
Alarm Data Analysis Of Snort IDS

Posted on: 2008-12-25
Degree: Master
Type: Thesis
Country: China
Candidate: Y Zhu
Full Text: PDF
GTID: 2178360212476291
Subject: Communication and Information System

Abstract/Summary:
The rapid growth of networks is evident to everyone. Alongside the wealth of information and the fast, convenient communication they provide, networks also introduce many security risks, which frequently result in large economic losses. Network security has therefore become steadily more important.

Protective measures for network security are varied and include firewalls, anti-virus software, system vulnerability analysis and so on. Each of these measures targets a particular class of system flaw, and although they do protect systems against intrusion, they also have shortcomings: a firewall, for example, can only block attacks that originate outside the perimeter it guards. These shortcomings gave rise to the concept of dynamic protection, whose model consists of Detection, Policy, Response and Protection. Under this model, intrusion detection technology was proposed as a way to realise dynamic protection of a system and to improve its real-time responsiveness.

At present, intrusion detection technology is still developing and many aspects of it are immature. One of its most serious problems has three parts: a high false-alarm rate; a volume of alarm data so large that the genuinely harmful attacks are hidden among it; and a heavy burden on the administrator who must review it. This problem severely limits the development of IDS. This thesis first studies the problem and finds that one of its causes is the lack of an effective analysis tool. It then introduces the Snort IDS and the alarm-data analysis tools currently used with it. Third, it introduces the theory of data mining and proposes the design of an alarm-data analysis system, in particular its data analysis module and its report module. The data analysis module applies partition analysis: it classifies alarm data by source IP address, destination IP address, attack type and attack timestamp, and ranks the resulting groups by the number of attacks in each.

The report module outputs the analysed data as reports, which makes the data easy to inspect. Fourth, the thesis describes how the system is implemented. Finally, it tests the system and draws conclusions from the test results.
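The grouping the analysis module performs can be shown concretely on Snort's own alert output. The following Python is an added example written for this page, not code from the thesis or from the Snort project: it parses lines in Snort's "alert_fast" format, groups them by source IP, destination IP, signature and one-minute time bucket, counts each group, and renders the counts as a short text report. The sample alert lines are constructed for the example (local-range SIDs 1000001 to 1000003 and RFC 1918 addresses), not captured traffic. It also lists signatures of Priority 1 that fired only once, since those are exactly the events that a flat count by volume buries under noisy, repetitive alerts.

```python
"""Group Snort alert_fast lines by source IP, destination IP, signature and
time bucket, count each group, and report the counts.
Added example for this page; the alert lines below are constructed."""
import re
from collections import Counter
from typing import Optional

# Field layout of a Snort "alert_fast" line (the only format this example reads):
#   MM/DD[/YY]-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src[:port] -> dst[:port]
# The Classification field and the ports (ICMP) are optional.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}(?:/\d{2,4})?-\d{2}:\d{2}:\d{2})\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample: one noisy web signature, two pings, one rare Priority-1 alert,
# and one junk line to show that non-alert input is skipped rather than crashing.
SAMPLE_ALERTS = """\
12/25-10:15:01.000123  [**] [1:1000001:1] LOCAL WEB /etc/passwd request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51234 -> 192.168.1.10:80
12/25-10:15:02.000456  [**] [1:1000001:1] LOCAL WEB /etc/passwd request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51235 -> 192.168.1.10:80
12/25-10:15:03.000789  [**] [1:1000001:1] LOCAL WEB /etc/passwd request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51236 -> 192.168.1.10:80
12/25-10:15:04.000001  [**] [1:1000001:1] LOCAL WEB /etc/passwd request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:51237 -> 192.168.1.10:80
12/25-10:16:10.000002  [**] [1:1000002:1] LOCAL ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 192.168.1.20
12/25-10:16:11.000003  [**] [1:1000002:1] LOCAL ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 192.168.1.21
12/25-10:17:30.000004  [**] [1:1000003:1] LOCAL WEB SQL injection attempt [**] [Priority: 1] {TCP} 10.0.0.5:51300 -> 192.168.1.10:80
this line is not an alert and must be skipped
"""


def parse_fast_alert(line: str) -> Optional[dict]:
    """Return the alert's fields as a dict, or None if the line is not a fast alert."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    d["prio"] = int(d["prio"])
    return d


def summarize(lines) -> dict:
    """Partition parsed alerts by source, destination, signature and minute, and count."""
    alerts = [a for a in map(parse_fast_alert, lines) if a is not None]
    unparsed = sum(1 for l in lines if l.strip() and parse_fast_alert(l) is None)
    per_sid = Counter(a["sid"] for a in alerts)
    return {
        "total": len(alerts),
        "unparsed": unparsed,
        "by_src": Counter(a["src"] for a in alerts),
        "by_dst": Counter(a["dst"] for a in alerts),
        "by_sig": Counter((a["sid"], a["msg"]) for a in alerts),
        "by_minute": Counter(a["ts"][:-3] for a in alerts),  # drop ":SS" -> minute bucket
        # Priority-1 signatures that fired once: high severity, low volume, easy to miss.
        "rare_high_priority": sorted({(a["sid"], a["msg"]) for a in alerts
                                      if a["prio"] == 1 and per_sid[a["sid"]] == 1}),
    }


def render_report(summary: dict, top: int = 5) -> str:
    """Render the counts as the kind of plain-text report an administrator reads."""
    out = [f"alerts parsed: {summary['total']}  (skipped {summary['unparsed']} non-alert lines)"]
    for title, key in (("top source IPs", "by_src"), ("top destination IPs", "by_dst"),
                       ("top signatures", "by_sig"), ("alerts per minute", "by_minute")):
        out.append(f"\n{title}:")
        out.extend(f"  {n:5d}  {k}" for k, n in summary[key].most_common(top))
    out.append("\nPriority-1 signatures seen only once (check these first):")
    out.extend(f"  sid {sid}: {msg}" for sid, msg in summary["rare_high_priority"])
    return "\n".join(out)


if __name__ == "__main__":
    print(render_report(summarize(SAMPLE_ALERTS.splitlines())))
```

Run against a real file with `summarize(open("alert").read().splitlines())`. Note that the same source host both generates the noisy web alerts and the single SQL injection alert; a report sorted purely by volume shows the host, but only the Priority-1 listing makes the one alert that matters stand out.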
Keywords/Search Tags: network security, intrusion detection, false alarm rate, data mining