
The Research And Realization Of Distributed Network Intrusion Cooperation Detection System Based On Data Mining

Posted on: 2009-09-11
Degree: Doctor
Type: Dissertation
Country: China
Candidate: T Fu
Full Text: PDF
GTID: 1118360275998821
Subject: Computer network
Abstract/Summary:
As intrusions keep changing form and becoming better concealed, traditional network security techniques and devices can no longer prevent network intrusion. For instance, nearly all current commercial intrusion detection systems rely on matching technology based on known intrusion rules. Their engines sit on the networks or hosts to be monitored and detect intrusions independently; the central management and control platform of the IDS is responsible only for platform configuration, detection-engine management and the display of each engine's detection results, and it lacks cooperative analysis of the detection data from all engines. IDS, firewall and anti-virus software work independently, so it is difficult to reach a correct judgement about complex attacks.

Anomaly intrusion detection decides whether an intrusion is present from user behaviour or resource usage; it is more general, but its false detection rate is too high. Misuse detection uses known attacks and defined intrusion models and detects attacks by judging whether those models appear. This method has high accuracy, but the system is too dependent on prior knowledge: its detection range is limited to what is already known.

The application of data mining in intrusion detection systems is an important direction of intrusion detection research. This paper gives a detailed discussion of intrusion detection agents based on data mining and presents an important research trend: combining several data mining methods and applying data mining to both misuse detection and anomaly detection.

The paper presents an improved association analysis algorithm based on FP-Growth, an FCM network intrusion detection technique based on statistical binning, and an immunological hybrid intrusion detection technique. The improved FP-Growth algorithm introduces a kind of singly linked list named the aggregative chain.
Only the pointers to each node's children are kept, which saves tree space. The algorithm raises mining speed and improves both the execution efficiency of the IDS and the accuracy of the rules. The FCM network intrusion detection technique based on statistical binning does not need to update the cluster centres frequently and therefore saves time; combining signature matching with FCM based on statistical binning can find new intrusions and update the detection rules. The immune system exhibits many complex information-processing abilities, such as recognition, learning, memory, diversity, adaptability, fault tolerance and distributed detection; the immunological hybrid intrusion detection technique brings these abilities into full play and has great application prospects.

The thesis analyses the main problems of network intrusion detection technology in detection performance, system robustness and adaptability, and then discusses its trends. Current commercial intrusion detection systems do almost nothing in cooperative data analysis, their rule updates lag, and their detection technology does not keep pace with changing intrusions. In view of this status quo, a model of a distributed network intrusion cooperative detection system based on data mining (hereinafter "cooperative detection system") is proposed. The model achieves cooperation of the intrusion detection system in structure, function, action and deployment through data collection cooperation, data analysis cooperation and system response cooperation, which strongly improves the detection capability of the intrusion detection system.

The paper gives a detailed discussion of the design of the detection engine, the communication module and the system cooperation design of the cooperative intrusion detection system. The detection engine, which covers packet capture, data analysis and intrusion detection, is the principal part of the system.
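The abstract describes an FP-Growth variant whose tree nodes keep only child pointers. The following Python program is an added illustration written for this page, not code from the thesis: it builds an FP-tree with child pointers only, mines all frequent itemsets from six constructed connection records, and derives association rules from them. The page does not specify the internal structure of the "aggregative chain" beyond its name, so as a stand-in the per-item occurrence lists (the conditional pattern bases) are gathered by a single depth-first walk of the tree rather than through the parent and node-link pointers of classic FP-Growth. The sample records, their attribute=value items and the threshold values are constructed for the example.

```python
"""FP-Growth frequent-pattern mining over connection records.

Added example (not the thesis's code). Each node keeps only a dictionary of
child pointers: no parent or sibling links and no header-table node-links.
The thesis's "aggregative chain" is not specified on the page beyond its
name; as a stand-in, the per-item occurrence lists below are gathered by a
single depth-first walk of the tree.
"""
from collections import Counter, defaultdict


class Node:
    __slots__ = ("item", "count", "children")

    def __init__(self, item):
        self.item = item
        self.count = 0
        self.children = {}  # item -> Node: the only pointers stored per node


def _mine(weighted, min_support, suffix, out):
    """Mine patterns from weighted transactions [(items, weight), ...]."""
    counts = Counter()
    for items, weight in weighted:
        for item in items:
            counts[item] += weight
    frequent = {i: c for i, c in counts.items() if c >= min_support}
    if not frequent:
        return
    # Frequent items are ordered by descending support (ties by name) so that
    # transactions sharing a prefix share a path in the tree.
    rank = lambda item: (-frequent[item], item)
    root = Node(None)
    for items, weight in weighted:
        node = root
        for item in sorted((i for i in items if i in frequent), key=rank):
            child = node.children.get(item)
            if child is None:
                child = node.children[item] = Node(item)
            child.count += weight
            node = child
    # One depth-first walk collects, for every item, the list of
    # (prefix path, count) occurrences; this replaces the parent/node-link
    # traversal of classic FP-Growth and needs no extra pointers in the tree.
    occurrences = defaultdict(list)

    def walk(node, prefix):
        for item, child in node.children.items():
            occurrences[item].append((prefix, child.count))
            walk(child, prefix + (item,))

    walk(root, ())
    for item, support in frequent.items():
        out[tuple(sorted((item,) + suffix))] = support
        # The occurrence list of `item` is its conditional pattern base.
        _mine(occurrences[item], min_support, (item,) + suffix, out)


def fp_growth(transactions, min_support):
    """Return {sorted item tuple: support} for every frequent itemset."""
    out = {}
    _mine([(frozenset(t), 1) for t in transactions], min_support, (), out)
    return out


def association_rules(patterns, min_confidence):
    """Derive single-consequent rules (antecedent, consequent, confidence)."""
    rules = []
    for pattern, support in patterns.items():
        if len(pattern) < 2:
            continue
        for consequent in pattern:
            antecedent = tuple(i for i in pattern if i != consequent)
            confidence = support / patterns[antecedent]
            if confidence >= min_confidence:
                rules.append((antecedent, consequent, confidence))
    return rules


# Constructed sample: six preprocessed connection records, each a set of
# attribute=value items (the item vocabulary is this example's own).
SAMPLE_RECORDS = [
    {"proto=tcp", "service=http", "flag=SF", "dst_bytes=high"},
    {"proto=tcp", "service=http", "flag=SF", "dst_bytes=high"},
    {"proto=tcp", "service=http", "flag=S0", "dst_bytes=zero"},
    {"proto=tcp", "service=http", "flag=S0", "dst_bytes=zero"},
    {"proto=tcp", "service=http", "flag=S0", "dst_bytes=zero"},
    {"proto=udp", "service=dns", "flag=SF", "dst_bytes=low"},
]

if __name__ == "__main__":
    patterns = fp_growth(SAMPLE_RECORDS, min_support=3)
    for pattern, support in sorted(patterns.items(), key=lambda p: (-len(p[0]), p[0])):
        print(support, pattern)
    for antecedent, consequent, confidence in association_rules(patterns, 0.8):
        print("%s => %s (%.2f)" % (antecedent, consequent, confidence))
```

With a support threshold of 3, the three half-open connections (flag S0, zero response bytes) surface as one four-item pattern, and the rule {flag=S0} => {dst_bytes=zero} reaches confidence 1.0; such rules are what a detector would then turn into candidate signatures after review. Because every conditional pattern base is a weighted transaction list, the recursion reuses the same tree builder at every level.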
Using libpcap to capture packets can lead to packet loss and system collapse on a high-speed network that carries large volumes of data in real time. The new packet capture technique given in the paper uses memory mapping and NAPI. It effectively reduces memory copies from the system kernel to user space and avoids interrupt livelock under heavy load, which ensures real-time operation and accuracy on high-speed networks.

Data resolution first parses the packet headers of the data-link layer, the IP layer, the transport layer and the application-layer protocols, and then performs data preprocessing. On this basis the improved FP-Growth algorithm is used to mine the network data; the detection sub-module interprets and assesses the patterns produced by the data mining module and then sends the data to the feedback port. The communication module defines the communication modes and related functions between the data acquisition parser and the data miner, between the detection engine and the alarm optimizer, and between the alarm optimizer and the central control platform.

System cooperation design is the distinguishing characteristic of this system. The paper gives the meaning, principle, method and implementation process of its main aspects, such as data mining cooperation within the intrusion detection system, cooperation between the intrusion detection system and the vulnerability scanner, between the IDS and the antivirus system, between the IDS and switches, and between the IDS and the firewall.

Offline and simulated system experiments show that the combined application of the three algorithms can effectively improve detection efficiency and reduce both the false-positive rate and the false-negative rate. The cooperative intrusion detection system, which has good intrusion detection performance, can work stably in an intranet environment, detect intrusions and record detailed information about attacks.
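The data resolution step described above (parsing the data-link, IP and transport headers before preprocessing) is shown below as an added Python example written for this page, not code from the thesis or from libpcap. It parses one Ethernet/IPv4/TCP frame into a connection record, verifies the IPv4 header checksum, rejects truncated or inconsistent headers instead of trusting their length fields, and turns the record into attribute=value items of the kind a mining module would consume. The frame is constructed inline with struct, and the record field names and item vocabulary are this example's own convention; Python 3.8+ is assumed for bytes.hex with a separator.

```python
"""Data resolution step: parse Ethernet, IPv4 and TCP headers into a
connection record ready for preprocessing and mining.

Added example, not the thesis's code. Field names and the attribute=value
items produced by to_items() are this example's own convention.
Python 3.8+ (bytes.hex with a separator).
"""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Resolve the link, network and transport headers of one frame.

    Malformed input is rejected rather than guessed at: a capture-side parser
    that trusts the length fields inside a packet is itself an attack surface.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("unsupported ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(ip) or total_len < ihl:
        raise ValueError("bad IPv4 header length fields")
    if total_len > len(ip):
        raise ValueError("datagram longer than captured data")
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    record = {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
        "ttl": ttl, "proto": IP_PROTO_NAMES.get(proto, str(proto)),
    }
    payload = ip[ihl:total_len]  # total_len bounds the datagram, not the frame
    if proto == 6:
        if len(payload) < 20:
            raise ValueError("truncated TCP header")
        (sport, dport, _seq, _ack, off_flags, _window,
         _tcsum, _urg) = struct.unpack("!HHIIHHHH", payload[:20])
        data_offset = (off_flags >> 12) * 4
        if data_offset < 20 or data_offset > len(payload):
            raise ValueError("bad TCP data offset")
        record.update(
            src_port=sport, dst_port=dport,
            flags=[name for bit, name in enumerate(TCP_FLAG_NAMES)
                   if off_flags & (1 << bit)],
            payload_len=len(payload) - data_offset,
        )
    return record


def to_items(record: dict) -> set:
    """Preprocessing: turn a record into attribute=value items for mining."""
    items = {"proto=%s" % record["proto"]}
    if "dst_port" in record:
        items.add("dst_port=%d" % record["dst_port"])
        items.add("flags=%s" % "+".join(record["flags"]))
        items.add("payload=%s" % ("empty" if record["payload_len"] == 0 else "data"))
    return items


def build_syn_frame() -> bytes:
    """Constructed sample: one TCP SYN from 10.0.0.5 to 10.0.0.80:80."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                               socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.80")))
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))  # fill in header checksum
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4)
    return eth + bytes(ip) + tcp


if __name__ == "__main__":
    rec = parse_frame(build_syn_frame())
    print(rec)
    print(sorted(to_items(rec)))
```

The parser slices the datagram by the IPv4 total length rather than the frame length, so Ethernet padding does not leak into the payload count, and every length field is bounds-checked against what was actually captured before it is used as an offset. A single flipped byte in the IP header is caught by the checksum, which is the kind of consistency check a capture engine should apply before handing data to the mining stage.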
Keywords/Search Tags: intrusion detection system, distribution, cooperation, data mining