
Research On Machine Learning Approach For Network Anomaly Detection And Response

Posted on: 2011-05-12
Degree: Doctor
Type: Dissertation
Country: China
Candidate: S Z Zuo
Full Text: PDF
GTID: 1118360308462217
Subject: Signal and Information Processing
Abstract/Summary:
With the rapid development of computers and networking, more and more routine and business activities depend on the Internet. At the same time, computer intrusions are rising year by year and seriously threaten the development and application of all kinds of computer systems, so developing efficient algorithms for anomaly detection cannot be avoided. Because new kinds of attacks emerge one after another, traditional firewalls have difficulty detecting them. Intrusion detection is an active defense technology that is regarded as a complement to the shortcomings of traditional security measures, and most researchers in this area focus on it. With the growth of network scale, the increase in network traffic and new attack techniques, high-performance intrusion detection systems are needed. This dissertation focuses on enhancing detection accuracy, reducing false positives and false negatives, and automating response. The main achievements are as follows:

1) We treat intrusion detection as a pattern recognition problem: network traffic features and audit records are used to distinguish normal from anomalous behavior. The Support Vector Machine (SVM) performs well on small-scale feature spaces for anomaly detection, but samples with redundant features take much more space and degrade SVM performance. This dissertation proposes a new SVM model for intrusion detection whose kernel function is weighted according to features of the training data. Rough set theory performs the feature ranking and selection for the enhanced SVM model, so as to take advantage of both SVM and rough set theory. Based on the feature ranks produced by rough set theory, a new algorithm computes the feature weights used in the kernel function of the enhanced SVM model. Experiments show that the proposed model outperforms the conventional SVM in precision, computation time and false negative rate, which makes online intrusion detection feasible.

2) The basic idea of anomaly detection algorithms is to build models of normal behavior and automatically detect any deviation from them. Constructing effective normal profiles for anomaly detection requires a learning process that can be updated continuously to reflect current user behavior. Existing approaches either require time-consuming retraining or are inflexible in their updating, which makes them less efficient at maintaining current normal profiles. The main goal here is an effective anomaly detection system that systematically models changes to the normal profile, so that it reflects and maintains currently unknown patterns while discarding outdated ones. Consequently, anomalous attempts can be detected effectively.

3) This dissertation proposes a trust value calculated from static vulnerability and dynamic network traffic. The network administrator can choose and fix a time slot, from a few minutes to a few hours or days long, depending on how frequently the application needs the trust value updated.

4) With the growing complexity, automation and scale of attacks, the traditional human response mechanism cannot satisfy practical needs: it reacts slowly and its responses are delayed, so attacks cause huge losses. The traditional response strategy cannot satisfy the needs of large-scale, high-speed networks, and it becomes impossible to handle security by depending on humans alone. To solve this urgent problem, this dissertation proposes a trust-based fast response framework that collaborates with the anomaly detection system. When an attack is launched in a network, e.g., a worm outbreak, the framework adjusts the trust values of suspicious hosts before confirming that a host is compromised. (Once a host is confirmed as compromised, after a detection delay, its traffic is blocked immediately.) Correspondingly, based on the trust values, service can be degraded for flows from hosts with down-graded trust values. Experimental results show that the trust-based approach achieves good performance.
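To make the graded response of items 3) and 4) concrete, the following Python program is an added example, not code from the dissertation. It keeps a per-host trust value that starts from an assumed static-vulnerability score, is lowered by anomaly alerts arriving within a time slot, recovers during clean slots, and drives a service tier (full, degraded, blocked); a confirmed compromise blocks the host outright. The numeric thresholds, the penalty and recovery rates, the initial-trust formula and the sample host addresses are all assumptions made for this example.

```python
"""Trust-based graded response for anomaly alerts.

Added example (not the dissertation's code): a per-host trust value is
lowered as anomaly alerts arrive during a time slot, recovers during clean
slots, and selects a service tier (full / degraded / blocked). Thresholds,
penalties and the initial-trust formula are assumptions made for this example.
"""
from dataclasses import dataclass

# Assumed parameters; the dissertation gives no numeric values.
TRUST_FULL = 1.0
DEGRADE_THRESHOLD = 0.6    # trust below this -> reduced service tier
BLOCK_THRESHOLD = 0.3      # trust below this -> traffic blocked
ANOMALY_PENALTY = 0.2      # trust lost per unit of anomaly score
RECOVERY_PER_SLOT = 0.05   # trust regained per clean time slot


@dataclass
class HostTrust:
    static_vuln: float          # 0.0 (hardened) .. 1.0 (highly vulnerable), assumed scale
    trust: float
    confirmed_compromised: bool = False


def initial_trust(static_vuln: float) -> float:
    """Assumed combination: more static vulnerability means less starting trust."""
    return max(0.0, TRUST_FULL - 0.5 * static_vuln)


class TrustResponder:
    def __init__(self) -> None:
        self.hosts: dict[str, HostTrust] = {}

    def register(self, host: str, static_vuln: float) -> None:
        self.hosts[host] = HostTrust(static_vuln, initial_trust(static_vuln))

    def on_anomaly(self, host: str, score: float) -> float:
        """Dynamic-traffic evidence: lower trust before compromise is confirmed."""
        h = self.hosts[host]
        # Vulnerable hosts lose trust faster for the same anomaly score (assumption).
        penalty = ANOMALY_PENALTY * score * (1.0 + h.static_vuln)
        h.trust = max(0.0, h.trust - penalty)
        return h.trust

    def on_clean_slot(self, host: str) -> float:
        """A slot without alerts lets trust recover, unless the host is confirmed compromised."""
        h = self.hosts[host]
        if not h.confirmed_compromised:
            h.trust = min(TRUST_FULL, h.trust + RECOVERY_PER_SLOT)
        return h.trust

    def confirm_compromise(self, host: str) -> None:
        """Detection has confirmed the host: block immediately regardless of trust."""
        h = self.hosts[host]
        h.confirmed_compromised = True
        h.trust = 0.0

    def service_tier(self, host: str) -> str:
        h = self.hosts[host]
        if h.confirmed_compromised or h.trust < BLOCK_THRESHOLD:
            return "blocked"
        if h.trust < DEGRADE_THRESHOLD:
            return "degraded"
        return "full"

    def rate_limit(self, host: str, base_bps: int) -> int:
        """Bandwidth granted to the host's flows: full, scaled by trust, or zero."""
        tier = self.service_tier(host)
        if tier == "blocked":
            return 0
        if tier == "degraded":
            return int(base_bps * self.hosts[host].trust)
        return base_bps


def simulate(events: list[tuple[str, str, float]]) -> dict[str, str]:
    """Replay an event stream and return each host's final service tier.

    Event kinds: ("register", host, static_vuln), ("anomaly", host, score),
    ("clean", host, 0.0), ("confirm", host, 0.0).
    """
    r = TrustResponder()
    for kind, host, value in events:
        if kind == "register":
            r.register(host, value)
        elif kind == "anomaly":
            r.on_anomaly(host, value)
        elif kind == "clean":
            r.on_clean_slot(host)
        elif kind == "confirm":
            r.confirm_compromise(host)
    return {host: r.service_tier(host) for host in r.hosts}


# Constructed sample: three hosts on a lab network (addresses are placeholders).
SAMPLE_EVENTS = [
    ("register", "10.0.0.11", 0.2),   # patched workstation
    ("register", "10.0.0.12", 0.8),   # unpatched server
    ("register", "10.0.0.13", 0.2),
    ("anomaly", "10.0.0.11", 0.5),    # one moderate alert
    ("anomaly", "10.0.0.12", 0.5),    # same alert weighs more on the vulnerable host
    ("anomaly", "10.0.0.12", 0.3),
    ("clean", "10.0.0.11", 0.0),      # a quiet slot lets the workstation recover
    ("confirm", "10.0.0.13", 0.0),    # compromise confirmed after the detection delay
]

if __name__ == "__main__":
    print(simulate(SAMPLE_EVENTS))
```

In the sample run the patched workstation keeps full service after a single alert and a clean slot, the unpatched server with two alerts drops into the degraded tier (its flows are rate-limited in proportion to its remaining trust), and the confirmed host is blocked regardless of its trust history, which is the ordering of responses that item 4) describes.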
Keywords/Search Tags:Machine Learning, Anomaly Detection, Behavior Profile, Support Vector Machine, Trust Evaluation