
Intrusion Associated To Reduce The False Positive Of Anomaly Detection

Posted on: 2011-04-11 | Degree: Master | Type: Thesis
Country: China | Candidate: Y P Zhang | Full Text: PDF
GTID: 2208360308481295 | Subject: Computer software and theory
Abstract/Summary:
Intrusion detection technology collects information at a number of key points in a computer or network and monitors the computer or network system in order to find a variety of attacks, attack behaviour, or the results of attacks. Intrusion detection has two main types of detection technique: misuse detection, which identifies an intrusion by matching the user's behaviour against known intrusion behaviour patterns; and anomaly detection, which learns a pattern of normal behaviour from samples of legitimate users' behaviour and treats behaviour that does not match that pattern as an intrusion.

Anomaly detection, which can discover intrusions made up of unknown behaviour, has been extensively studied. However, anomaly detection has a high false alarm rate, because the system cannot exhaustively model the normal behaviour of all users; the resulting loss of information causes normal behaviour to be misjudged. Frequent misjudgements reduce the security administrator's vigilance and even affect confidence in the detection system. In misuse detection there is also a class of behaviour caused by improper use of the system by legitimate users. Since the user has no intrusion intent, such behaviour poses no threat to system security. However, such incidents occur frequently and have the same adverse consequences as false positives. Controlling the occurrence of these two cases is what this paper studies.

When intrusion characteristics are not obvious, one must take into account that an intrusion cannot normally be accomplished by relying on an individual act. An intruder usually has to probe for information, obtain a cover identity, seize control, carry out the destruction or theft of resources, and cover up traces, so the many stages of an intrusion have to work together.

Consequently, the many acts in the process of an intrusion are inevitably related to one another, and this paper takes this feature as the relevance of intrusions. Based on this characteristic, when anomaly detection flags abnormal behaviour of a user but clear intrusion characteristics cannot be identified, false positives are prevented by analysing whether follow-up abnormal behaviour exists over a period of time and whether it supports the earlier act. A heuristic algorithm based on the characteristics of the actual situation can produce an acceptable solution. An abnormal act may be lawful, but it may also be an act of trespass; which it is depends on the various relevant factors of the scene. This paper describes the heuristic algorithm for follow-up analysis of behaviour. The algorithm is an improvement of the traditional simulated annealing algorithm; the purpose is to let both abnormal and normal behaviour influence the execution of the algorithm, rather than being influenced only through temperature reduction as in the traditional algorithm. The combined effect of the two types of behaviour on the algorithm's results reflects whether the follow-up behaviour after the abnormal act tends toward normal user behaviour or carries enough of the characteristics of an intruder, so that it can be determined whether the user is an intruder. Using the algorithm, the analysis finds the possibility that the abnormal behaviour, together with other acts, constitutes an intrusion of the system. We reduce false positives through improved identification of intrusions.
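As an added illustration (not code from the thesis), the following Python sketch shows the correlation idea: an anomaly alert is escalated only when the same user's follow-up behaviour advances through the intrusion stages listed above, and is suppressed when the follow-ups are ordinary activity. The stage mapping, baseline profile, sample audit log and scoring rule are assumptions for the example, not the thesis's annealing heuristic.

```python
from collections import defaultdict

# Intrusion stages named in the abstract: probing, obtaining a cover identity,
# seizing control, destruction or theft, covering traces. The action-to-stage
# map, the baseline profile and the sample log are constructed for this example.
STAGES = ["probe", "identity", "control", "damage", "cover"]
STAGE_OF = {  # assumed mapping from audited action to intrusion stage
    "port_scan": "probe", "enum_users": "probe",
    "password_spray": "identity", "stolen_token_use": "identity",
    "sudo_escalation": "control", "service_install": "control",
    "db_dump": "damage", "mass_delete": "damage",
    "clear_audit_log": "cover",
}
NORMAL = {"login", "read_mail", "edit_doc", "browse", "logout"}  # assumed profile

def correlate(events, window=8, up=0.3, decay=0.1, threshold=0.6):
    """Score each user's first anomaly alert by the behaviour that follows it.
    events: list of (user, action); an action in STAGE_OF is an anomaly alert.
    Confidence rises when the same user later performs an action from a later
    intrusion stage and falls for each normal action in between, so both kinds
    of follow-up shape the verdict. The scoring rule is an illustration only,
    not the thesis's simulated-annealing heuristic.
    Returns {user: (verdict, confidence)} for users who raised an alert.
    """
    per_user = defaultdict(list)
    for user, action in events:
        per_user[user].append(action)
    verdicts = {}
    for user, actions in per_user.items():
        first = next((i for i, a in enumerate(actions) if a in STAGE_OF), None)
        if first is None:
            continue  # no anomaly alert for this user
        conf, last_stage = 0.5, STAGES.index(STAGE_OF[actions[first]])
        for a in actions[first + 1:first + 1 + window]:
            if a in STAGE_OF and STAGES.index(STAGE_OF[a]) > last_stage:
                last_stage = STAGES.index(STAGE_OF[a])
                conf = min(1.0, conf + up)     # chain advances: intrusion-like
            elif a in NORMAL:
                conf = max(0.0, conf - decay)  # ordinary work: misuse or noise
        verdict = "intrusion" if conf >= threshold else "suppressed"
        verdicts[user] = (verdict, round(conf, 2))
    return verdicts

SAMPLE = [  # constructed audit sequence: one isolated scan, one staged chain
    ("alice", "login"), ("alice", "port_scan"), ("alice", "read_mail"),
    ("alice", "edit_doc"), ("alice", "browse"), ("alice", "logout"),
    ("mallory", "login"), ("mallory", "enum_users"), ("mallory", "password_spray"),
    ("mallory", "sudo_escalation"), ("mallory", "clear_audit_log"),
]
```

Running `correlate(SAMPLE)` suppresses alice's isolated scan alert and escalates mallory's, whose follow-ups progress from probing to covering traces.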
Keywords/Search Tags: Intrusion Detection, False Positives, Alert Correlation, Relevance of Intrusions, Simulated Annealing Algorithm, Sequence Analysis, Markov Chain