
Research On Classification Models For Anomaly Detection Based On Network Connection Records

Posted on: 2004-01-17    Degree: Master    Type: Thesis
Country: China    Candidate: W T Mi    Full Text: PDF
GTID: 2168360092497125    Subject: Computer applications
Abstract/Summary:
Problems of computer security have become more prominent and more complex with the rapid development of computer and Internet technologies. Because intrusion detection plays an important role in network security, research on intrusion detection techniques is of great importance. Existing intrusion detection technology, however, has many shortcomings, one of which is that it cannot effectively handle the huge volumes of data produced in host and network environments.

Starting from knowledge discovery in databases, this thesis briefly introduces the advantages of applying data mining technology to the domain of intrusion detection. Packet data captured by the TCPDUMP program in a simulated attack environment were selected as the training and test datasets used to construct classification models. The processing methods and procedures applied to the dataset are explained in detail. First, the original dataset was partitioned into TCP segments and UDP datagrams according to the transport-layer protocol. The TCP segments were then further divided into several parts according to the type of destination service. Next, within each part, the segments belonging to a single TCP connection were located by matching the four-tuple (source address, source port, destination address, destination port), and these segments were combined into a TCP segment block. Finally, the basic feature attributes of each network connection were extracted from these blocks to form network connection records, which can be used directly to construct anomaly detection models with classification algorithms. Solutions are also proposed for the various problems encountered in practice.

In the fourth section of the thesis, the method of constructing time-based statistical features for connection records, and of using those features to build classification models, is studied in detail.

To improve the accuracy of the classification model and reduce the false positive rate, factors that may adversely affect the model's accuracy were analysed, and a method for selecting an appropriate feature set was provided. Many trials were made during the study, and a feature set that is relatively ideal for the trial dataset was finally found. The trial results indicate that classification models constructed from this feature set exhibit a clear threshold separating normal network activity from abnormal activity, so the anomaly classification model proposed in this thesis achieves better detection performance.
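The pipeline the abstract describes (partition packets by transport protocol, match TCP segments to connections by four-tuple, extract basic connection features, then derive time-based statistical features and apply a threshold) is shown below as an added worked example. It is not code from the thesis: the packet tuples are constructed sample data rather than a tcpdump capture, the 2-second window, the S0/REJ/SF status labels, the count/srv_count/serror_rate features and the threshold rule are all assumptions chosen for illustration, and the per-service partition the thesis performs before four-tuple matching is folded into a single dictionary lookup here.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample packets, NOT a real tcpdump capture:
# (timestamp_s, src_ip, dst_ip, src_port, dst_port, proto, tcp_flags, payload_bytes)
PACKETS = [
    (0.00, "10.0.0.5", "10.0.0.9", 40001, 80, "tcp", "S", 0),      # normal HTTP fetch
    (0.01, "10.0.0.9", "10.0.0.5", 80, 40001, "tcp", "SA", 0),
    (0.02, "10.0.0.5", "10.0.0.9", 40001, 80, "tcp", "A", 120),
    (0.05, "10.0.0.9", "10.0.0.5", 80, 40001, "tcp", "PA", 900),
    (0.30, "10.0.0.5", "10.0.0.9", 40001, 80, "tcp", "F", 0),
    (0.40, "10.0.0.5", "10.0.0.53", 5353, 53, "udp", "", 60),       # UDP DNS query
    (1.00, "10.0.0.7", "10.0.0.9", 50001, 22, "tcp", "S", 0),      # SYN burst to many ports
    (1.00, "10.0.0.9", "10.0.0.7", 22, 50001, "tcp", "R", 0),
    (1.10, "10.0.0.7", "10.0.0.9", 50002, 23, "tcp", "S", 0),
    (1.20, "10.0.0.7", "10.0.0.9", 50003, 25, "tcp", "S", 0),
    (1.30, "10.0.0.7", "10.0.0.9", 50004, 80, "tcp", "S", 0),
    (1.40, "10.0.0.7", "10.0.0.9", 50005, 443, "tcp", "S", 0),
]


@dataclass
class ConnRecord:
    """Basic features of one TCP connection (the "network connection record")."""
    start: float
    end: float
    src: str
    dst: str
    sport: int
    service: int          # destination port seen from the initiating side
    src_bytes: int = 0
    dst_bytes: int = 0
    packets: int = 0
    src_flags: str = ""   # flags sent by the initiator, concatenated
    dst_flags: str = ""   # flags sent by the responder, concatenated

    @property
    def duration(self):
        return round(self.end - self.start, 6)

    @property
    def status(self):
        # Assumed coarse status labels: REJ = responder reset,
        # S0 = SYN sent and nothing came back, SF = anything else.
        if "R" in self.dst_flags:
            return "REJ"
        if "S" in self.src_flags and not self.dst_flags:
            return "S0"
        return "SF"


def partition_by_transport(packets):
    """Step 1: split the raw packet stream into TCP segments and UDP datagrams."""
    tcp = [p for p in packets if p[5] == "tcp"]
    udp = [p for p in packets if p[5] == "udp"]
    return tcp, udp


def build_tcp_connections(tcp_segments):
    """Steps 2-4: match each segment to a connection by four-tuple in either
    direction and accumulate the basic per-connection features."""
    conns = {}  # key: (src, sport, dst, dport) as seen from the initiator
    for ts, src, dst, sport, dport, _, flags, length in sorted(tcp_segments, key=lambda p: p[0]):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in conns:
            c, forward = conns[fwd], True
        elif rev in conns:
            c, forward = conns[rev], False
        else:  # first segment seen defines the initiator and the service port
            c = conns[fwd] = ConnRecord(start=ts, end=ts, src=src, dst=dst, sport=sport, service=dport)
            forward = True
        c.end = max(c.end, ts)
        c.packets += 1
        if forward:
            c.src_bytes += length
            c.src_flags += flags
        else:
            c.dst_bytes += length
            c.dst_flags += flags
    return sorted(conns.values(), key=lambda c: c.start)


def add_time_window_features(records, window=2.0):
    """Time-based statistical features (window length is an assumed parameter):
    for each record, look at connections to the same destination host that
    started within the preceding `window` seconds, the record itself included."""
    feats = []
    for i, c in enumerate(records):
        recent = [r for r in records[: i + 1] if r.dst == c.dst and c.start - r.start <= window]
        count = len(recent)
        srv_count = sum(1 for r in recent if r.service == c.service)
        serror_rate = sum(1 for r in recent if r.status in ("S0", "REJ")) / count
        feats.append({"start": c.start, "src": c.src, "dst": c.dst, "service": c.service,
                      "status": c.status, "duration": c.duration, "src_bytes": c.src_bytes,
                      "dst_bytes": c.dst_bytes, "count": count, "srv_count": srv_count,
                      "serror_rate": serror_rate})
    return feats


def classify(feat, count_threshold=4, serror_threshold=0.75):
    """Illustrative threshold rule standing in for a trained classifier (thresholds
    assumed): many connections to one host in the window, mostly failing, is anomalous."""
    return "anomaly" if feat["count"] >= count_threshold and feat["serror_rate"] >= serror_threshold else "normal"


def run(packets=PACKETS, window=2.0):
    tcp, udp = partition_by_transport(packets)
    feats = add_time_window_features(build_tcp_connections(tcp), window)
    for f in feats:
        f["label"] = classify(f)
    return feats, len(udp)


if __name__ == "__main__":
    feats, n_udp = run()
    print(f"{n_udp} UDP datagram(s) set aside; {len(feats)} TCP connection records")
    for f in feats:
        print(f"{f['start']:5.2f} {f['src']}->{f['dst']}:{f['service']:<4} {f['status']:<3} "
              f"count={f['count']} srv_count={f['srv_count']} serror_rate={f['serror_rate']:.2f} -> {f['label']}")
```

Running it, the single completed HTTP connection stays "normal" while the burst of unanswered SYNs to 10.0.0.9 crosses the assumed threshold from the fourth connection in the window onwards; the point of the time-window features is that no single connection record in that burst looks abnormal on its basic features alone.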
Keywords/Search Tags: intrusion detection, data mining, anomaly detection, classification model.