
Algorithms And Key Technologies Of Intrusion Detection System

Posted on: 2008-04-10 Degree: Doctor Type: Dissertation
Country: China Candidate: D Q Duan Full Text: PDF
GTID: 1118360215998974 Subject: Computer application technology
Abstract/Summary:
With the rapid development of networks, ensuring the security of network information becomes more and more important. Intrusion detection detects intrusions by monitoring the audit records of a system or the network traffic. As an active security technology, intrusion detection has received more and more attention.

There are two kinds of intrusion detection technology: anomaly detection and misuse detection. Based on the shortcomings of anomaly detection and misuse detection, this dissertation proposes improvements to each, and also proposes a distributed cooperation model between a vulnerability scanner and an intrusion detection system.

The dissertation first surveys intrusion detection, classifies and analyses the primary technologies and methods used in intrusion detection, and points out the advantages and disadvantages of several intrusion detection methods. It also explores some open problems in intrusion detection technology.

To overcome the shortcomings of anomaly detection, such as massive computation, long training time and low classification accuracy on small sample sets, this dissertation proposes applying support vector machine (SVM) active learning to intrusion detection. During training, the support vector machine actively chooses the learning samples by a query strategy, which efficiently decreases the number of training samples and the training time. This detection method resolves the problem of how to acquire massive training samples in anomaly detection. Experiments show that, compared with the traditional passive learning algorithm for SVMs, the active learning algorithm not only efficiently decreases the learning cost but also improves the accuracy of the classifier on small sample sets.

Redundant features not only occupy huge storage space but also decrease the accuracy of the classifier. This dissertation proposes an intrusion detection method based on rough set theory and the support vector machine. After feature reduction based on rough set theory, the network traffic is sent to the support vector machine to train the classifier. Compared with ranking and selecting features by SVM, feature reduction by rough set theory needs less computation and overcomes the subjectivity of the feature importance criteria. Experiments show that this method improves the accuracy of the support vector machine and decreases the storage space needed for the samples.

Pattern matching is a misuse detection method widely used in intrusion detection systems at present, but it suffers from low matching speed, a high false alarm rate, and a pattern library that is hard to update dynamically. To resolve these problems, this dissertation presents a new cooperation mechanism between the vulnerability scanner and the intrusion detection system. According to the results of the vulnerability scan, the intrusion detection system deletes from the pattern library the attack patterns related to a patched vulnerability, and adds new attack patterns dynamically based on updates of the vulnerability library. In this way the size of the pattern library, the matching time and the false alarm rate all decrease, while the attack pattern library is kept up to date dynamically. On the other hand, based on the alarms of the intrusion detection system, the vulnerability scanner can start special scans of particular hosts or subnets, aimed at the detected intrusion, to find the related vulnerabilities and patch them. Through the cooperation between the vulnerability scanner and the intrusion detection system, the efficiency of the intrusion detection system improves and the defence of the system is enhanced.

Based on the new cooperation mechanism, a distributed model of a cooperation system between the vulnerability scanner and the intrusion detection system is presented. The system assesses the vulnerability of the protected system and detects intrusions through the cooperation of each vulnerability scanner subsystem and each intrusion detection subsystem. It has the characteristics of high data processing rate, low false alarm rate, good cooperation mechanism, good self-learning ability and high security.

Finally, the dissertation summarizes the main work and suggests directions for future research.
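The scanner-to-IDS direction of the cooperation mechanism described above, as an added Python illustration that is not the dissertation's code: patterns tagged with the vulnerability they exploit are dropped when every scanned host is patched and added when the scanner reports a vulnerability the library has a pattern for, and alerts are mapped back to the vulnerabilities the scanner should re-check. Pattern names, vulnerability IDs, signatures, hosts and scan results are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pattern:
    name: str
    vuln_id: str      # vulnerability the attack pattern exploits
    signature: bytes  # constructed byte sequence matched against payloads

# Constructed vulnerability library: vuln_id -> the attack pattern written for it.
VULN_LIBRARY = {
    "VULN-A": Pattern("exploit_a", "VULN-A", b"marker-a"),
    "VULN-B": Pattern("exploit_b", "VULN-B", b"marker-b"),
    "VULN-C": Pattern("exploit_c", "VULN-C", b"marker-c"),
}

def sync_patterns(active, scan_results, vuln_library):
    """Align the IDS pattern library with vulnerability scanner results.

    active:       {name: Pattern} currently loaded in the IDS
    scan_results: {host: set of vuln_ids still present on that host}
    Drops a pattern when its vulnerability is patched on every scanned host; adds
    one when the scanner reports a vulnerability the library has a pattern for.
    """
    exposed = set().union(*scan_results.values()) if scan_results else set()
    kept = {n: p for n, p in active.items() if p.vuln_id in exposed}
    for vid in exposed:
        p = vuln_library.get(vid)
        if p is not None:
            kept[p.name] = p
    return kept  # new dict; the input library is left unchanged

def match(active, payload):
    """Sorted names of loaded patterns whose signature occurs in the payload."""
    return sorted(n for n, p in active.items() if p.signature in payload)

def rescan_vulns(alerts, active):
    """Reverse direction: vulnerabilities the scanner should check on the
    alerted host, derived from the patterns that fired."""
    return sorted({active[a].vuln_id for a in alerts if a in active})

def demo():
    # IDS starts with patterns for VULN-A and VULN-B only.
    active = {p.name: p for p in (VULN_LIBRARY["VULN-A"], VULN_LIBRARY["VULN-B"])}
    # Constructed scan: VULN-A patched everywhere; one host still exposes B and C.
    scan = {"10.0.0.1": {"VULN-B", "VULN-C"}, "10.0.0.2": set()}
    synced = sync_patterns(active, scan, VULN_LIBRARY)
    payload = b"...marker-a...marker-b...marker-c..."  # constructed traffic payload
    before, after = match(active, payload), match(synced, payload)
    return before, after, rescan_vulns(after, synced)
```

After the sync the pattern for the patched VULN-A no longer fires (one false alarm fewer), while the pattern for the newly reported VULN-C is picked up without a manual library update.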
Keywords/Search Tags: intrusion detection, active learning, support vector machine, rough set, vulnerability scanner