Feature-based Intrusion Detection System

Posted on: 2012-08-03
Degree: Master
Type: Thesis
Country: China
Candidate: S Yan
Full Text: PDF
GTID: 2178330332499549
Subject: Software engineering

Abstract/Summary:
With the spread of the Internet and the development of network technology, networks have penetrated every aspect of society and daily life and have brought great convenience. At the same time, network intrusion techniques have become widespread and security problems have grown more and more serious. To keep the Internet operating safely, stably and efficiently, relying solely on traditional firewall technology is increasingly unable to meet the demand for solving all kinds of network security problems, and intrusion detection technology was born to fill that gap. Intrusion detection captures, analyzes and judges system behavior or network data according to certain rules, and then determines whether the current system has been intruded upon. According to the object being protected, intrusion detection can be divided into host-based intrusion detection systems and network-based intrusion detection systems. A host-based intrusion detection system monitors the network data and behavior of the protected host, such as the packets the host receives, the host system log and the audit log, and judges according to the related rules whether the host has been intruded upon. A network-based intrusion detection system captures and analyzes the network data of the protected system and judges, according to related rules such as packet features and data-flow characteristics, whether the current network has been intruded upon. An intrusion detection system can identify and respond to behavior that threatens computer resources. As an active network security protection measure, it is effective in the early, middle and late stages of intrusion activity.

In this thesis, a review of network intrusion detection research is first given, the disadvantages of the main network intrusion detection systems are analyzed, and development trends are predicted. After summarizing the concept and general architecture of network intrusion detection systems, the workflow of our system is presented. An intrusion detection system was then designed and implemented. The system integrates a rule-matching intrusion detection subsystem, a malicious network behavior analysis subsystem and a collaborative analysis subsystem. Using application-layer packet reassembly and analysis, rootkit filtering and other detection and driver technologies, it realizes feature-based, behavior-based and semantics-associated detection methods in several modes, and uses an interchange mechanism for network security events to reach a comprehensive judgment of maliciousness.

The rule-matching intrusion detection subsystem monitors packet features and the characteristics of network traffic flow and submits its detection results, such as suspicious links, to drive the interactive system. The malicious network behavior analysis subsystem browses the web pages in question and analyzes in depth the various operations that visiting the website produces on the host, capturing operations such as modification of the registry or files, and assigns each behavior a threat index. The collaborative analysis subsystem summarizes and analyzes the results of each subsystem and, based on weighted evaluation criteria, gives the final decision. By analyzing the subsystem results together with the network topology, it locates the affected hosts within the network and traces the source of the malicious network behavior.

The experimental results show that the system improves the ability to judge network security incidents and lowers the false positive and false negative rates. The system can not only detect attacks, but also track the impact of a network security incident on hosts and the spread of network attacks.
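The weighted fusion of the three subsystems described above, as an added illustration that is not code from the thesis: a rule-matching stage scores packet features, a behavior stage turns observed host operations into a threat index, and a collaborative stage combines both with per-subsystem weights. All signatures, threat indices, weights and sample events are constructed for this example.

```python
"""Toy model of the rule-matching / behavior-analysis / collaborative
decision pipeline. Signatures, weights and events are constructed."""
from dataclasses import dataclass


@dataclass
class Packet:
    dst_port: int
    payload: bytes


# Rule-matching subsystem: (name, predicate on packet features, severity).
# Constructed signatures; a real rule set would be far larger.
RULES = [
    ("http-cmd-exec", lambda p: p.dst_port == 80 and b"cmd.exe" in p.payload, 0.8),
    ("long-payload", lambda p: len(p.payload) > 1400, 0.3),
]

# Behavior-analysis subsystem: constructed threat index per host operation type.
BEHAVIOR_WEIGHTS = {"registry_modify": 0.6, "file_write_system": 0.7, "file_write_temp": 0.1}


def rule_subsystem(packets):
    """Return (score, matched_rule_names); the score is the highest severity hit."""
    hits = [(name, sev) for p in packets for name, pred, sev in RULES if pred(p)]
    score = max((sev for _, sev in hits), default=0.0)
    return score, sorted({name for name, _ in hits})


def behavior_subsystem(operations):
    """Threat index for the operations a visited page caused on the host.
    Combined as 1 - prod(1 - w_i), so several weak signals add up but the
    index never exceeds 1."""
    benign = 1.0
    for op in operations:
        benign *= 1.0 - BEHAVIOR_WEIGHTS.get(op, 0.0)
    return round(1.0 - benign, 3)


def collaborative_decision(packets, operations, w_rule=0.4, w_behavior=0.6, threshold=0.5):
    """Collaborative analysis: weight each subsystem's result and decide.
    A lone weak rule hit with no suspicious host behaviour stays below the
    threshold, which is how the fusion cuts false positives."""
    rule_score, rules = rule_subsystem(packets)
    behavior_score = behavior_subsystem(operations)
    combined = round(w_rule * rule_score + w_behavior * behavior_score, 3)
    return {"rule": rule_score, "behavior": behavior_score, "combined": combined,
            "malicious": combined >= threshold, "matched_rules": rules}


if __name__ == "__main__":
    print(collaborative_decision([Packet(80, b"GET /x?c=cmd.exe")],
                                 ["registry_modify", "file_write_system"]))
```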
Keywords/Search Tags: Intrusion detection, Malicious network behavior analysis, Collaborative analysis, Rule-matching, Localization and Tracing