Research On The Key Technologies Of Intelligent Network Intrusion Detection System

Posted on: 2005-12-11
Degree: Doctor
Type: Dissertation
Country: China
Candidate: T Zou
Full Text: PDF
GTID: 1118360152957218
Subject: Information and Communication Engineering
Abstract/Summary:
One of the main directions in which Intrusion Detection Systems (IDS) are developing is the use of Artificial Intelligence (AI) techniques to construct intelligent IDS. This dissertation focuses on the key techniques of an Intelligent Network Intrusion Detection System (INIDS), which include data collection and information presentation, data preprocessing, static modeling techniques and dynamic updating techniques. We also describe the design and realization of a prototype system. The research contents and the innovations of the dissertation are as follows.

(1) We analyze the principles of data collection, measurement selection and construction for the INIDS. We also analyze the information sufficiency condition from both the example-size and the measurement-size aspects. This is the most important foundation for constructing a high-performance INIDS.

(2) We propose a new definition of relevant features that integrates strong relevance with incremental useful relevance. Under this new definition, we design a novel optimal Feature Subset Selection (FSS) algorithm named SRRW, based on the genetic algorithm and the Wrapper approach. Compared with existing FSS algorithms, the new SRRW algorithm performs much better on data reduction and modeling accuracy.

(3) In order to obtain a more confident detection result, we design a new double-profile hybrid detection method which integrates a rule-based classifier and a Naive Bayes classifier. Its output is more confident than that of the traditional single-profile detection method.

(4) From a study of the system's ability to perceive attacks, we propose a new static modeling method for INIDS: Concept Level Misuse Detection (CLMD). This new method resolves the shortcoming of traditional misuse detection and can detect more attack instances, including those belonging to new attack types. CLMD has been applied for as a Chinese patent (A New Hierarchy Intrusion Detection System Based on Relevant Features Clustering, Chinese patent: 03137094.2, June 18, 2003).

(5) To resolve the system's inability to update automatically, we propose a new Intrusion Detection Model Dynamic Updating Algorithm (IDMDUA) based on the multi-view and Co-training method. An IDS applying IDMDUA can update the detection model with new information during the detection stage, and so reduce the window during which a new attack remains effective.

(6) With the support of these key techniques, we design and realize an INIDS prototype under the Linux OS. Many such INIDS nodes, placed in a distributed fashion and each with the ability of self-learning, can form a large-scale distributed learning IDS. We design the system's framework and analyze the problem of rule-set fusion.
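Item (3) above describes a double-profile detector in which a rule-based (misuse) profile and a Naive Bayes (statistical) profile are combined so that the verdict is more confident than either alone. The following is an added illustration of that idea, not the dissertation's own code: the connection features, the rules, the training records and the agreement policy are all constructed for the example.

```python
from collections import Counter, defaultdict
from math import exp, log
# Constructed training records (not from the dissertation): one connection each.
TRAIN = [
    ({"proto": "tcp", "service": "http", "flag": "SF", "failed_logins": "0"}, "normal"),
    ({"proto": "tcp", "service": "smtp", "flag": "SF", "failed_logins": "0"}, "normal"),
    ({"proto": "udp", "service": "domain", "flag": "SF", "failed_logins": "0"}, "normal"),
    ({"proto": "tcp", "service": "http", "flag": "SF", "failed_logins": "0"}, "normal"),
    ({"proto": "tcp", "service": "telnet", "flag": "SF", "failed_logins": "3"}, "attack"),
    ({"proto": "tcp", "service": "ftp", "flag": "SF", "failed_logins": "4"}, "attack"),
    ({"proto": "tcp", "service": "private", "flag": "S0", "failed_logins": "0"}, "attack"),
    ({"proto": "tcp", "service": "private", "flag": "REJ", "failed_logins": "0"}, "attack"),
]
# Profile 1: misuse rules, each naming a known attack pattern (constructed).
RULES = [
    ("repeated login failures", lambda f: int(f["failed_logins"]) >= 3),
    ("half-open or rejected probe", lambda f: f["flag"] in ("S0", "REJ")),
]

class NaiveBayes:
    """Profile 2: categorical Naive Bayes with add-one (Laplace) smoothing."""
    def __init__(self, records):
        self.labels = Counter(label for _, label in records)
        self.counts = defaultdict(Counter)  # (label, feature) -> value counts
        self.values = defaultdict(set)      # feature -> distinct values seen
        for feats, label in records:
            for f, v in feats.items():
                self.counts[(label, f)][v] += 1
                self.values[f].add(v)

    def p_attack(self, feats):
        total, logp = sum(self.labels.values()), {}
        for label, n in self.labels.items():
            s = log(n / total)
            for f, v in feats.items():  # unseen values get the smoothed 1/(n+k)
                s += log((self.counts[(label, f)][v] + 1) / (n + len(self.values[f])))
            logp[label] = s
        m = max(logp.values())  # shift before exp to avoid underflow
        return exp(logp["attack"] - m) / sum(exp(s - m) for s in logp.values())

def double_profile_detect(nb, feats, threshold=0.5):
    # Agreement of both profiles gives a confident verdict; disagreement is
    # surfaced for analyst review instead of being resolved by one profile alone.
    hits = [name for name, cond in RULES if cond(feats)]
    p = nb.p_attack(feats)
    if hits and p >= threshold:
        verdict = "attack-confirmed"
    elif not hits and p < threshold:
        verdict = "normal-confirmed"
    else:
        verdict = "disagree-review"
    return {"verdict": verdict, "rule_hits": hits, "p_attack": round(p, 4)}
```

A record with a never-seen `failed_logins` value still gets a smoothed probability from the statistical profile, and a record that matches a rule while scoring low under Naive Bayes is routed to review rather than silently counted as either class.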
Keywords/Search Tags: intrusion detection, intelligent technology, machine learning, misuse detection, feature selection, model updating, data mining, statistical learning theory