
Research On Snort Intrusion Detection System Based On Data Mining

Posted on: 2009-07-29
Degree: Master
Type: Thesis
Country: China
Candidate: F F Liu
Full Text: PDF
GTID: 2178360242477082
Subject: Communication and Information System
Abstract/Summary:
Intrusion detection is one of the main research directions in network security. However, most practical intrusion detection systems identify attacks by matching against a database of known attacks. These pattern-matching methods perform well when detecting known attacks, but they do not work well when detecting unknown attacks or variations of known attacks.

This paper includes three parts. First, it introduces intrusion detection and data mining techniques, then analyzes the Snort NIDS in depth, especially its modules and plug-ins, which provides the theoretical foundation for a new Snort NIDS. Second, it analyzes the Apriori algorithm and the K-Means algorithm, then modifies the two algorithms based on that analysis and the requirements of the new system. Third, it builds a new Snort NIDS based on data mining, which integrates the improved Apriori and K-Means algorithms into Snort plug-ins. The clustering analysis module plug-in and the pre-detection engine plug-in are based on the improved K-Means algorithm, and the feature attaining module plug-in is based on the improved Apriori algorithm. Experimental results show that the new system improved not only detection efficiency but also the ability to detect unknown attacks.
Keywords/Search Tags: Intrusion Detection, Snort, Apriori Algorithm, K-Means Algorithm