
Research And Realization Of An Intrusion Detection System Based On Application-level Protocol

Posted on: 2007-10-06    Degree: Master    Type: Thesis
Country: China    Candidate: X G Gu    Full Text: PDF
GTID: 2178360182460901    Subject: Computer application technology
Abstract/Summary:
With the rapid development of computers and networks, as more and more companies and users use the Internet, more and more people have focused on network security. IDS (Intrusion Detection System) is a new type of security protection technology following traditional protection methods such as firewalls and data encryption, and it is widely deployed. Because of the constant expansion of network scale and increasingly complex network applications, intrusion detection faces the challenge of increasing running speed and improving detection results. Traditional network intrusion detection systems only detect intrusions according to packet features at or below the transport layer, so several problems exist: they are easy to evade, produce many false positives, and have low efficiency. Current research indicates that distributed technology can afford greater detection capability. Accordingly, the model this paper presents is an intrusion detection subsystem for application-level protocols within a distributed architecture.
In order to address intrusion detection based on application-level protocols, this paper proposes a rule building aid system based on sequential mining and a new framework for a sequential detection model (SIDS). The aid system applies an effective mining-based algorithm, PrefixSpan, to retrieve frequent sequential patterns, and can assist security experts in encoding sequential rules efficiently. The detection model combines the advantages of Snort and STAT. Its application-level protocol analyzer preprocesses network traffic on both the syntactic and semantic side to produce network events. To decrease false positives, SIDS takes datagrams, system status and user information as input when making its decision. Several methods are applied in the model to increase detection speed effectively, e.g.:
a) pruning the rule set to be checked by a privilege mechanism; b) narrowing down the candidate sequence rules through a 3-level index; c) executing each checking subroutine only once, etc.
Finally, two experiments are done to evaluate it on the test data provided by MIT Lincoln Lab. The results show these approaches can greatly improve the detection performance of SIDS.
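As an added illustration of the two mechanisms the abstract names (PrefixSpan mining of frequent event sequences to help an expert draft sequential rules, and STAT-style state-machine matching of such a rule against a stream of application-level events), the following Python is example code written for this page, not code from the thesis. The FTP-like event names, the session data, the support threshold and the function names are constructed assumptions; the thesis's own rule format and indexes are not reproduced here.

```python
from collections import Counter

# Constructed sample input (an assumption, not the thesis's MIT Lincoln Lab data):
# each session is the ordered list of application-level events the protocol
# analyzer would emit for one connection.
SESSIONS = [
    ["USER", "PASS_FAIL", "PASS_FAIL", "PASS_FAIL", "QUIT"],
    ["USER", "PASS_FAIL", "PASS_FAIL", "PASS_FAIL", "PASS_OK", "RETR"],
    ["USER", "PASS_OK", "LIST", "RETR", "QUIT"],
    ["USER", "PASS_FAIL", "PASS_FAIL", "PASS_FAIL", "PASS_FAIL", "QUIT"],
    ["USER", "PASS_OK", "RETR", "QUIT"],
]


def prefixspan(sequences, min_support):
    """Mine all sequential patterns (tuples of events) whose support, i.e. the
    number of sequences containing the pattern as a subsequence, is at least
    min_support. Returns {pattern: support}.

    PrefixSpan grows a pattern one event at a time and recurses on the
    projected database: for every sequence, the suffix after the first
    occurrence of the event just appended."""
    patterns = {}

    def mine(prefix, projected):
        # Count each event once per suffix, so the count is a sequence count.
        counts = Counter()
        for suffix in projected:
            counts.update(set(suffix))
        for event, support in counts.items():
            if support < min_support:
                continue          # infrequent: no longer pattern can be frequent either
            grown = prefix + (event,)
            patterns[grown] = support
            new_projected = []
            for suffix in projected:
                if event in suffix:
                    rest = suffix[suffix.index(event) + 1:]
                    if rest:
                        new_projected.append(rest)
            mine(grown, new_projected)

    mine((), [list(s) for s in sequences])
    return patterns


def rule_candidates(patterns, min_length=3):
    """Rank mined patterns so an analyst sees the longest, best-supported
    sequences first; trivial one- and two-event patterns are dropped."""
    ranked = [(p, s) for p, s in patterns.items() if len(p) >= min_length]
    ranked.sort(key=lambda ps: (-ps[1], -len(ps[0]), ps[0]))
    return ranked


def match_rule(pattern, events):
    """STAT-style matcher: one state per rule position, advanced when the
    next event matches. Returns the index of the event that completes the
    pattern (the point at which an alert would be raised), or None."""
    state = 0
    for i, event in enumerate(events):
        if event == pattern[state]:
            state += 1
            if state == len(pattern):
                return i
    return None


if __name__ == "__main__":
    mined = prefixspan(SESSIONS, min_support=3)
    for pattern, support in rule_candidates(mined):
        print(support, " -> ".join(pattern))
    rule = ("PASS_FAIL", "PASS_FAIL", "PASS_FAIL")
    for n, session in enumerate(SESSIONS):
        hit = match_rule(rule, session)
        print(f"session {n}: {'alert at event ' + str(hit) if hit is not None else 'no match'}")
```

With the constructed sessions and a support threshold of 3, the mining step surfaces the repeated PASS_FAIL sequence as a candidate worth encoding as a rule, while the single four-failure session is too rare to appear; the matcher then fires on the third failed password in the sessions that contain it and stays silent on the clean ones.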
Keywords/Search Tags: IDS, Sequential Detection Model, Rule Building Aid System, Sequential Mining