
The Key Technology Research Of Intrusion Prevention With Immune Response Function

Posted on: 2014-01-18
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y Z Li
Full Text: PDF
GTID: 1228330392964346
Subject: Computer application technology

Abstract/Summary:
With the development of information technology, network applications continue to increase and the threats to computer network security are growing day by day. In recent years, intrusion detection has become a focus of research as a network security technology. As means of attack become increasingly sophisticated, the demands placed on intrusion detection techniques have risen accordingly. In particular, traditional intrusion detection systems have not solved current network security problems such as distributed attacks. At the same time, the only response measure of an intrusion detection system is to send an alarm to the administrator, so it cannot respond in time. For these reasons, this thesis combines distributed prevention with automated response techniques, takes the related key problems of the prevention mechanism as its research object, carries out in-depth theoretical research and experimental analysis, and obtains new results.

Because there is no effective prevention and response mechanism for distributed intrusion attacks, a distributed intrusion prevention system is designed in this thesis. The system has two special modules: an alarm pretreatment module and a response treatment module. The alarm pretreatment module is an alarm information fusion system based on attribute fusion at the decision level. Alarms are fused using the fuzzy comprehensive evaluation method and an immune evolution algorithm, which reduces the number of alarms and yields the effective alarm threads. The response treatment module is a decision model based on risk assessment; it combines the response-time decision with the response-measure decision to overcome the problem of responses that are premature or delayed.

Traditional intrusion detection systems are weak at detecting unknown attacks. To address this shortcoming, an immune prevention system based on intrusion tolerance is designed. The prevention system combines innate immunity and danger theory to handle unknown attacks. The fault tolerance and damage isolation technologies from intrusion tolerance theory serve as the methods of the innate immune response, and the responder applies them when the value of the danger signal exceeds a threshold. Malicious transactions are isolated based on the trust picture, and system resources can be recovered based on a dynamic semi-active replication strategy.

To overcome the lack of an effective training set for anomaly-based intrusion detection systems, a data classification method based on network data captured under real conditions is put forward. The PSO-FCM clustering algorithm is used to cluster the real network data. At the same time, the number of clusters is adjusted by an immune evolution algorithm, which removes the need to specify the number of clusters in advance. After the network data are clustered, the clusters are labeled "normal" or "attack" by a labeling algorithm based on an abnormal factor. This yields the normal and abnormal packets for the network, which can be used as the training set for the normal template.

To simulate distributed intrusion attacks accurately and use them to test the intrusion prevention system, an intrusion attack module and an intrusion prevention system model are established in OPNET Modeler. The intrusion prevention system is tested using a UDP Flood attack module.
Keywords/Search Tags:Intrusion tolerant, Immune, Particle swarm, Information fusion, Intrusion response, OPNET