A Model Of Distributed Intrusion Detection Based On Association Analysis

Posted on: 2008-12-27
Degree: Master
Type: Thesis
Country: China
Candidate: E C Gu
GTID: 2178360272969305
Subject: Computer system architecture

Abstract/Summary:
With the rapid development of the Internet, network security has become increasingly important. As the means of network intrusion diversify, traditional firewall technology is no longer enough to protect an entire network security system. Intrusion detection technology emerged in response and has become a very important research area in computer security.

Although traditional intrusion detection systems play an important role in small and medium-scale networks, they face new challenges in scalability and detection efficiency as network bandwidth expands and attack methods grow more complex. Taking advantage of distributed technology, a new model of distributed intrusion detection is proposed that can effectively solve the packet loss and single-point-of-failure problems of the traditional model. It uses association analysis to mine new rules from the log database, so that the rule database is updated automatically.

The key technologies of intrusion detection and data mining are analyzed. The classification of intrusion detection systems and the characteristics of each model are then described, and the advantages of the distributed detection model are pointed out. Several data mining methods are described, along with their application in intrusion detection systems.

By introducing association analysis from data mining into intrusion detection, a model of distributed intrusion detection based on association analysis is proposed. The model has a hierarchical, modular design and is divided into two layers: front-end nodes that perform independent detection, and a back-end centralized control layer that performs association analysis on the data. Each front-end node contains both a host-based anomaly detection model and a network-based misuse detection model. These nodes are flexible and cooperate with one another to discover distributed intrusions, while the back end is used to find new rules and intrusions from the log database.

The experimental results show that the proposed model has good scalability and effectively decreases the false alarm rate and the missed alarm rate.
Keywords/Search Tags: intrusion detection, distributed, anomaly detection, misuse detection, association analysis