
Research Of Key Intrusion Detection Techniques Based On Anomaly Analysis

Posted on: 2007-08-27
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z J Xu
Full Text: PDF
GTID: 1118360212489260
Subject: Computer application technology
Abstract/Summary:
With the rapid development of computer networks and related technology, computer intrusions are increasing year by year and seriously threaten the development and application of all kinds of computer systems. There are many network attack methods, and intrusion techniques keep evolving, so passive network security mechanisms such as firewalls are insufficient against many attacks. Intrusion detection, as an active defense technique, can make up for the shortcomings of traditional security techniques, yet research on it is still insufficient at present.

This dissertation summarizes the current state of intrusion detection research, surveys attackers' methods and techniques, analyzes the main technologies, methods and system architectures, and points out the problems facing intrusion detection technology and the directions for future study. Several key theories and methods are studied and corresponding experiments are carried out. The main work of this dissertation is as follows.

Uniform approximation and the Fourier transform are adopted to analyze audit information, and features are extracted from structured data collections. The method combines space transformation, function approximation and data filtering: after the audit data is transformed from one observation space to another, a uniform approximation method is used to fit the audit data, and the important features are then selected by a filtering method.

To remedy the imprecision of detection rules, a fuzzy learning model is created for network intrusion detection systems. First, the equivalence relation of intrusion actions in a noisy environment is proved. From the original features of the existing intrusion detection system, weight-based fuzzy detection rules are created, and a feedback learning algorithm is proposed that modifies the fuzzy detection method to obtain optimal recognition results. This model can easily be applied to all kinds of existing value-based intrusion detection systems.

A model that recomposes the state transition (ST) method with an immune genetic algorithm is presented. In this model the ST method is expressed in a double-DNA-chain pattern: the two twisted chains form a state-action sequence that represents the system's state transitions. Working in a distributed way, the model can search effectively for intrusion detection rules in a large search space.

The stationary Markov model has the shortcoming of an incorrect assumption, which weakens its intrusion detection ability. A Window Markov chain model is therefore proposed, and fuzzy measurements are introduced on top of it. In the Fuzzy Window Markov (FWM) model, the states in the time window carry different fuzzy evaluation values that indicate the probability of each being the next state at time t. Compared with the stationary Markov model, the FWM model can counteract the disturbance of noise to a certain extent and therefore has better anomaly detection ability.

Taking the receiver as the source, the computer network is converted into a field: the receiver is the field source, and the packet frequency (the number of packets in a fixed time) sent to the receiver through a router is converted into the divergence of the field. On this basis, the Defending Alliance Protocol (DAP) is proposed, which is used to complete the spatial audit information in order to enhance the performance of the IDS. The reasons for establishing the protocol, the protocol content, the data format and the basic service primitives are described. DAP consists of the concept of the security coefficient of the receiver, the protocol between neighbors and the receiver (NBDAP), and the protocol between network management centers (NMC) and the receiver (MCDAP). The security coefficient of the receiver is the percentage obtained by dividing the sum of the divergences in the receiver's neighbors by the receiver's buffer capacity. It is explained how the spatial audit information in the neighbors is obtained and sent to the receiver in NBDAP, and how the authenticity of the connection between sender and receiver is verified using the NMC in MCDAP. The relationship between NBDAP and MCDAP is analyzed. The basic service primitives describe the services of DAP and stipulate the transmission of information through service access points. The self-security of DAP is briefly analyzed.
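The contrast between a stationary Markov chain and a Window Markov model with fuzzy evaluation values is easiest to see on a small trace. The following is an added illustration, not code or data from the dissertation: it trains a first-order transition matrix on a constructed "normal" event trace, then scores a trace with one corrupted event and an attack-like trace two ways, once with the stationary model and once with a window model in which each state in the window contributes its k-step prediction of the current state, weighted by a decaying membership value. The window width, decay, smoothing constant, the membership weights and the traces themselves are all assumptions of this example.

```python
"""Stationary vs. fuzzy-window Markov scoring of an event sequence.

Added illustration, not code from the dissertation. The window/fuzzy-weight
design below is one assumed way to build such a model.
"""
import math
from collections import Counter

# Constructed sample traces (stand-ins for audit-log event types).
NORMAL = list("ABCDABCDABCDABCDABCDABCDABCDABCD")  # repeats the cycle A->B->C->D
NOISY = NORMAL[:]
NOISY[10] = "A"            # one corrupted event in an otherwise normal trace
ATTACK = list("A" * 16)    # a trace that never follows the learned cycle

FLOOR = 1e-6               # probability given to symbols never seen in training


def train(seq, alpha=0.01):
    """First-order transition matrix with additive smoothing.
    Returns (states, index, matrix) with matrix[i][j] = P(states[j] | states[i])."""
    states = sorted(set(seq))
    idx = {s: i for i, s in enumerate(states)}
    n = len(states)
    pairs = Counter(zip(seq, seq[1:]))
    out = Counter(seq[:-1])
    matrix = [[(pairs[(a, b)] + alpha) / (out[a] + alpha * n)
               for b in states] for a in states]
    return states, idx, matrix


def matmul(x, y):
    n = len(x)
    return [[sum(x[i][k] * y[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]


def powers(matrix, w):
    """[P^1, P^2, ..., P^w]; P^k[i][j] is the k-step probability of j given i."""
    ps = [matrix]
    for _ in range(w - 1):
        ps.append(matmul(ps[-1], matrix))
    return ps


def fuzzy_weights(w, decay=0.5):
    """Membership value of each window state, most recent first, summing to 1."""
    raw = [decay ** k for k in range(w)]
    tot = sum(raw)
    return [r / tot for r in raw]


def stationary_score(model, seq, w=3):
    """Mean -log P(s_t | s_{t-1}) over t >= w (same positions as window_score)."""
    states, idx, matrix = model
    total = 0.0
    for t in range(w, len(seq)):
        prev, cur = seq[t - 1], seq[t]
        p = matrix[idx[prev]][idx[cur]] if prev in idx and cur in idx else FLOOR
        total -= math.log(p)
    return total / (len(seq) - w)


def window_score(model, seq, w=3, decay=0.5):
    """Mean -log of the fuzzy-window prediction
    P(s_t) = sum_k mu_k * P^k(s_t | s_{t-k}),
    where mu_k is the membership value of the state k steps back."""
    states, idx, matrix = model
    ps = powers(matrix, w)
    mu = fuzzy_weights(w, decay)
    total = 0.0
    for t in range(w, len(seq)):
        cur = seq[t]
        p = 0.0
        for k in range(1, w + 1):
            past = seq[t - k]
            if past in idx and cur in idx:
                p += mu[k - 1] * ps[k - 1][idx[past]][idx[cur]]
            else:
                p += mu[k - 1] * FLOOR
        total -= math.log(p)
    return total / (len(seq) - w)


if __name__ == "__main__":
    model = train(NORMAL)
    for name, trace in (("normal", NORMAL), ("noisy", NOISY), ("attack", ATTACK)):
        print(f"{name:7s} stationary={stationary_score(model, trace):.3f} "
              f"window={window_score(model, trace):.3f}")
```

A single corrupted event costs the stationary model two near-zero transitions in a row, so its mean score for the noisy trace rises sharply; the window model still has the older, uncorrupted states in the window voting for the correct successor, so the same trace scores much closer to normal while the attack trace stays clearly anomalous under both models. This is the noise-tolerance property the abstract claims for the FWM model, shown on constructed data.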
Keywords/Search Tags: computer security, intrusion detection, approximation, immune, fuzz, state transition analysis