In recent years, with the popularization and development of networks, network intrusions have become more and more serious, and network security faces severe challenges. As the main part of the network security protection architecture, network intrusion detection has become ever more important and is now a keystone and hotspot of research. Network intrusion detection can discover intrusions and protect the network, but as bandwidth grows and attacks become more varied and more frequent, detection becomes harder, which greatly reduces the practicability of IDS. First, distributed intrusions from multiple hosts give current IDS too much traffic to process; second, large-scale network environments make IDS deployment more difficult; finally, the variety of attacks and the presence of unknown intrusions raise the false alert rate and the missed alert rate and lower detection accuracy.

In this context, this paper studies three aspects of network intrusion detection: the network attack model, misuse and anomaly intrusion detection techniques, and IDS architecture. Specifically: for the security evaluation of a target network, a network attack graph model based on reverse search is constructed, which can guide IDS deployment; to speed up rule matching in misuse intrusion detection, the Wu-Manber multiple-pattern matching algorithm is studied and improved; to lower the missed alert rate for unknown intrusions, a hypersphere-based edge-sample-filtering SVM classifier is studied; and to design an IDS with high expansibility, reliability and usability, a multi-agent hybrid IDS model is studied. The research results and innovations are as follows.

1) A network attack graph model generation method based on reverse search. Addressing the problems of traditional attack graph generation methods, such as too many system states, a large state space, complex attack graph structure and low generation efficiency, the method divides the hosts of the internal network into security levels and combines a reverse search mechanism with system vulnerability analysis. This compresses the system state space effectively and raises the generation efficiency of the network attack graph; the generated model has a simple structure and reflects the security of the target network well.

2) An improved Wu-Manber multiple-pattern matching algorithm. The Wu-Manber algorithm, widely used in misuse intrusion detection, has the following limitations in practice: poor performance on short patterns, redundant data and operations, and the need to traverse the whole suffix link list. This paper analyzes the reasons for these problems and improves the algorithm: short and long patterns are handled separately with independent data structures, and concurrent processing and address filtering are added, which resolves the above problems effectively. The improved Wu-Manber algorithm demonstrates good performance in network intrusion detection.

3) An SVM classifier using a hypersphere-based edge-sample filtering algorithm. Classifiers are an important anomaly intrusion detection technique used to detect unknown intrusions, and the SVM classifier is currently a research hotspot because of its good generalization ability. This paper addresses the large size of the sample set and the influence of outliers during the construction of the SVM classifier. Since the partition result of the classifier is mainly determined by the support vectors, which make up a small fraction of the sample set and lie at the boundary between the two classes of samples, the KNN algorithm and a hypersphere filtering algorithm are used to extract the edge samples. This shortens the training time while preserving the generalization ability of the classifier, and the classifier performs well when used for intrusion detection.

4) A hybrid IDS model based on multiple agents. The model draws on the AAFID architecture proposed by Purdue University and improves on it, obtaining better expansibility. In our model a dedicated function module for intrusion detection is designed. It combines misuse and anomaly intrusion detection techniques, lowering both the false alert rate and the missed alert rate. In addition, a multiple-attribute method is used to extract the properties of intrusions, and an RBF-based SVM is used to construct the classifier, which improves detection accuracy for unknown intrusions. The whole model has excellent expansibility, reliability, stability and usability, and is suitable for large-scale, high-speed networks.
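As an added illustration of the rule-matching problem described in item 2) (example code written for this page, not the thesis's improved algorithm), the following is a minimal classic Wu-Manber matcher in Python with a window counter, run over a constructed request line against a constructed rule set with and without a short pattern. It shows why short patterns hurt: the block size and the maximum shift are bounded by the length m of the shortest pattern, so one short rule makes the whole set scan almost byte by byte.

```python
from collections import defaultdict


def build_wu_manber(patterns, block=2):
    """Build the SHIFT and HASH tables over the first m characters of every pattern."""
    m = min(len(p) for p in patterns)          # shortest pattern bounds everything
    block = min(block, m)                      # block size cannot exceed m
    shift = defaultdict(lambda: m - block + 1)  # unseen block: skip a full window
    buckets = defaultdict(list)                # HASH: last block of prefix -> patterns
    for p in patterns:
        for i in range(block, m + 1):          # every block inside the m-char prefix
            blk = p[i - block:i]
            shift[blk] = min(shift[blk], m - i)
        buckets[p[m - block:m]].append(p)
    return m, block, shift, buckets


def wm_search(text, patterns, block=2):
    """Return (matches, stats); matches are (start, pattern), stats count work done."""
    m, b, shift, buckets = build_wu_manber(patterns, block)
    matches, stats = [], {"windows": 0, "verifications": 0}
    i = m                                      # window is text[i-m:i]
    while i <= len(text):
        stats["windows"] += 1
        blk = text[i - b:i]
        s = shift[blk]
        if s == 0:                             # block ends some pattern prefix: verify
            for p in buckets[blk]:
                stats["verifications"] += 1
                start = i - m
                if text.startswith(p, start):  # check the full pattern, not only the prefix
                    matches.append((start, p))
            i += 1
        else:
            i += s
    return matches, stats


def demo():
    """Same constructed request line against a long-only rule set and one with a short rule."""
    text = "GET /cgi-bin/../../etc/passwd HTTP/1.0"      # constructed sample
    long_rules = ["/etc/passwd", "cmd.exe", "select%20"]   # constructed, m = 7
    mixed_rules = long_rules + ["../"]                    # one short rule drops m to 3
    return wm_search(text, long_rules), wm_search(text, mixed_rules)
```

Comparing the two `windows` counts from `demo()` makes the cost of the short rule visible, which is the motivation for handling short and long patterns with separate structures.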