As computer technology has advanced, network architectures have grown more complex and intrusion methods more diverse. Over the past several years, research on intrusion detection systems (IDS) has concentrated mainly on system architecture and on detection methods. Although progress has been continuous, several problems have been exposed that seriously affect IDS performance: alert storms, high rates of false positives and false negatives, and alerts that lack context. To address these problems, correlation analysis has been combined with intrusion detection to build a correlation-based intrusion detection system. Prerequisite-based correlation is one of the important correlation methods: it can discover the logical steps linking individual attacks and expose the attack strategy hidden behind the alerts. A prerequisite-based correlation IDS is therefore the focus of this paper. The main work is as follows.

First, a correlation-based false-negative detection algorithm is proposed. Considering the false-negative problem in existing correlation-based IDS, the types, prerequisites and consequences of attacks are analyzed, and a correlation rule is defined that can effectively detect attacks the IDS failed to report.

Second, an attack prediction algorithm is proposed. After alerts are merged, correlated and classified, the prerequisite relation and the succession relation between attacks are used to predict the next attack. The algorithm presents the intruder's intention and the trend of the intrusion, which helps to prevent the attack from occurring.

Third, a correlation-based intrusion detection system capable of attack prediction is designed. Since a whole attack sequence goes undetected when one of its steps is missed, the earlier system is improved by adding a false-negative correlated-detection module and an attack prediction module, so that the improved system avoids this problem.

Finally, the system model is implemented in C as an application of the research. Attack experiments are carried out by simulating intrusion incidents. By summarizing the capabilities of the various components and analyzing the system's shortcomings, we provide a direction for further research and useful experience for future work.
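The three steps the abstract describes (merging alerts, chaining them through prerequisite/consequence matching, inferring a missed step when a chain has a gap, and predicting the next step from the facts established so far) are illustrated below in Python. This is an added example, not the thesis's own C implementation; the attack knowledge base, predicate names, network addresses and alert stream are all constructed for the illustration, and the false-negative inference is deliberately limited to a single missed step.

```python
"""Prerequisite-based alert correlation (added illustration, not the
thesis's C code). Knowledge base, predicates and alerts are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Attack type -> (prerequisites, consequences). Predicates are templates over
# the alert's dst/port attributes; a type's prerequisites are a conjunction.
KNOWLEDGE: Dict[str, Tuple[Set[str], Set[str]]] = {
    "IcmpSweep":       (set(),                       {"HostAlive({dst})"}),
    "PortScan":        ({"HostAlive({dst})"},        {"ServiceUp({dst},{port})"}),
    "BufferOverflow":  ({"ServiceUp({dst},{port})"}, {"RootShell({dst})"}),
    "InstallBackdoor": ({"RootShell({dst})"},        {"Backdoor({dst})"}),
    "DdosLaunch":      ({"Backdoor({dst})"},         {"DdosAgent({dst})"}),
}

@dataclass(frozen=True)
class Alert:
    id: int
    time: int
    type: str
    dst: str
    port: str = "-"  # "-" when the attack is not service-specific

def instantiate(templates: Set[str], a: Alert) -> Set[str]:
    """Bind predicate templates to one alert's concrete attributes."""
    return {t.format(dst=a.dst, port=a.port) for t in templates}

def prereqs(a: Alert) -> Set[str]:
    return instantiate(KNOWLEDGE[a.type][0], a)

def consequences(a: Alert) -> Set[str]:
    return instantiate(KNOWLEDGE[a.type][1], a)

def merge_alerts(alerts: List[Alert]) -> List[Alert]:
    """Merging step: collapse repeated alerts of one type against one target."""
    seen, merged = set(), []
    for a in sorted(alerts, key=lambda a: a.time):
        key = (a.type, a.dst, a.port)
        if key not in seen:
            seen.add(key)
            merged.append(a)
    return merged

def correlate(alerts: List[Alert]) -> Set[Tuple[int, int]]:
    """Edge (i, j): an earlier alert i supplies a prerequisite of later alert j."""
    edges = set()
    for later in alerts:
        need = prereqs(later)
        for earlier in alerts:
            if earlier.time < later.time and consequences(earlier) & need:
                edges.add((earlier.id, later.id))
    return edges

def find_missed(alerts: List[Alert]) -> List[Alert]:
    """Single-step false-negative inference: when an alert's prerequisites are
    not covered by earlier alerts, hypothesize the attack type whose consequences
    cover the gap and whose own prerequisites already hold (negative ids)."""
    missed, next_id = [], -1
    for later in sorted(alerts, key=lambda a: a.time):
        facts = set().union(*[consequences(e) for e in alerts if e.time < later.time])
        gap = prereqs(later) - facts
        if not gap:
            continue
        for typ in KNOWLEDGE:
            hyp = Alert(next_id, later.time - 1, typ, later.dst, later.port)
            if gap <= consequences(hyp) and prereqs(hyp) <= facts:
                missed.append(hyp)
                next_id -= 1
                break
    return missed

def predict_next(alerts: List[Alert]) -> Set[Tuple[str, str]]:
    """Types whose prerequisites now hold for a target but were not yet seen there."""
    facts = set().union(*[consequences(a) for a in alerts])
    seen = {(a.type, a.dst) for a in alerts}
    predicted = set()
    for dst, port in {(a.dst, a.port) for a in alerts}:
        for typ, (pre, _) in KNOWLEDGE.items():
            probe = Alert(0, 0, typ, dst, port)
            if pre and prereqs(probe) <= facts and (typ, dst) not in seen:
                predicted.add((typ, dst))
    return predicted

def analyze(raw: List[Alert]) -> dict:
    alerts = merge_alerts(raw)
    missed = find_missed(alerts)
    full = alerts + missed
    return {"merged": alerts, "missed": missed,
            "edges": correlate(full), "predicted": predict_next(full)}

# Constructed alert stream: the sensor never reported the BufferOverflow
# against 10.0.0.5 nor the IcmpSweep against 10.0.0.9.
SAMPLE = [
    Alert(1, 1, "IcmpSweep", "10.0.0.5"),
    Alert(2, 2, "PortScan", "10.0.0.5", "80"),
    Alert(5, 2, "PortScan", "10.0.0.5", "80"),   # duplicate, merged away
    Alert(3, 3, "PortScan", "10.0.0.9", "22"),
    Alert(4, 4, "InstallBackdoor", "10.0.0.5", "80"),
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

On the sample stream, plain correlation links only the sweep to the first port scan; the InstallBackdoor alert is left dangling because the root-shell prerequisite was never reported. The inference step hypothesizes the missing BufferOverflow (and a missing sweep of the second host), which closes the chains, and the prediction step then names DdosLaunch against 10.0.0.5 and BufferOverflow against 10.0.0.9 as the likely next steps.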