
Research On Mixed Network Intrusion Detection Based On Data Mining

Posted on: 2007-05-10
Degree: Master
Type: Thesis
Country: China
Candidate: Y Liu
GTID: 2178360182986239
Subject: Management Science and Engineering

Abstract/Summary:
Intrusion detection, as an essential component of the information security assurance framework, addresses issues that traditional methods such as access control, identity authentication and firewalls cannot handle. However, current intrusion detection systems lack effectiveness, adaptability and extensibility, and in particular they become ineffective in the face of new kinds of attacks. To address these shortcomings, this thesis takes a data-centric view of IDS and builds an intrusion detection model by mining audit data.

After introducing the basics of intrusion detection, this thesis presents a mixed intrusion detection scheme based on data mining. It then designs the framework and algorithms of the scheme, which includes both anomaly detection and misuse detection. The scheme is able to detect known and unknown attacks based only on the features of the data, without any manual rules.

This thesis adopts an association rules algorithm, a frequent episodes algorithm and a classification algorithm to analyze network audit data and establish the intrusion detection model. To make the patterns generated by the association rules and frequent episodes algorithms more suitable for intrusion detection, this thesis uses key attributes and reference attributes to constrain the results, improving the mining effectiveness. In addition, we discuss using a clustering method to purify connection records and build an accurate normal model. In the classification algorithm, this thesis uses a multi-decision tree combination method in place of a single decision tree. Experiments on the intrusion detection data provided by DARPA show that the multi-decision tree combination method detects intrusions with a higher detection rate and a lower false alarm rate than the single decision tree method.
Keywords/Search Tags: intrusion detection, data mining, association rules, frequent episodes, classification, decision tree