
Network Intrusion Detection System Based On Sequential Patterns

Posted on: 2007-01-08
Degree: Master
Type: Thesis
Country: China
Candidate: C C Li
Full Text: PDF
GTID: 2178360182496429
Subject: Computer system architecture
Abstract/Summary:
With the evolution of information technology, and especially the prevalence of Internet/Intranet technology, the security of more and more organizations' and individuals' computer systems and information resources is threatened. Information security has therefore become one of the most important tasks in the field of information technology. Building traditional intrusion detection models is an inefficient procedure, and the research cost is high. Data mining technology has particular advantages in acquiring unexpected knowledge, so intrusion detection based on data mining has become prevalent. In essence, network security is network information security. An intrusion is an unauthorized action, exceeding the actor's authority, that tries to destroy the secrecy, integrity or availability of network information. Intrusion detection is a proactive security technology: it collects and analyses data from the computer system and from some point in the network in order to discover whether actions violating the security policy, or attacks, have occurred. The combination of software and hardware used to detect intrusions is an intrusion detection system.

The increasing complexity of operating systems and the growing flow of network data result in a rapid increase of audit data. The key to implementing intrusion detection is to extract the typical patterns of system features and to describe program and user behaviour more precisely. Data mining extracts potential, previously unknown and useful information from large quantities of data, and expresses the knowledge of interest as concepts, rules and patterns; this new database technology can therefore be applied to intrusion detection systems.

This thesis gives a brief introduction to the origin and definition of data mining, then introduces the typical data mining techniques.
In chapter 4, the thesis discusses the general steps of data mining, describes the format of the data source in detail, and emphasises the AprioriAll and GSP algorithms for mining sequential patterns. Both algorithms are described in detail and their performance is analysed. Finally, in combination with the NIDS implemented, the thesis introduces axis attributes and an interest measure to improve the GSP algorithm. With axis attributes, the attributes of a network connection record are divided into axis attributes and assistant attributes; by mining on the axis attributes, the algorithm shortens the sequential patterns from which the maximal sequences and rules are computed, which reduces complexity and increases the precision of the generated rules. The interest measure lets the system ensure that the rules are applicable: it avoids the burden of the large number of insignificant rules that would otherwise be generated, reduces the rule set, lowers the system's false alarm rate, and improves its performance.

The thesis describes a structural model of the NIDS, introduces the functions of each module and the work flow of the system in detail, and explains how each module is implemented. The system consists of a data capture module, a protocol decoding module, a general detection module, a data mining module, an intelligent detection module, a statistics and analysis module, a response module, a database and a rule base. In the data capture module, the network adapter is put into promiscuous mode with WinPcap to capture network data at the data link layer via switches. In the protocol decoding module, the important fields of the packet headers are extracted to form network connection records, which are passed to the general detection module. The general detection module detects some simple attacks by matching static rules from the rule base.
The system also detects some well-known attacks by monitoring important ports on the device. There are two kinds of network data: sample data and network data captured in real time. Before the system runs, the intelligent detection module reads the sample data from the database, mines it, derives rules and writes them into the rule base. The system administrator decides when to mine the data and must choose a start time and an end time; the data mining module then reads the data falling between those times and applies the optimised GSP algorithm to it. The rules generated from the real-time data are matched against the rules generated from the sample data to detect anomalies, and if an anomaly is found the response module notifies the user or the system administrator. The statistics and analysis module computes statistics over, and analyses, the data in the database: protocols, services, network connections, IP addresses and network flow. The system and the algorithm have been tested in an experimental environment, and the results show that the optimised algorithm effectively reduces the number of rules, increases the practicability of the rules, and decreases the system overhead and false alarm rate.
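The mining and matching steps described above, as an added illustration that is not the thesis's own code: a level-wise GSP miner over connection records projected onto two assumed axis attributes (service and TCP flag; src_bytes stands in for an assistant attribute), with sample and real-time records constructed here and a baseline/live rule comparison that reports patterns frequent in live traffic but never mined from the sample data. The interest filter used (keep only multi-connection rules above minimum support) is an assumption, not the thesis's measure.

```python
AXIS = ("service", "flag")  # axis attributes; src_bytes is an assistant attribute and is ignored

def recs(src, *svc_flags):
    """Constructed connection records from one source host, given as (service, flag) pairs."""
    return [{"src": src, "service": s, "flag": f, "src_bytes": 100} for s, f in svc_flags]

# Constructed sample (baseline) and real-time (live) traffic, grouped per source host.
BASELINE = (recs("10.0.0.1", ("http", "SF"), ("dns", "SF"), ("http", "SF"))
            + recs("10.0.0.2", ("http", "SF"), ("http", "SF"), ("smtp", "SF"))
            + recs("10.0.0.3", ("dns", "SF"), ("http", "SF"), ("smtp", "SF"))
            + recs("10.0.0.4", ("http", "SF"), ("dns", "SF"), ("smtp", "SF")))
LIVE = (recs("10.0.0.5", ("http", "S0"), ("http", "S0"), ("http", "S0"))
        + recs("10.0.0.6", ("http", "S0"), ("http", "S0"), ("dns", "SF"))
        + recs("10.0.0.7", ("http", "SF"), ("dns", "SF"), ("smtp", "SF")))

def to_sequences(records, axis=AXIS):
    """Group records by source host, in arrival order, keeping only the axis attributes."""
    by_src = {}
    for r in records:
        by_src.setdefault(r["src"], []).append(tuple(r[a] for a in axis))
    return list(by_src.values())

def is_subsequence(pattern, seq):
    """GSP containment test: the pattern's items occur in seq in order, gaps allowed."""
    it = iter(seq)
    return all(any(item == x for x in it) for item in pattern)

def gsp(sequences, min_support):
    """Level-wise GSP; returns {pattern: support fraction} for every frequent sequence."""
    n = len(sequences)
    support = lambda c: sum(is_subsequence(c, s) for s in sequences) / n
    scored = {(i,): support((i,)) for i in {i for s in sequences for i in s}}
    frequent = {p: sp for p, sp in scored.items() if sp >= min_support}
    result = dict(frequent)
    while frequent:
        # join: p1 and p2 join when p1 without its first item equals p2 without its last
        cands = {p1 + (p2[-1],) for p1 in frequent for p2 in frequent if p1[1:] == p2[:-1]}
        # prune: every (k-1)-subsequence of a candidate must itself be frequent
        cands = {c for c in cands if all(c[:i] + c[i + 1:] in frequent for i in range(len(c)))}
        scored = {c: support(c) for c in cands}
        frequent = {c: sp for c, sp in scored.items() if sp >= min_support}
        result.update(frequent)
    return result

def anomalous_patterns(baseline_records, live_records, min_support=0.5):
    """Rules frequent in live traffic that baseline mining never produced are reported."""
    base = gsp(to_sequences(baseline_records), min_support)
    live = gsp(to_sequences(live_records), min_support)
    # interest filter (assumption): only multi-connection rules are worth alerting on
    return {p: sp for p, sp in live.items() if len(p) >= 2 and p not in base}
```

Calling `anomalous_patterns(BASELINE, LIVE)` on the constructed data reports the repeated half-open http connection pair as the only pattern absent from the baseline rules.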
Keywords/Search Tags: Sequential