
Distributed Network Intrusion Detection System Based On Data Mining Technology

Posted on: 2006-06-02
Degree: Master
Type: Thesis
Country: China
Candidate: D X Cui
GTID: 2168360155955322
Subject: Computer application technology

Abstract/Summary:
With the rapid development of computer and network technology, the network has become an important part of our daily life. The network provides many advantages and conveniences, but at the same time it brings problems, among them network security. Under existing operating systems and application software environments, security products such as firewalls, identity authentication, encryption, anti-virus protection and VPNs cannot resist attacks by hackers well on their own. Intrusion detection system (IDS) technology has therefore emerged to meet this need.

In this paper, the causes of missed alarms (false negatives) in intrusion detection systems are analyzed according to the current status of IDS. By studying the existing approaches, this paper summarizes several technical ways to reduce missed alarms. After analyzing the feasibility of combining data mining technology with an IDS, a distributed network intrusion detection system based on data mining technology (DM-DSNIDS) is designed. Because of its modular design, the system has better maintainability and extensibility; the operating principle of each module is explained in detail. The original Snort intrusion detection system inspects each packet individually. Because of the mass of network traffic, more and more attacks split their data across several packets to evade Snort's per-packet detection. The author therefore introduces data mining technology into the core detection part of the system and presents a "second detection module", together with a detection method based on data mining technology, to provide a sound theoretical foundation for future research. In addition, several modules of the system are implemented in this paper, including the system client and the management platform, their communication, and data preprocessing.

At the end of the paper, a simple functional test of some modules is carried out using two particular kinds of attack. Adding more detection rules allows the system to detect more kinds of attack.
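The evasion the abstract describes, a rule pattern split across several packets so that per-packet matching never sees it, is illustrated below with an added example that is not part of the thesis or of Snort: a first stage matches content rules on each packet, and a second stage reassembles each flow's segments by sequence number (handling out-of-order arrival and overlapping retransmissions) before matching. The rule set, flow tuple and segments are constructed sample data.

```python
from collections import defaultdict

# Constructed rule set: content pattern -> alert name (hypothetical rule).
RULES = {b"/etc/passwd": "sensitive file request"}

def match_packet(payload):
    """Stage one: per-packet content matching, as a single-packet IDS does it."""
    return [name for pat, name in RULES.items() if pat in payload]

class StreamReassembler:
    """Stage two: reorder each flow's segments by TCP sequence number and match
    rules on the reassembled byte stream, so a pattern that straddles a
    segment boundary is still seen."""
    def __init__(self):
        self.flows = defaultdict(dict)      # flow key -> {seq: payload}

    def add(self, flow, seq, payload):
        self.flows[flow][seq] = payload

    def stream(self, flow):
        data, expected = bytearray(), None
        for seq in sorted(self.flows[flow]):
            chunk = self.flows[flow][seq]
            if expected is not None and seq < expected:    # overlap/retransmit
                chunk = chunk[expected - seq:]              # keep only new bytes
            elif expected is not None and seq > expected:  # hole in the stream
                break                                       # stop at the gap
            data += chunk
            expected = seq + len(self.flows[flow][seq])
        return bytes(data)

    def match_flow(self, flow):
        s = self.stream(flow)
        return [name for pat, name in RULES.items() if pat in s]

# Constructed sample: a GET request whose path is split across two segments
# that arrive out of order; neither packet alone contains the pattern.
FLOW = ("10.0.0.5", 40001, "10.0.0.9", 80)
SEGMENTS = [
    (FLOW, 1010, b"asswd HTTP/1.0\r\n\r\n"),   # second half arrives first
    (FLOW, 1000, b"GET /etc/p"),               # 10 bytes, seq 1000..1009
]

def run_both_stages(segments):
    """Return (per-packet alerts, reassembled-stream alerts) for the segments."""
    per_packet = [a for _, _, p in segments for a in match_packet(p)]
    r = StreamReassembler()
    for flow, seq, payload in segments:
        r.add(flow, seq, payload)
    reassembled = [a for flow in r.flows for a in r.match_flow(flow)]
    return per_packet, reassembled

if __name__ == "__main__":
    print(run_both_stages(SEGMENTS))
```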
Keywords: IDS, Data Mining, Snort, Attack-Tracing, rules detection