
A Method Of Anomaly Detection For Specific Network Service

Posted on: 2007-05-03
Degree: Master
Type: Thesis
Country: China
Candidate: H C Ren
Full Text: PDF
GTID: 2178360212965597
Subject: Computer software and theory
Abstract/Summary:
The constant increase in attacks against networks and their resources makes it necessary to protect these valuable assets. Intrusion detection systems (IDS) have attracted much attention as an important component of the defense system. Current IDS have many disadvantages, such as false negatives, false positives, and a lack of additional detection methods. Furthermore, most misuse IDS cannot detect unknown (zero-day) attacks. From the study of network attack categories, we find that U2R (User-to-Root) and R2L (Remote-to-Local) attacks differ from DoS and S/P attacks in their features, so they are not treated in the same manner.

To address the problems described above, we present a model of anomaly detection for a specific network service. This scheme is based on the previous IDS research in our laboratory. It is primarily used to detect U2R and R2L attacks and to make up, to a moderate extent, for the shortcomings of misuse NIDS. The model takes the application payload into account. The type, length, and payload distribution of the service request are analysed using statistical and n-gram methods. Based on protocol parsing, an Anomaly Intrusion Detection System for DNS is designed and implemented. In the course of this work, the setting of the threshold and the updating of the model are discussed. Finally, the anomaly analysis engine is integrated into the misuse NIDS as a plugin. Testing shows that the Anomaly Intrusion Detection System for DNS presented in this paper can detect U2R and R2L attacks against DNS.
Keywords/Search Tags:Network Security, Anomaly Intrusion Detection, Application Payload