
Excavating Specific Patterns Of Intrusion By Means Of Data Mining And The Research Of Technologies Of Intrusion Detection System

Posted on: 2005-12-28
Degree: Master
Type: Thesis
Country: China
Candidate: Y Cheng
Full Text: PDF
GTID: 2168360125468121
Subject: Computer applications
Abstract/Summary:
With the growth of Internet applications, network security is becoming more and more important, and intrusion detection systems, alongside firewalls and encryption systems, are flourishing. During the past several years, intrusion detection systems built on rule-based technologies have dominated the market. Their advantage is that they are fast and accurate; their disadvantage is that they cannot detect intrusions whose specific patterns are unknown. So far, the rules are still written by security experts, and human effort clearly cannot keep pace with the continual emergence of new intrusions. Data mining, a data-processing technology, can extract valuable information from large amounts of network data, so security experts would do better to derive rules by means of data mining technology.

The thesis consists of two topics: how to apply data mining technology to IDS, and the technologies adopted by the intrusion detection engine. In the first part, we begin by analysing the characteristics of network data packets. Secondly, we present several common data mining algorithms. Thirdly, we demonstrate how to combine the Apriori algorithm with the CAEP classification algorithm to excavate specific patterns of intrusion. In my research, the Apriori algorithm, which solves the association rule mining problem, is applied to obtain candidate patterns of intrusion; the suitable patterns are then selected by means of CAEP. Based on these patterns, security experts can write intrusion detection rules. In the second part, we demonstrate the technologies adopted by the intrusion detection engine, such as capturing network packets on Microsoft Windows systems, reassembling IP fragments, detecting port scans, and building dynamic detection libraries.
In this part, we also research describing intrusion detection rules in XML (Extensible Markup Language) and reading the rules from XML files by means of the MSXML4.0 libraries. At the end of this part, we present a framework for the intrusion detection engine.
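The first part's pipeline, as an added illustration that is not part of the thesis: the Apriori algorithm mines frequent feature itemsets from intrusion-labelled packet records, then a CAEP-style emerging-pattern filter keeps only the candidates whose support grows sharply from normal to intrusion traffic, which is what makes them usable as detection rules. The packet records and feature names are constructed for the example, and the min_support and min_growth thresholds are assumed.

```python
from itertools import combinations

# Constructed sample records: each is the set of discretised features of one
# packet (feature names are assumed, not from the thesis), labelled by class.
INTRUSION = [
    {"proto=tcp", "flag=SYN", "dst_port=23", "pkt_len=small"},
    {"proto=tcp", "flag=SYN", "dst_port=21", "pkt_len=small"},
    {"proto=tcp", "flag=SYN", "dst_port=80", "pkt_len=small"},
    {"proto=tcp", "flag=SYN", "dst_port=23", "pkt_len=small"},
]
NORMAL = [
    {"proto=tcp", "flag=ACK", "dst_port=80", "pkt_len=large"},
    {"proto=tcp", "flag=ACK", "dst_port=443", "pkt_len=large"},
    {"proto=udp", "flag=NONE", "dst_port=53", "pkt_len=small"},
    {"proto=tcp", "flag=SYN", "dst_port=80", "pkt_len=small"},
]

def support(itemset, records):
    """Fraction of records that contain every item of the itemset."""
    return sum(1 for r in records if itemset <= r) / len(records)

def apriori(records, min_support):
    """Frequent itemsets (frozenset -> support) found level by level."""
    level = {frozenset([i]) for r in records for i in r}
    level = {s for s in level if support(s, records) >= min_support}
    frequent = {s: support(s, records) for s in level}
    k = 2
    while level:
        # Join: build k-itemsets from pairs of frequent (k-1)-itemsets.
        candidates = {a | b for a in level for b in level if len(a | b) == k}
        # Prune: every (k-1)-subset of a candidate must itself be frequent.
        candidates = {c for c in candidates
                      if all(frozenset(s) in level
                             for s in combinations(c, k - 1))}
        level = {c for c in candidates if support(c, records) >= min_support}
        frequent.update({c: support(c, records) for c in level})
        k += 1
    return frequent

def emerging_patterns(intrusion, normal, min_support, min_growth):
    """CAEP-style filter: keep Apriori candidates whose support grows at
    least min_growth times from normal to intrusion traffic."""
    kept = {}
    for pattern, sup_i in apriori(intrusion, min_support).items():
        sup_n = support(pattern, normal)
        growth = float("inf") if sup_n == 0 else sup_i / sup_n
        if growth >= min_growth:
            kept[pattern] = growth
    return kept
```

With the sample data, `emerging_patterns(INTRUSION, NORMAL, 0.75, 3.0)` keeps five patterns with growth rate 4.0, while `proto=tcp` alone, frequent in both classes, is dropped as non-discriminative.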
Keywords/Search Tags: IDS, data mining, capture of packets, COM, XML