
Study Of Intrusion Detection Channel Model

Posted on: 2007-08-20
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X Rao
Full Text: PDF
GTID: 1118360212959885
Subject: Communication and Information System

Abstract/Summary:
With the development of networks, the security problem becomes more and more important. Intrusion Detection (ID), a critical field of network security, has made rapid progress in the few decades since the 1980s. But owing to the increasing complexity of networks and the popularity of hacking tools, problems remain, such as low detection rates, huge volumes of data to process, and a lack of theoretical support. These problems limit the application of ID in practice.

Our work starts from the search for a theoretical foundation for Intrusion Detection. The Intrusion Detection Channel Model is established. Based on this model, the criterion and the method of feature selection are studied in order to reduce the ID source data. To increase correctness, a multilevel Intrusion Detection System using the SVM classification method is designed. Detection methods based on kernel methods that need no training are discussed. The main work is summarized as follows:

1. The Intrusion Detection Channel model is established. From the viewpoint of information transmission, the intrusion detection process can be considered as two cascaded channels: the data collecting channel and the data analyzing channel. The definitions of the two channels, the feature set and the knowledge set are given. The premise of correct detection is studied on the basis of data processing theory. The difference set of the feature set and the knowledge set is defined. The two detection situations, correct detection and wrong detection, are analyzed with emphasis on the channel characteristics, the expression of the error rate and the information loss under three cases of wrong detection. This simple channel model describes the complex intrusion detection process and abstracts the essence of detection. It is not only simple and understandable, but also provides a new way to study many problems in the intrusion detection field.

2. By analyzing the Data Collecting Channel model, a criterion of feature correctness based on entropy is presented. The characteristics of features are analyzed according to this criterion, with emphasis on feature selection based on the entropy criterion. Selecting features by the entropy criterion not only makes the selection independent of the detection method, but also guarantees that the selected features contain as much system activity information as the original data. It is therefore superior to traditional approaches based on the detection rate of one particular detection method.

3. An immune Intrusion Detection System based on SVM is designed. The Data Analyzing Channel is compared with statistical learning. Under the condition of small samples, a detection method using the SVM is presented. The multilevel protection structure is studied following the natural immune system. Merging the SVM detection method and the multilevel structure, the immune intrusion detection system based on SVM is designed. The SVM-based detection method improves correctness, and the multilevel protection structure has the advantage of completeness, so the performance of the IDS can be improved. The Immune Intrusion Detection System based on SVM consists of four subsystems: an Outside Connection Network Intrusion Detector, an Inside Connection Network Intrusion Detector based on SVM, a Host Intrusion Detector based on SVM and a System Intrusion Detector based on SVM. The last two detectors are developed and simulated.

4. Detection methods using kernel-based classification algorithms that need no training are presented. The idea of indirect space mapping is presented to search for the space in which the heterogeneous intrusion detection data are linearly separable. The way of using kernel functions to realize the indirect space map is studied. The kernel methods of Kernel Nearest Neighbor, Kernel Clustering and Ratio of Kernel Center Distance are introduced. The system framework and working process of an IDS based on kernel methods are studied. The three kernel methods above and their application in intrusion detection are discussed in detail. Simulation results show that detecting intrusions using kernel methods is superior to traditional ones. These kernel methods are compared with SVM and their application circumstances are analyzed. Because the Ratio of Kernel Center Distance method has good generalization ability and needs no training, it is more suitable under small-sample detection conditions.
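As an added illustration of the entropy criterion in point 2 (example code written for this page, not the dissertation's own method), the block below assumes the criterion is realized as: keep the smallest feature subset whose joint entropy over the audit records equals that of the full feature set, so no system activity information in the original data is lost. The audit records, feature names and the greedy selection order are all constructed assumptions.

```python
"""Entropy-based feature selection for intrusion detection audit records.

Constructed example. Selection uses only the feature values, never a
detector's verdict, so it is independent of the detection method.
"""
from collections import Counter
from math import log2

# Constructed records: (protocol, service, flag, duration bucket).
FEATURES = ("protocol", "service", "flag", "duration")
RECORDS = [
    ("tcp", "http", "SF", "short"),
    ("tcp", "http", "SF", "short"),
    ("tcp", "smtp", "SF", "long"),
    ("udp", "dns", "SF", "short"),
    ("tcp", "http", "REJ", "short"),
    ("tcp", "http", "S0", "short"),
    ("udp", "dns", "SF", "short"),
    ("icmp", "eco_i", "SF", "short"),
]

def joint_entropy(records, cols):
    """Shannon entropy (bits) of the joint distribution over column indices."""
    if not cols:
        return 0.0
    n = len(records)
    counts = Counter(tuple(r[c] for c in cols) for r in records)
    return -sum(k / n * log2(k / n) for k in counts.values())

def information_loss(records, cols):
    """Bits of system-activity information discarded by keeping only `cols`."""
    return joint_entropy(records, range(len(records[0]))) - joint_entropy(records, cols)

def select_features(records, names):
    """Greedy forward selection: add the feature with the largest joint-entropy
    gain until the subset reaches the entropy of the full feature set."""
    all_cols = list(range(len(names)))
    target = joint_entropy(records, all_cols)
    chosen = []
    while joint_entropy(records, chosen) < target - 1e-12:   # tolerance for float sums
        remaining = [c for c in all_cols if c not in chosen]
        # Highest entropy gain wins; lower column index breaks ties deterministically.
        best = max(remaining, key=lambda c: (joint_entropy(records, chosen + [c]), -c))
        chosen.append(best)
    return [names[c] for c in chosen]

if __name__ == "__main__":
    print("full entropy:", joint_entropy(RECORDS, range(4)))       # 2.5 bits
    print("selected:", select_features(RECORDS, FEATURES))          # service, flag
    print("loss keeping protocol+duration:", information_loss(RECORDS, [0, 3]))
```

Here `protocol` and `duration` are fully determined by `service`, so the two retained features carry the full 2.5 bits while the pair `protocol`+`duration` alone loses 0.75 bits.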
Keywords/Search Tags: network security, intrusion detection, channel, entropy, support vector machines, kernel method