
Study On Data Mining Based Intrusion Detection Approaches And System

Posted on: 2004-10-18
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J D Qi
Full Text: PDF
GTID: 1118360092496440
Subject: Agricultural Electrification and Automation
Abstract/Summary:
Intrusion detection systems (IDS) play an important role in the information security architecture. Computer crime is becoming more pressing and more dangerous, which places urgent demands on IDS performance. The main shortcomings of current IDS are that they cannot detect intrusive behaviour quickly when faced with large volumes of audit data, cannot detect new types of attack, and suffer from a high false positive rate, all of which greatly degrade their performance. This dissertation puts forward a new intrusion detection approach and implements a Network-based Anomaly Intrusion Detection System (NAIDS) based on it.

Building on a detailed and comprehensive study of data mining based intrusion detection techniques, NAIDS applies association rule mining and classification techniques to the detection of intrusive behaviour in network audit records from a new perspective. For association rule mining, two mining modes are constructed, static mining and dynamic mining, and two mining levels are implemented, single-level mining and domain-level mining. For the classification engine, the mainstream classification techniques were compared in thorough experiments, and the decision tree was improved for the concrete problem; this lets NAIDS detect some new types of attack, a capability that embodies the advantage of anomaly detection over misuse detection. An incremental mining approach was put forward that detects on one window of data at a time instead of on a batch of TCP/IP records; it is well suited to on-line mining and gives NAIDS high real-time performance. Previous research on data mining based intrusion detection approaches belongs in nature to the field of misuse detection: association rule and frequent episode mining aim to describe intrusion signatures, and the rule classifier is used mainly to detect intrusive behaviour.

NAIDS is the first data mining based anomaly detection system, the first intrusion detection system to lower the false positive rate through a classification engine, and the first intrusion detection system to put forward sliding window techniques for incremental, on-line mining. In principle, the dynamic sliding window gives NAIDS real-time detection capability, and the classification engine keeps its false positive rate low; in this sense the approaches put forward in this dissertation can, to a great extent, solve the most pressing problems faced by current IDS. Extensive experiments on the DARPA 1998 and 1999 data sets were carried out, verifying the validity and effectiveness of our approach and providing guidance for the research work that follows. Finally, the intrusion taxonomy is summarized systematically, and the performance of NAIDS against every type of attack is given. In general, NAIDS performs better at detecting denial of service attacks and probe attacks.
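The sliding window incremental mining described above, as an added illustration that is not the dissertation's code: itemset supports are updated per arriving and per evicted record instead of being re-mined per batch, a baseline profile is mined from known-normal records, and each full window is scored by the share of its frequent itemsets that the profile never produced. The record attributes, window size and minimum support are constructed assumptions, not values from the dissertation or the DARPA data.

```python
from collections import Counter, deque
from itertools import combinations

def itemsets(record):
    """1- and 2-itemsets of a discretized connection record (a frozenset of 'attr=value' strings)."""
    items = sorted(record)
    return [(i,) for i in items] + list(combinations(items, 2))

class SlidingWindowMiner:
    """Itemset counts over the last `size` records, updated on arrival and eviction rather than re-mined per batch."""
    def __init__(self, size, min_support):
        self.size, self.min_support = size, min_support
        self.window, self.counts = deque(), Counter()
    def push(self, record):
        self.window.append(record)
        for s in itemsets(record):
            self.counts[s] += 1
        if len(self.window) > self.size:  # evict the oldest record and retract its counts
            for s in itemsets(self.window.popleft()):
                self.counts[s] -= 1
    def frequent(self):
        n = len(self.window)
        return {s for s, c in self.counts.items() if c / n >= self.min_support}

def novelty_score(profile, current):
    """Share of currently frequent itemsets that the normal-traffic profile never produced."""
    return len(current - profile) / len(current) if current else 0.0

def build_profile(records, min_support):
    """Batch-mine the baseline itemsets from known-normal records."""
    miner = SlidingWindowMiner(len(records), min_support)
    for rec in records:
        miner.push(rec)
    return miner.frequent()

def stream_scores(stream, profile, size=6, min_support=0.5):
    """Score each arriving record; None until the window first fills (warm-up)."""
    miner, scores = SlidingWindowMiner(size, min_support), []
    for rec in stream:
        miner.push(rec)
        scores.append(None if len(miner.window) < size else novelty_score(profile, miner.frequent()))
    return scores

# Constructed sample records (not DARPA data): three normal connection types, then a probe-like
# burst of rejected connections to many different ports.
A = frozenset({"proto=tcp", "service=http", "flag=SF", "src_bytes=mid"})
B = frozenset({"proto=tcp", "service=smtp", "flag=SF", "src_bytes=low"})
C = frozenset({"proto=udp", "service=domain", "flag=SF", "src_bytes=low"})
NORMAL = [A, B, C, A, B, C]
PROBE = [frozenset({"proto=tcp", f"service=port{p}", "flag=REJ", "src_bytes=zero"}) for p in range(6)]
PROFILE = build_profile(NORMAL, 0.5)
```

Running `stream_scores(NORMAL + PROBE, PROFILE)` stays at 0.0 while the window holds only normal traffic, and rises past 0.7 once half the window is probe records, because the rejected-connection itemsets are frequent but absent from the profile.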
Keywords/Search Tags: Intrusion detection, Data mining, Anomaly detection, Network-based IDS