic in the dataset (the first week and the third week, ten days in total) to obtain a Markov chain model of the application layer protocols under normal conditions.

Secondly, the paper uses this application layer protocol model to perform and evaluate protocol anomaly detection at the application layer. The evaluation dataset consists of the attacks (the second week) provided by Lincoln Laboratory. Any behavior that departs from the protocol model under normal conditions is regarded as an intrusion and is analyzed using ROC curves and Di(t).

For the transport layer, the paper first builds a Markov chain model of the TCP protocol and evaluates protocol anomaly detection with it. In doing so it finds some problems with the original evaluation measure and goes on to put forward a new evaluation measure for transport layer protocol anomaly detection based on Chi-square Distance. It also verifies the validity of the new measure by detecting the SYN Flooding attack.

Finally, in accordance with the layered structure of the TCP/IP protocol, the paper puts forward a design project for original system of protocol...
Keywords/Search Tags:Intrusion Detection, Markov Chain, Protocol Anomaly Detection
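
The approach the abstract describes for the application layer, sketched as an added example that is not taken from the thesis: a first-order Markov chain is trained on attack-free FTP command sequences, and a session is flagged when its transitions are unlikely under that model. The state definition (one state per FTP command), the add-one smoothing, the scoring function, the threshold rule and the sample sessions are all assumptions; the abstract does not give the thesis's own definitions or its Di(t) measure.

```python
import math
from collections import defaultdict

# Constructed attack-free FTP sessions (command sequences), standing in for training traffic.
NORMAL = [
    ["USER", "PASS", "SYST", "PWD", "PORT", "LIST", "QUIT"],
    ["USER", "PASS", "CWD", "PORT", "RETR", "QUIT"],
    ["USER", "PASS", "TYPE", "PORT", "RETR", "PORT", "RETR", "QUIT"],
    ["USER", "PASS", "PWD", "CWD", "PORT", "LIST", "PORT", "STOR", "QUIT"],
]
START, END = "<start>", "<end>"

def train(sessions):
    """Count first-order transitions between commands, including start and end."""
    counts = defaultdict(lambda: defaultdict(int))
    vocab = {END}
    for s in sessions:
        path = [START] + s + [END]
        for a, b in zip(path, path[1:]):
            counts[a][b] += 1
            vocab.add(b)
    return counts, vocab

def transition_prob(model, a, b):
    """Add-one smoothed P(b | a); one extra slot is reserved for unseen commands."""
    counts, vocab = model
    row = counts.get(a, {})
    return (row.get(b, 0) + 1) / (sum(row.values()) + len(vocab) + 1)

def anomaly_score(model, session):
    """Mean negative log-likelihood per transition; higher means less like training."""
    path = [START] + session + [END]
    nll = [-math.log(transition_prob(model, a, b)) for a, b in zip(path, path[1:])]
    return sum(nll) / len(nll)

def threshold(model, sessions, margin=1.25):
    """Assumed rule: flag anything scoring above margin * worst training score."""
    return margin * max(anomaly_score(model, s) for s in sessions)

def is_anomalous(model, limit, session):
    return anomaly_score(model, session) > limit

MODEL = train(NORMAL)
LIMIT = threshold(MODEL, NORMAL)
```

Sweeping `margin` over a labelled evaluation set gives the detection and false-alarm rates from which an ROC curve is plotted.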