
Network Log Analysis In Cooperative Intrusion Detection System

Posted on: 2005-07-29
Degree: Master
Type: Thesis
Country: China
Candidate: C Yu
Full Text: PDF
GTID: 2168360152469182
Subject: Computer software and theory
Abstract/Summary:
With the explosive growth of the Internet and its applications, malicious behaviour directed at the Internet has become more and more common. Most current Intrusion Detection Systems detect these attacks by string matching: they search packets for particular strings and output an alert when one matches. Such string-matching rules are easy to write and fast to evaluate, and they detect most port scans and penetration attempts efficiently. As attack methods grow more complex, however, the string-matching approach gradually shows its shortcomings. It matches only on packet content and cannot detect many disguised attacks; this causes the first kind of missed alert. The engine only decodes IP/TCP/UDP/ICMP content and matches it against attack signatures; it performs no further matching, whether accumulated or logical, so it cannot detect distributed denial of service, is easily fooled, and causes the second kind of missed alert.

To address these problems, Cooperative Intrusion Detection introduces network log analysis to detect such intrusions. Network log analysis works at the IP layer, and its goal is to find association relationships among the features of one access record or between access records. If item sets of access records satisfy a given support ratio and confidence ratio, we regard some attack as having occurred. Because this method uses logical matching and does not depend on any fixed string, it can improve the detection rate for disguised attacks and distributed denial of service.

This thesis proposes an architecture for analysing network logs in parallel: packets arriving at the gateway are forwarded to internal computing nodes by port mapping, which speeds up analysis and thereby reduces response delay. The thesis also studies the association analysis algorithm in light of the features of network logs and makes several improvements to it. The improved association algorithm analyses the features of network logs more easily and takes the influence of both confidence and support into account. The number of association rules has a direct influence on the detection rate.

The system is implemented in C and C++ and was tested with attacks: the test tools comprise six Finger attack tools and six DDoS attack tools. After testing, the results were studied further with respect to the influence of support and confidence. The test results confirm that network log analysis clearly improves the detection rate for Finger attacks and DDoS. Support has a strong influence on Finger attack detection, while confidence has a strong influence on DDoS attack detection.
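The support/confidence association analysis the abstract describes, as an added Python example that is not code from the thesis (whose system was written in C and C++): an Apriori-style miner over a constructed set of IP-layer access records, where the records, the feature tokens and the thresholds are assumptions made for this illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed IP-layer access records, each a set of feature=value tokens
# (sample data made up for this example, not the thesis's test traffic).
# Records 0-5 mimic a burst of short SYN packets to one port; 6-8 are
# ordinary traffic.
RECORDS = [
    {"proto=tcp", "dport=80", "flags=S", "len=40", "ttl<32"},
    {"proto=tcp", "dport=80", "flags=S", "len=40", "ttl<32"},
    {"proto=tcp", "dport=80", "flags=S", "len=40"},
    {"proto=tcp", "dport=80", "flags=S", "len=40", "ttl<32"},
    {"proto=tcp", "dport=80", "flags=S", "len=40"},
    {"proto=tcp", "dport=80", "flags=S", "len=40", "ttl<32"},
    {"proto=tcp", "dport=80", "flags=A", "len=1500"},
    {"proto=udp", "dport=53", "len=60"},
    {"proto=tcp", "dport=22", "flags=A", "len=120"},
]


def frequent_itemsets(records, min_support, max_len=3):
    """Apriori-style search: {itemset: support} for every itemset of up to
    max_len features whose support (fraction of records containing it)
    is at least min_support."""
    n = len(records)
    candidates = list({frozenset([t]) for r in records for t in r})
    found = {}
    for k in range(1, max_len + 1):
        counts = Counter(c for r in records for c in candidates if c <= r)
        frequent = {c: cnt / n for c, cnt in counts.items() if cnt / n >= min_support}
        if not frequent:
            break
        found.update(frequent)
        # Join step: only unions of two frequent k-itemsets can be frequent (k+1)-itemsets.
        keys = list(frequent)
        candidates = list({a | b for a in keys for b in keys if len(a | b) == k + 1})
    return found


def association_rules(records, min_support, min_confidence):
    """Rules lhs -> rhs as (lhs, rhs, support, confidence), where
    confidence = support(lhs | rhs) / support(lhs) >= min_confidence.
    Lowering either threshold yields more rules, the quantity the
    abstract relates to detection rate."""
    supp = frequent_itemsets(records, min_support)
    rules = []
    for itemset, s in supp.items():
        for i in range(1, len(itemset)):
            for lhs in combinations(sorted(itemset), i):
                lhs = frozenset(lhs)
                conf = s / supp[lhs]  # every subset of a frequent itemset is frequent
                if conf >= min_confidence:
                    rules.append((lhs, itemset - lhs, round(s, 3), round(conf, 3)))
    return rules
```

On these records a rule such as flags=S -> len=40 reaches confidence 1.0, while proto=tcp -> dport=80 survives only when the confidence threshold drops below 0.875, which is the kind of threshold sensitivity the tests with Finger and DDoS tools measured.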
Keywords/Search Tags: Intrusion Detection, Network Log Analysis, Data Mining, Association Analysis, Classification Analysis