
Research On Statistical Detection Methods For Anomaly Network Intrusion Detection

Posted on: 2012-04-06
Degree: Master
Type: Thesis
Country: China
Candidate: H Wang
Full Text: PDF
GTID: 2218330335469480
Subject: Computer system architecture
Abstract/Summary:
With the widespread use of networks in social life, network intrusion has become an urgent threat, so detecting it effectively is important. Network intrusion detection is divided into two categories: detection based on intrusion features and anomaly detection. The former aims to detect known attack behavior, and the latter is based on anomalous behavior in network flows. Both suffer from a high false-alarm rate. For the network maintainer, anomalous network behavior is worth attention whether or not it is an intrusion. This thesis is therefore devoted to detecting network anomalies, not to determining which attack has happened or even whether an anomaly is an attack. The thesis first designs a data collection method for the experimental dataset and obtains the statistical parameter features under normal and intrusion conditions. A parameter test method and a distance discrimination method are then employed to detect abnormal behavior. Experimental results are given based on a well-known experimental dataset. The main research includes the following aspects:

(1) The network intrusion experimental dataset from Lincoln Lab, which is well known and widely used in network intrusion detection systems, is introduced. The well-known IDS Snort is analyzed, and a data collection algorithm is designed based on Snort. The theory of network intrusion and the statistical features of intrusion behavior are also discussed.

(2) Through analysis of network intrusion features, the statistical parameters for intrusion behavior are obtained, such as IP flow, ICMP flow, number of ports visited, and so on. The statistical features of normal and abnormal network flows are obtained by collecting and analyzing the dataset with the data collection system. A comparison of the statistical features of normal and abnormal flows shows that the selected features do reflect intrusion.

(3) A method for detecting abnormal network behavior based on a parameter test is presented. The empirical distribution of normal network flow is given. When sample data falls outside the normal range of the empirical distribution, it can be inferred to be abnormal behavior. A distance discrimination detection method is also presented, which can consider several statistical features at the same time. The sample mean and covariance matrix under the normal network environment are calculated statistically. Normal and abnormal behavior are distinguished by the distance between the test sample and the sample mean vector.
Keywords/Search Tags:network intrusion detection, anomaly detection, statistical feature, parameter test, distance discrimination
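
The distance discrimination step described in (3), as an added example that is not code from the thesis. It assumes the Mahalanobis distance (the abstract does not name the distance used), a constructed baseline of per-window counts for the three features the abstract lists, and an assumed threshold.

```python
# Added example (not from the thesis): distance discrimination over traffic counts.
# Assumed: Mahalanobis distance, the constructed baseline below, and THRESHOLD.
from statistics import mean

def fit(rows):
    """Sample mean vector and covariance matrix of normal-traffic windows."""
    mu = [mean(col) for col in zip(*rows)]
    n, d = len(rows), len(mu)
    cov = [[sum((r[i] - mu[i]) * (r[j] - mu[j]) for r in rows) / (n - 1)
            for j in range(d)] for i in range(d)]
    return mu, cov

def solve(a, b):
    """Solve a*x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        if abs(m[p][c]) < 1e-12:
            # A constant or linearly dependent feature makes the distance undefined.
            raise ValueError("singular covariance matrix")
        m[c], m[p] = m[p], m[c]
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return [m[i][n] / m[i][i] for i in range(n)]

def distance(x, mu, cov):
    """Distance between a test sample and the sample mean vector."""
    diff = [xi - mi for xi, mi in zip(x, mu)]
    return sum(d * s for d, s in zip(diff, solve(cov, diff))) ** 0.5

# Constructed baseline, one row per time window of normal traffic:
# (IP packets, ICMP packets, number of distinct ports visited)
NORMAL = [(1200, 12, 18), (1150, 10, 20), (1300, 15, 17), (1250, 11, 22),
          (1180, 14, 19), (1275, 13, 21), (1220, 9, 16), (1190, 12, 23)]
MU, COV = fit(NORMAL)
THRESHOLD = 4.0  # assumed cut-off; in practice tuned against the false-alarm rate

def is_anomalous(x, mu=MU, cov=COV, threshold=THRESHOLD):
    return distance(x, mu, cov) > threshold

if __name__ == "__main__":
    for window in [(1221, 12, 20), (1240, 11, 400), (1260, 300, 19)]:
        print(window, round(distance(window, MU, COV), 2), is_anomalous(window))
```

Because the covariance matrix scales each feature by its normal variability, a window whose IP volume looks ordinary is still flagged when its port count or ICMP count lies far outside the baseline.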