
Data Mining For Network Intrusion Detection System In Real Time

Posted on: 2005-04-01
Degree: Master
Type: Thesis
Country: China
Candidate: T Peng
Full Text: PDF
GTID: 2168360125950921
Subject: Computer application technology
Abstract/Summary:
With the evolution of information technology, and especially the spread of Internet/Intranet technology, the computer systems and information resources of more and more organizations and individuals are under threat. Information security has therefore become one of the most important tasks in the field of information technology. Traditional intrusion detection models are inefficient to build and costly to research. Data mining technology has particular strengths in discovering unexpected knowledge, so data-mining-based intrusion detection has become prevalent.

In essence, network security is network information security: all technologies and theories concerning the confidentiality, integrity, availability, authenticity and controllability of network information fall within its research domain. An intrusion is an unauthorized action, exceeding the actor's privileges, that attempts to compromise the confidentiality, integrity or availability of network information. Intrusion detection is an active security defence technology: it collects and analyses data from the computer system and the network at some network point in order to discover whether there are actions that violate the security policy and whether the system has been attacked. An intrusion detection system is the combination of software and hardware that performs intrusion detection.

In recent years data mining has advanced rapidly and has been combined with many subject domains. This paper presents a Network Intrusion Detection System in Real Time (NTIDS-RT) based on data mining. It adopts the FP-tree structure and the FP-growth mining method, which mines the FP-tree without candidate generation and is an optimization of the Apriori algorithm. FP-growth is well suited to a real-time system with frequently updated data such as NTIDS-RT. Apriori is the basic algorithm for generating frequent patterns.

Apriori employs an iterative approach known as level-wise search, in which k-itemsets are used to explore (k+1)-itemsets. It is an influential algorithm for mining frequent itemsets for Boolean association rules, and many association mining algorithms evolved from it. In many applications, however, Apriori does not perform as well as expected: it must scan the itemsets repeatedly, is inefficient, and consumes a great deal of CPU. FP-growth is an algorithm optimized from Apriori. It adopts a divide-and-conquer strategy that compresses the database of frequent items into a frequent-pattern tree (FP-tree) and then mines the FP-tree. The representation is highly compressed, frequent itemset generation is integrated into it, and the itemsets do not need to be scanned repeatedly. NTIDS-RT therefore adopts FP-growth, and the conclusion is that both resource usage and efficiency are improved.

NTIDS-RT is a network-based, real-time detection system. It is composed of several modules: a data collection module, a thread control module, a pattern generation module, a detection module and a human-computer interaction module. Data collection follows the sniffer approach, programmed with sockets. The captured dataset must then be pretreated and cleaned (for example, each data item is tagged with a label such as 'sIP', 'dIP', 'sPt', 'dPt' or 'po'). The thread control module mainly drives the pattern generation module to generate frequent itemsets according to a time window and the status of data collection. To control the pattern generation module, it adopts the concept of a time window: datasets are formed from the overlap of two adjoining time windows, and the size of that overlap is exactly the size of the time window. Controlling the size of the time window is important; when choosing it, the computer and network hardware and the kind of detection should be taken into account. The pattern generation module adopts data mining technology.

The core of the pattern generation method is FP-growth itself. It is composed of two parts: constructing the FP-tree, and mining it with FP-growth. Before constructing the FP-tree,...
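As an added illustration (not code from the thesis), the following Python implements the two parts named above, FP-tree construction and FP-growth mining without candidate generation, over one constructed time window of pretreated connection records whose values are tagged 'sIP', 'dIP', 'sPt', 'dPt' and 'po' as the abstract describes. The sample records, the absolute minimum support of 3 and the function names are assumptions.

```python
from collections import Counter, defaultdict
# Constructed sample of pretreated records; each value carries its field tag
# ('sIP', 'dIP', 'sPt', 'dPt', 'po') so that it is a distinct item.
RECORDS = [
    {"sIP=10.0.0.5", "dIP=10.0.0.9", "sPt=4123", "dPt=22", "po=tcp"},
    {"sIP=10.0.0.5", "dIP=10.0.0.9", "sPt=4124", "dPt=23", "po=tcp"},
    {"sIP=10.0.0.5", "dIP=10.0.0.9", "sPt=4125", "dPt=80", "po=tcp"},
    {"sIP=10.0.0.5", "dIP=10.0.0.9", "sPt=4126", "dPt=443", "po=tcp"},
    {"sIP=10.0.0.7", "dIP=10.0.0.9", "sPt=5000", "dPt=80", "po=tcp"},
    {"sIP=10.0.0.8", "dIP=10.0.0.9", "sPt=5001", "dPt=53", "po=udp"},
]
class Node:
    __slots__ = ("item", "count", "parent", "children")
    def __init__(self, item, parent):
        self.item, self.count, self.parent, self.children = item, 0, parent, {}

def build_fptree(transactions, min_support):
    # Pass 1: count single items and keep only the frequent ones.
    freq = Counter(i for t in transactions for i in t)
    freq = {i: c for i, c in freq.items() if c >= min_support}
    root, header = Node(None, None), defaultdict(list)  # header table: item -> nodes
    # Pass 2: insert each record's frequent items in descending-support order.
    for t in transactions:
        node = root
        for item in sorted((i for i in t if i in freq), key=lambda i: (-freq[i], i)):
            child = node.children.get(item)
            if child is None:
                child = node.children[item] = Node(item, node)
                header[item].append(child)
            child.count += 1
            node = child
    return header, freq

def fp_growth(transactions, min_support, suffix=frozenset()):
    """Return {frozenset(items): support} for every frequent itemset."""
    header, freq = build_fptree(transactions, min_support)
    patterns = {}
    for item in sorted(freq, key=lambda i: (freq[i], i)):  # least frequent first
        pattern = suffix | {item}
        patterns[pattern] = freq[item]
        cond_base = []  # conditional pattern base: prefix paths, one copy per count
        for node in header[item]:
            path, p = [], node.parent
            while p.item is not None:  # walk up to the root (item None)
                path.append(p.item)
                p = p.parent
            cond_base.extend([path] * node.count)
        patterns.update(fp_growth(cond_base, min_support, pattern))  # recurse
    return patterns
```

With minimum support 3, the single source 10.0.0.5 probing several destination ports surfaces as the 4-record pattern {sIP=10.0.0.5, dIP=10.0.0.9, po=tcp}, while the individual destination ports stay below support and are never materialised as candidates.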
Keywords/Search Tags:Intrusion