
Network Intrusion Detection System, Key Technology Research

Posted on: 2009-02-26
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y X Wei
Full Text: PDF
GTID: 1118360245969483
Subject: Communication and Information System
Abstract/Summary:
With the spread of computers and networks, people enjoy the conveniences these technologies provide, but they are also constantly exposed to the risk of malicious attacks. Because networks are so widespread, a purposeful, large-scale intrusion can cause great damage. Intrusion detection, one of the key methods for protecting network security, has therefore received growing attention both at home and abroad. The growth of networks, the increase in traffic volume and the development of attack techniques all demand better intrusion detection performance. In order to increase detection accuracy, reduce false positives and false negatives and improve detection efficiency, this dissertation focuses on intrusion detection techniques, alert correlation and the architecture of distributed intrusion detection systems, and proposes the following solutions.

1. Two-class intrusion detection. Two methods are proposed.

1) An intrusion detection method that combines a conditional entropy genetic algorithm (CEGA) with a support vector machine (SVM). Based on the characteristics of intrusion detection data, CEGA is proposed for feature extraction, with a new genetic individual encoding, a new fitness function and adaptive crossover and mutation probabilities. The optimisation of feature extraction is coupled with the SVM classification model, and the convergence of CEGA is analysed. The proposed method maintains high classification accuracy and detection efficiency across different types of malicious attack.

2) An intrusion detection method that combines kernel Fisher discriminant analysis (KFDA) with SVM. KFDA is used to extract the optimal discriminant vectors, and an SVM classifies the projected data.
A heterogeneous value difference metric (HVDM) based on a mixture of kernels is proposed for the high-dimensional, heterogeneous datasets acquired in intrusion detection. The data projected by KFDA are easy to separate, so the method achieves low false positive and false negative rates and reduces training time.

2. Multi-class intrusion detection. Two methods are proposed.

1) An intrusion detection method that combines KFDA with a multi-class support vector machine (MSVM). The distances between the class centres of the KFDA-projected data are used to construct a binary tree that extends the two-class SVM to multi-class intrusion detection. For each two-class SVM node, KFDA first performs feature extraction and the SVM is then trained on the projected data, improving the accuracy of each node. Because the binary tree is built sensibly, error accumulation is avoided and each two-class model performs better, so the method improves detection accuracy, especially on U2R and R2L attacks, and also increases detection efficiency.

2) A multi-class SVM intrusion detection method that combines KFDA with fuzzy clustering. In intrusion detection the boundaries between malicious and normal activity, and between different kinds of malicious activity, are often unclear. A fuzzy clustering algorithm is therefore applied to the KFDA-projected data, and the information in the resulting partition matrix is used to construct the optimal binary tree for multi-class classification. Because fuzzy logic can express the relationships among the intrusion data, the method achieves higher classification accuracy and lower false positive and false negative rates.
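As an added example (not code from the dissertation), the following Python implements the standard heterogeneous value difference metric of Wilson and Martinez, which the dissertation extends with a mixture of kernels; the kernel extension is not reproduced here. It measures the distance between connection records that mix categorical fields (protocol, service, flag) with numeric ones, and uses a k-nearest-neighbour vote to show the metric separating attack classes. The records, attribute layout and labels are constructed to mimic the shape of KDD'99-style data and are not taken from the dissertation.

```python
"""Heterogeneous Value Difference Metric (HVDM) over mixed-type connection records.

Added example: standard HVDM (Wilson & Martinez, 1997), not the dissertation's
kernel-mixture variant. All records below are constructed for illustration.
"""
from collections import Counter, defaultdict
from math import sqrt
from statistics import pstdev

# Constructed records: (protocol, service, flag, duration, src_bytes, count), label.
# The field layout only mimics KDD'99-style connection records.
RECORDS = [
    (("tcp", "http", "SF", 0, 215, 2), "normal"),
    (("tcp", "http", "SF", 1, 181, 3), "normal"),
    (("udp", "domain_u", "SF", 0, 44, 1), "normal"),
    (("tcp", "private", "S0", 0, 0, 120), "dos"),
    (("tcp", "private", "S0", 0, 0, 250), "dos"),
    (("tcp", "private", "REJ", 0, 0, 98), "dos"),
    (("icmp", "ecr_i", "SF", 0, 1032, 511), "dos"),
    (("tcp", "telnet", "SF", 30, 1500, 1), "u2r"),
    (("tcp", "ftp", "SF", 8, 320, 1), "r2l"),
]
NOMINAL = (0, 1, 2)   # categorical attribute indices
NUMERIC = (3, 4, 5)   # continuous attribute indices


class HVDM:
    """Distance = sqrt(sum over attributes of d_a(x_a, y_a)^2), where d_a is a
    class-conditional value difference for nominal attributes and a
    4*sigma-normalised absolute difference for numeric ones."""

    def __init__(self, records):
        self.labels = sorted({y for _, y in records})
        # counts[a][v][c]: how often value v of nominal attribute a occurs in class c
        self.counts = {a: defaultdict(Counter) for a in NOMINAL}
        for x, y in records:
            for a in NOMINAL:
                self.counts[a][x[a]][y] += 1
        # 4*sigma keeps roughly 95% of numeric differences within [0, 1];
        # a constant column (sigma = 0) falls back to scale 1.0
        self.scale = {a: 4 * pstdev([x[a] for x, _ in records]) or 1.0
                      for a in NUMERIC}

    def _vdm(self, a, u, v):
        """Nominal distance: two values are close when they predict the same
        class distribution, regardless of their spelling."""
        cu, cv = self.counts[a].get(u), self.counts[a].get(v)
        if not cu or not cv:
            return 1.0   # value never seen in training: maximal distance
        nu, nv = sum(cu.values()), sum(cv.values())
        return sqrt(sum((cu[c] / nu - cv[c] / nv) ** 2 for c in self.labels))

    def distance(self, x, y):
        total = sum(self._vdm(a, x[a], y[a]) ** 2 for a in NOMINAL)
        total += sum((abs(x[a] - y[a]) / self.scale[a]) ** 2 for a in NUMERIC)
        return sqrt(total)


def nearest_label(metric, records, query, k=3):
    """k-NN majority vote under HVDM, to show the metric separating classes."""
    neigh = sorted(records, key=lambda r: metric.distance(r[0], query))[:k]
    return Counter(y for _, y in neigh).most_common(1)[0][0]


if __name__ == "__main__":
    m = HVDM(RECORDS)
    # A half-open 'private' connection with a high count lands among the DoS records.
    print(nearest_label(m, RECORDS, ("tcp", "private", "S0", 0, 0, 150)))
```

The point the plain Euclidean distance misses is visible in `_vdm`: the flags `S0` and `REJ` are different strings, but because both occur only in DoS records the metric treats them as identical, while `http` and `private` are maximally far apart because they never share a class.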
3. Alert correlation. An alert aggregation algorithm based on multiplicative increase, linear decrease (MILD) is proposed to aggregate alerts, remove redundant alarms and prevent alert flooding. To detect multi-step attacks and reduce the impact of false positives and false negatives, an alert correlation algorithm based on Dempster-Shafer (DS) theory and a goal graph is proposed. Based on the characteristics of network intrusion-protection operations, an intrusion-protection model is set up and an attack-plan goal graph is built. During attack-plan recognition, DS theory is used to correlate alerts from different intrusion detection systems in order to validate the action nodes to be expanded; the goal graph is then expanded to obtain the attack plan.

4. Distributed intrusion detection system architecture. An intelligent grid intrusion detection system (GIDS) is proposed. The intrusion detection systems are deployed in a grid environment to inherit the distributed nature of the grid, and intrusion detection is treated as a kind of grid resource that can adapt to different network environments. To achieve load balancing, a scheduling strategy based on resource performance values is used. GIDS fully exploits the resources of the grid, achieves load balancing and is highly effective at detecting malicious attacks under heavy network traffic.

Through research on these four aspects, the dissertation provides effective solutions for improving the performance of intrusion detection systems.
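As an added example (not the dissertation's implementation), the following Python applies Dempster's rule of combination, the core of DS theory, to fuse the alerts that several detection systems raise about the same candidate action node: corroborating sensors raise the belief in "attack" above what either reports alone, while a dissenting sensor introduces conflict and pulls it back down. The goal-graph expansion itself is not reproduced; the sensor names, confidence values and the 0.9 acceptance threshold are assumptions made for the example.

```python
"""Dempster-Shafer fusion of alerts about one candidate action node.

Added example of Dempster's rule of combination (standard DS theory), not the
dissertation's implementation; the goal-graph expansion is not reproduced.
Sensor names, confidences and the acceptance threshold are constructed.
"""
from itertools import product

# Frame of discernment for one action node of the attack-plan goal graph.
ATTACK = frozenset({"attack"})
BENIGN = frozenset({"benign"})
THETA = ATTACK | BENIGN          # the whole frame: total ignorance


def combine(m1, m2):
    """Dempster's rule: m(A) = sum_{B ∩ C = A} m1(B) m2(C) / (1 - K),
    where K is the mass the two sources assign to incompatible sets."""
    fused, conflict = {}, 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        inter = b & c
        if inter:
            fused[inter] = fused.get(inter, 0.0) + mb * mc
        else:
            conflict += mb * mc
    if conflict > 1.0 - 1e-12:
        raise ValueError("total conflict: the sources cannot be combined")
    return {a: v / (1.0 - conflict) for a, v in fused.items()}


def belief(m, hypothesis):
    """Bel(H): mass committed to subsets of H (the lower bound on H)."""
    return sum(v for a, v in m.items() if a <= hypothesis)


def plausibility(m, hypothesis):
    """Pl(H): mass not committed against H (the upper bound on H)."""
    return sum(v for a, v in m.items() if a & hypothesis)


def sensor_mass(hypothesis, confidence):
    """A sensor's alert becomes a mass function: its confidence goes to the
    hypothesis it reports and the remainder to THETA (ignorance), so a
    low-confidence alert is not counted as evidence for the opposite."""
    if not 0.0 <= confidence <= 1.0:
        raise ValueError("confidence must lie in [0, 1]")
    return {hypothesis: confidence, THETA: 1.0 - confidence}


def validate_action(alerts, threshold=0.9):
    """alerts: (sensor, hypothesis, confidence) triples about the same node.
    Returns (accept, Bel(attack), Pl(attack)); the node is validated for
    goal-graph expansion only when the fused belief reaches the threshold."""
    m = {THETA: 1.0}
    for _, hyp, conf in alerts:
        m = combine(m, sensor_mass(hyp, conf))
    return belief(m, ATTACK) >= threshold, belief(m, ATTACK), plausibility(m, ATTACK)


if __name__ == "__main__":
    # Constructed alerts: two NIDS agree on a scan step, a host sensor disagrees.
    agreeing = [("nids-a", ATTACK, 0.7), ("nids-b", ATTACK, 0.8)]
    print(validate_action(agreeing))                              # accepted, Bel = 0.94
    print(validate_action(agreeing + [("hids", BENIGN, 0.6)]))    # conflict pulls Bel below 0.9
```

Two design points matter in practice. First, `sensor_mass` assigns the unexplained remainder to the whole frame rather than to "benign", which is what lets two moderately confident sensors reinforce each other (0.7 and 0.8 fuse to a belief of 0.94) instead of cancelling out. Second, `combine` raises on total conflict rather than silently normalising it away; two sensors that are both fully certain of opposite conclusions are a data-quality problem to surface, not to average.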
Keywords/Search Tags: Intrusion Detection, Support Vector Machine, Kernel Fisher Discriminant Analysis, Genetic Algorithm, Grid, Alerts Correlation