
Research On Intrusion Detection Technique Based On Protocol Analysis Tree

Posted on: 2007-02-05
Degree: Master
Type: Thesis
Country: China
Candidate: J L Ren
Full Text: PDF
GTID: 2178360212995424
Subject: Computer application technology
Abstract/Summary:
Most misuse-based NIDS (Network Intrusion Detection Systems) currently rely on pattern matching and, where they perform protocol analysis at all, analyse only the lowest layers of the TCP/IP stack; the higher-layer protocols are still not analysed. As a result, too many rules have to be matched against every captured packet, which degrades the performance of the NIDS. In order to make packet detection more efficient, lay a foundation for lowering the false positive and false negative rates, and improve the capability of the NIDS, this thesis proposes an approach for studying and improving intrusion detection based on protocol analysis.

First, after studying the conditions under which the various decision tree algorithms apply, the information gain criterion is used to classify the protocol description files, and a protocol analysis tree is built to optimise the set of intrusion detection rules. Because the tree narrows the range of rules that must be matched, the time needed to detect an attack is cut markedly. At the same time, the implementation of application layer protocol analysis reduces the false positive and false negative rates and improves the capability of the NIDS.

Second, the TCP/IP protocol suite, and in particular each of the application layer protocols, is studied, and the intrusion description characteristics of many NIDS from China and other countries are analysed; on that basis a method for describing protocol characteristics is designed and implemented. In this method BNF syntax is used to define one or more protocol description files for each protocol of TCP/IP, and these files describe the characteristics of each protocol adequately.

Finally, an improved IDS that uses a decision tree to implement protocol analysis is built on the well-known NIDS Snort. Three tests are then run to compare its detection time with that of other research in the same environment. The results show that detection with the new method designed in this thesis is clearly more efficient.
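The core idea of the abstract, a decision tree over decoded protocol fields that sends each packet to a small leaf of candidate rules instead of matching it against the whole rule set, is illustrated below with an added Python example. It is not code from the thesis or from Snort: the rule format, the field names (`proto`, `dport`, `app`), the rule set and the packets are all constructed here, and the information gain computation uses a simplification in which every rule is its own class, so the gain of a field measures how finely that field partitions the rules. The example also reports how many rules were actually tested so the reduction in matching work can be compared with a linear scan.

```python
import math
from collections import defaultdict

# Constructed rule set (not taken from the thesis or from any real ruleset).
# Each rule constrains decoded header fields and carries a payload pattern.
RULES = [
    {"id": 1, "proto": "tcp", "dport": 80,  "app": "http", "content": "../.."},
    {"id": 2, "proto": "tcp", "dport": 80,  "app": "http", "content": "cmd.exe"},
    {"id": 3, "proto": "tcp", "dport": 21,  "app": "ftp",  "content": "SITE EXEC"},
    {"id": 4, "proto": "tcp", "dport": 25,  "app": "smtp", "content": "VRFY"},
    {"id": 5, "proto": "udp", "dport": 53,  "app": "dns",  "content": "version.bind"},
    {"id": 6, "proto": "tcp", "dport": 80,  "app": "http", "content": "<script"},
    {"id": 7, "proto": "udp", "dport": 161, "app": "snmp", "content": "public"},
    {"id": 8, "proto": "tcp", "dport": 53,  "app": "dns",  "content": "AXFR"},
]
# Fields the tree may split on, in the order they are decoded from a packet.
FIELDS = ["proto", "dport", "app"]


def entropy(rules):
    # Simplification (assumed here): each rule is its own class, so a set of n
    # rules has entropy log2(n); a single rule or empty set has entropy 0.
    n = len(rules)
    return math.log2(n) if n > 1 else 0.0


def group_by(rules, field):
    groups = defaultdict(list)
    for r in rules:
        groups[r[field]].append(r)
    return groups


def information_gain(rules, field):
    # Gain = H(S) - sum over values v of |S_v|/|S| * H(S_v)
    groups = group_by(rules, field)
    remainder = sum(len(g) / len(rules) * entropy(g) for g in groups.values())
    return entropy(rules) - remainder


def build_tree(rules, fields):
    """Return ('leaf', rules) or ('node', field, {value: subtree}).

    At each node the field with the highest information gain is chosen, so
    the rules are split as finely as possible as early as possible.
    """
    if len(rules) <= 1 or not fields:
        return ("leaf", rules)
    # round() makes the tie-break deterministic: first field in FIELDS wins
    best = max(fields, key=lambda f: round(information_gain(rules, f), 9))
    if information_gain(rules, best) <= 0.0:
        return ("leaf", rules)       # no field separates these rules further
    remaining = [f for f in fields if f != best]
    children = {v: build_tree(g, remaining) for v, g in group_by(rules, best).items()}
    return ("node", best, children)


def candidate_rules(tree, packet):
    """Walk the tree with the packet's decoded fields; return the leaf's rules."""
    while tree[0] == "node":
        _, field, children = tree
        child = children.get(packet[field])
        if child is None:
            return []                # no rule constrains this value combination
        tree = child
    return tree[1]


def match(rules, packet):
    """Plain substring matching of each candidate rule's content pattern."""
    return sorted(r["id"] for r in rules if r["content"] in packet["payload"])


def detect(tree, packet):
    """Tree-guided detection: (matched rule ids, number of rules tested)."""
    cands = candidate_rules(tree, packet)
    return match(cands, packet), len(cands)


def linear_detect(packet):
    """Baseline without the tree: every rule is tested against every packet."""
    return match(RULES, packet), len(RULES)


TREE = build_tree(RULES, FIELDS)

if __name__ == "__main__":
    # Constructed packet: an HTTP request that trips rules 1 and 2.
    pkt = {"proto": "tcp", "dport": 80, "app": "http",
           "payload": "GET /cgi-bin/../../cmd.exe HTTP/1.0"}
    print("root split on:", TREE[1])
    print("tree  :", detect(TREE, pkt))      # ([1, 2], 3)
    print("linear:", linear_detect(pkt))     # ([1, 2], 8)
```

On this rule set the root splits on `dport` (it and `app` partition the rules most finely; `dport` wins the tie by field order), and the two port-53 rules are then separated by `proto`. An HTTP packet is therefore tested against only the three HTTP rules rather than all eight, with the same detections, and a packet whose field combination no rule constrains is tested against nothing at all. In a real system the content matching at the leaf would be a multi-pattern matcher and the tree would be driven by a decoder for each application layer protocol, which is where the protocol description files the abstract mentions come in.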
Keywords/Search Tags: Intrusion Detection, Misuse-based Intrusion Detection, Protocol Analysis, Decision Tree, Rule