
Further Analysis Method Based On System Call Anomaly Detection

Posted on: 2006-06-10
Degree: Master
Type: Thesis
Country: China
Candidate: Y Wang
Full Text: PDF
GTID: 2178360182469851
Subject: Communication and Information System
Abstract/Summary:
With the rapid development of the Internet, computer networks have come to play an increasingly important role in society, the economy, culture and people's daily lives. Under these circumstances, people have become aware of the importance of network security, and many network security technologies have been invented as a result. Among them, intrusion detection has grown to be the core of network security infrastructure. However, despite the high expectations placed on it, as this technology has gradually matured, the real functions it should cover and the directions it will follow have become clearer. First, intrusion detection research should focus on detecting unknown attacks; second, an intrusion detection system should act as an aggregation point for the data produced by all kinds of network devices and network security devices, enhancing analytic ability, reducing redundant data and discovering relationships between data. Under the current state of the technology, however, the first requirement somewhat contradicts the second: current methods of discovering relationships between data rely on knowledge of the preconditions and outcomes of attacks, which current methods of detecting unknown attacks cannot provide.

This paper tries to alleviate the contradiction between these two requirements. Its main work includes the following:

1) The paper analyzes in depth the principles of several popular system-call-based anomaly detection algorithms, discusses the innate advantages and disadvantages that follow from those principles, and compares their effectiveness under different working conditions. After careful analysis and comparison, the automaton-based anomaly detection algorithm is considered effective for intrusion detection and is selected as the basis for the following improvements.

2) To overcome the innate disadvantages of the automaton-based anomaly detection algorithm, the paper proposes several ways to improve its detection rate and its ability to detect DoS attacks, and to reduce its false positive and false negative rates.

3) Based on the characteristics of attacks and past research on attack taxonomies, the paper first proposes an attack taxonomy suited to intrusion detection research. Then, based on the detection results of the improved automaton anomaly detection algorithm and the principles of misuse detection, a further analytic process is proposed that ranks attacks by their importance and risk, makes current methods of discovering data relationships applicable to the detection results of anomaly detection algorithms, and allows the two main future directions of intrusion detection to cooperate with each other.

The research in this paper has definite theoretical and practical value in the field of intrusion detection and is a useful reference for designing intrusion detection systems.
Keywords/Search Tags: System Calls, Anomaly Detection, Misuse Detection, Correlation, Further Analytic Method