
Study For Intrusion Detection Technology Based On Data Mining

Posted on: 2007-10-12
Degree: Master
Type: Thesis
Country: China
Candidate: X W Lan
Full Text: PDF
GTID: 2178360212999236
Subject: Computer application technology
Abstract/Summary:
With the increasing complexity and diversification of network attacks, relying solely on static defensive systems such as firewalls is hardly adequate to safeguard computer systems. As a proactive security technology, an IDS (Intrusion Detection System) can compensate for the shortcomings of traditional security defense systems. Challenged by ever-increasing network traffic and attack methods, however, traditional IDS exhibit a number of disadvantages, such as the inability to detect new forms of attack. This paper explores the application of DM (Data Mining) technology to IDS, which has become a research focus in recent years. DM helps an IDS discover hidden intrusion traces in collected computer and network records and recognize intrusion patterns, resulting in a considerably reduced manual workload and an increased detection rate.

The major work is summarized as follows:

1. The classification of recent IDS models, the development of IDS, the current problems IDS face, and a brief introduction to DM.

2. Detection of abnormal system call sequences. A Markov model of system call sequences for intrusion detection is built. Targeting the real-time responsiveness of anomaly detection, an effective computing model is built to determine the magnitude of the abnormality over a long system call sequence. Experiments compare the detection ability of one-step and multi-step Markov chain models.

3. A novel cluster-based detection algorithm, QNI, is proposed to deal with mixed data sets. The principle and methodology for classifying normal and abnormal modes are given as well. Tests show that the performance of the algorithm is acceptable. A detailed analysis of applying clustering algorithms to IDS is also provided.

4. Finally, CR, a comprehensive detection model, is proposed. CR combines the analysis of system call sequences and network data packets, and is expected to greatly enhance the accuracy of intrusion detection.
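As an added illustration of the Markov-chain approach in item 2 (example code written for this page, not the thesis's own implementation): a k-step Markov model is trained on constructed normal traces, a long trace is scored window by window as the mean negative log transition probability, and the alarm threshold is calibrated on the training traces. The call names, traces and smoothing constant are assumptions; the point of the one-step versus multi-step comparison is shown by a trace whose individual transitions are all normal but whose two-step context is unseen.

```python
"""Order-k Markov chain anomaly detector over system-call traces."""
from collections import Counter, defaultdict
from math import log

# Constructed training traces standing in for a normal-behaviour profile
# (hypothetical data, not the thesis's data set).
NORMAL_TRACES = [
    ["open", "read", "close"],
    ["open", "write", "close"],
    ["stat", "read", "write", "close"],
    ["open", "read", "read", "close"],
]


class MarkovCallModel:
    """k-step Markov chain: P(next call | previous k calls), Laplace-smoothed."""

    def __init__(self, order=1, alpha=0.01):
        self.order = order
        self.alpha = alpha                  # small mass for never-seen transitions
        self.counts = defaultdict(Counter)  # context tuple -> Counter of next calls
        self.vocab = set()

    def fit(self, traces):
        for t in traces:
            self.vocab.update(t)
            for i in range(self.order, len(t)):
                self.counts[tuple(t[i - self.order:i])][t[i]] += 1
        return self

    def transition_prob(self, context, call):
        row = self.counts.get(context, Counter())
        return (row[call] + self.alpha) / (sum(row.values()) + self.alpha * len(self.vocab))

    def window_scores(self, trace, window=3):
        """Anomaly magnitude per sliding window: mean -log P of its transitions,
        so a long trace yields a stream of scores rather than one global number."""
        costs = [-log(self.transition_prob(tuple(trace[i - self.order:i]), trace[i]))
                 for i in range(self.order, len(trace))]
        chunks = [costs[i:i + window] for i in range(max(1, len(costs) - window + 1))]
        return [sum(c) / len(c) for c in chunks if c]


def calibrate(model, traces):
    """Threshold = highest window score the normal traces themselves produce."""
    return max(max(model.window_scores(t), default=0.0) for t in traces)


def detect(model, trace, threshold):
    """Return (window index, score) for every window scoring above the threshold."""
    return [(i, s) for i, s in enumerate(model.window_scores(trace)) if s > threshold]


if __name__ == "__main__":
    # Every single step here is normal; only the two-step context (open, read) -> write is unseen.
    subtle = ["open", "read", "write", "close"]
    for k in (1, 2):
        m = MarkovCallModel(order=k).fit(NORMAL_TRACES)
        print(f"order {k}: hits = {detect(m, subtle, calibrate(m, NORMAL_TRACES))}")
```

The one-step model stays silent on the subtle trace while the two-step model flags it; a trace containing calls never seen in training is flagged by both.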
Keywords/Search Tags: IDS, system call sequence, Markov chain, data mining, clustering