
Optimization Of Intrusion Detection System Based On Behavior Pattern

Posted on: 2020-08-27
Degree: Master
Type: Thesis
Country: China
Candidate: S Y Yue
Full Text: PDF
GTID: 2428330575466744
Subject: Computer technology
Abstract/Summary:
The intrusion detection system of XX unit monitors the activities of users and systems, distributes load across devices with different load levels and dynamic thresholds, and handles intrusion behavior through emergency-response management. Examining its basic functions, such as detecting intrusion behavior from information collected in logs, shows that the system lacks correlation analysis of vulnerability state, and that the single-function nature and limited compatibility of the equipment are constrained by the existing inventory of devices. This paper analyzes the current state of network management in XX unit and introduces association analysis and clustering models from machine learning to optimize and improve the intrusion detection system. The specific work and contributions are as follows:

(1) System requirement analysis and design. According to the detailed requirements, the functional modules and database tables of the system are designed. The system framework follows the three-tier architecture design pattern, and the intrusion detection system is implemented with the Python programming language, Django (a Python web framework), the MTV pattern and database technology.

(2) Implementation of the system's typical functions. The system monitors and detects user and system activity, event logs, CPU-overload logs and connection overload, and implements anti-ARP-spoofing by configuring the gateway MAC address. Based on detection of managed link data, it monitors basic link communication; comprehensive intrusion detection is achieved by combining a third-party IDS signature (feature) library, and the necessary emergency measures against discovered intrusions are taken with the help of the emergency area.

(3) Data analysis technology. Using historical data, strong association pairs between source port and destination IP address are mined with Apriori association rules to improve the speed of detecting network intrusion behavior. Based on K-Means clustering, typical types of event log are grouped to reduce the misjudgment rate and false alarm rate of network intrusion detection.
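The Apriori step in item (3), mining strong (source port, destination IP) pairs from historical connection logs, as an added illustration that is not the thesis's own code; the log records, the thresholds and the rule format are assumptions constructed here.

```python
from collections import Counter
from itertools import product

# Constructed sample of connection-log records (source port, destination IP).
# Not data from the thesis; invented only to exercise the mining step.
RECORDS = [
    (445, "10.0.0.5"), (445, "10.0.0.5"), (445, "10.0.0.5"), (445, "10.0.0.5"),
    (3389, "10.0.0.7"), (3389, "10.0.0.7"), (3389, "10.0.0.7"),
    (445, "10.0.0.9"), (8080, "10.0.0.5"), (22, "10.0.0.11"),
]


def mine_strong_pairs(records, min_support=0.2, min_confidence=0.6):
    """Apriori-style mining of 'source port -> destination IP' rules.

    Level 1: keep single items (ports, IPs) whose support meets min_support.
    Level 2: build candidate pairs only from frequent items (the Apriori
    pruning property: a pair cannot be frequent unless both members are),
    then count them. A rule is 'strong' when both its support and its
    confidence P(dst_ip | src_port) meet the thresholds.
    """
    n = len(records)
    port_count = Counter(port for port, _ in records)
    ip_count = Counter(ip for _, ip in records)
    freq_ports = {p for p, c in port_count.items() if c / n >= min_support}
    freq_ips = {ip for ip, c in ip_count.items() if c / n >= min_support}
    # Only pairs made of frequent items are candidates; everything else is pruned.
    candidates = set(product(freq_ports, freq_ips))
    pair_count = Counter(r for r in records if r in candidates)
    rules = []
    for (port, ip), c in pair_count.items():
        support = c / n
        confidence = c / port_count[port]
        if support >= min_support and confidence >= min_confidence:
            rules.append({"src_port": port, "dst_ip": ip,
                          "support": round(support, 3),
                          "confidence": round(confidence, 3)})
    rules.sort(key=lambda r: (-r["support"], r["src_port"]))
    return rules


def is_known_pair(rules, src_port, dst_ip):
    """Fast-path check: a new flow that matches a mined strong pair can be
    triaged by the learned rule before the slower signature matching runs."""
    return any(r["src_port"] == src_port and r["dst_ip"] == dst_ip for r in rules)
```

Raising `min_support` prunes the rarer pairs at level 1, which is where most of the speed-up over counting every observed pair comes from.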
Keywords/Search Tags:intrusion detection, association analysis, network security, clustering