
Research And Design On Intelligent Network Intrusion Detection System

Posted on: 2008-12-16
Degree: Master
Type: Thesis
Country: China
Candidate: H Li
Full Text: PDF
GTID: 2178360242978848
Subject: Systems Engineering

Abstract/Summary:
An Intrusion Detection System (IDS) is a type of proactive security system that integrates many theories and methods, and research on intrusion detection has both theoretical and practical significance. By data source, intrusion detection systems are classified as network-based or host-based; this thesis studies network intrusion detection systems.

Problems in existing intrusion detection systems: because intrusion methods are increasing and changing rapidly, traditional misuse detection has difficulty detecting them, while anomaly detection sometimes has a high false positive rate. At the same time, as network bandwidth grows to 1000M, existing network intrusion detection systems (for example, Snort) running on x86 platforms already lose large numbers of packets on a 100M network, and even when running on a high-speed platform such as an NP (Network Processor) they can hardly sustain the full load of intrusion detection on a 1000M network.

After broad and thorough research on existing intrusion detection theories, methods, system architectures and implementations, this thesis improves and integrates the methods of protocol analysis, pattern matching and artificial immunity to design an Intelligent Network Intrusion Detection System based on Snort2, with innovations in three key modules:

In the improved protocol analysis preprocessor module, the thesis introduces an improved IP fragment reassembly algorithm, an improved TCP stream reassembly algorithm and improved application-layer protocol analysis, and integrates the niching genetic algorithm with the C4.5 decision tree to optimize the protocol analysis preprocessor.

In the improved pattern matching detection engine, the thesis improves the pattern matching algorithms and turns them into dynamic algorithms. Then, based on pattern length, it treats each pattern's matching time as a path length and introduces the niching genetic algorithm into a randomized Dijkstra shortest-path algorithm to partition the pattern set optimally and select the most suitable pattern matching algorithm for each partition, yielding an intelligent integrated dynamic pattern matching algorithm.

In the improved artificial immune detection engine, the thesis adopts a phenotype/genotype chromosome encoding mechanism based on fuzzy logic, then introduces a heuristic-mutation deterministic crowding niching genetic algorithm to optimize the basic immune algorithm and reduce its computational complexity. This reduces the number of detectors while enhancing detection ability, and markedly reduces the time required to generate detectors.

Unit tests showed that the performance of the algorithms in each module of this Intelligent Network Intrusion Detection System is improved. System tests showed that the ROC curve and load capacity of this system are better than those of Snort2. The system also has anomaly detection ability: it can detect unknown intrusions and perform self-adaptive learning, whereas Snort2, as a pure misuse detection system, has no anomaly detection ability. Running on x86 platforms, this system has a packet loss rate up to 15% lower than Snort2 when detecting intrusions on a 100M network with both performing the same pattern matching work. Running on a high-speed platform such as an NP, because the integrated matching algorithms and the artificial immune algorithm in this system have better parallel computing ability than the single matching algorithm in Snort2, this system adapts better to the parallel processing of the NP's microengines. Furthermore, because of the immune diversity mechanism of the immune detectors, the artificial immune algorithm in this system has good distributed performance.

Therefore, the Intelligent Network Intrusion Detection System in this thesis should also perform better than the current Snort 2.x running on an NP in future 1000M distributed network intrusion detection.
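The abstract contrasts a pure misuse detector (signature matching, as in Snort2) with an artificial immune detection engine that can flag unknown intrusions. As an added illustration of the basic immune mechanism the thesis builds on, the following is a standard negative-selection detector generator with r-contiguous-bit matching. It is not the thesis's optimized algorithm (no genetic optimization, no fuzzy chromosome encoding); the self set, the string length, the threshold R and the nonself samples are constructed for the example.

```python
"""Negative selection, the basic artificial-immune anomaly detector: generate
random detectors, discard any that match "self" (normal traffic), and flag a
sample as anomalous when any surviving detector matches it.  Added example;
not the thesis's own code.  Data and parameters below are constructed."""
import random

# Constructed "self" set: bit-strings standing in for feature vectors of
# normal traffic (e.g. quantised packet-length / flag fields).  Illustrative.
SELF_SET = [
    "00110011", "00110101", "00111001", "01010011",
    "00100011", "00110010", "01110011", "00110111",
]
STRING_LEN = 8
R = 4  # r-contiguous match threshold (assumption for this example)


def r_contiguous_match(a: str, b: str, r: int = R) -> bool:
    """True if a and b agree on at least r consecutive positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def generate_detectors(self_set, n_detectors, length=STRING_LEN, r=R,
                       seed=0, max_tries=100_000):
    """Negative selection: keep random candidates that match NO self string.

    The cost of this naive generation step (many candidates rejected) is the
    computational complexity the thesis reduces with its genetic algorithm.
    """
    rng = random.Random(seed)
    detectors = []
    tries = 0
    while len(detectors) < n_detectors and tries < max_tries:
        tries += 1
        cand = "".join(rng.choice("01") for _ in range(length))
        if not any(r_contiguous_match(cand, s, r) for s in self_set):
            detectors.append(cand)
    return detectors


def is_anomalous(sample: str, detectors, r: int = R) -> bool:
    """A sample is flagged when any detector matches it (no signature needed)."""
    return any(r_contiguous_match(sample, d, r) for d in detectors)


def evaluate(detectors, self_set, nonself_samples, r=R):
    """Return (false_positive_rate on self, detection_rate on nonself)."""
    fp = sum(is_anomalous(s, detectors, r) for s in self_set)
    tp = sum(is_anomalous(s, detectors, r) for s in nonself_samples)
    return fp / len(self_set), tp / len(nonself_samples)


if __name__ == "__main__":
    # Constructed nonself samples: feature vectors never seen as normal.
    NONSELF = ["11001100", "11111111", "10101010", "11100001"]
    for n in (5, 20, 50):
        dets = generate_detectors(SELF_SET, n, seed=1)
        fpr, dr = evaluate(dets, SELF_SET, NONSELF)
        print(f"{len(dets):3d} detectors: false-positive rate {fpr:.2f}, "
              f"detection rate {dr:.2f}")
```

By construction the false-positive rate on the self set is always zero; what changes with the number of detectors is coverage of the nonself space, which is the trade-off between detector count and detection ability that the abstract says the thesis's optimized algorithm improves.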
Keywords/Search Tags: Protocol Analysis, Pattern Matching, Artificial Immune