
Research On Network Intrusion Detection And Rules-Matching Methods

Posted on: 2009-06-26
Degree: Master
Type: Thesis
Country: China
Candidate: Y H Tian
Full Text: PDF
GTID: 2178360272476401
Subject: Software engineering

Abstract/Summary:
With the continuous development of computer network technology, networks play an ever larger role in daily life and work. At the same time, hacker activity at home and abroad is becoming more frequent, attacks are growing stronger and better concealed, and viruses, worms and Trojan horses wreak havoc across the Internet. Increasingly serious network security problems cause great inconvenience to people's work and study and have become a major obstacle to the development of networking. Traditional network security technologies such as firewalls, security routers and identity authentication systems cannot by themselves fully satisfy network security needs. In essence, network security is the security of information on the network; in the broad sense, every technique and theory concerned with the confidentiality, integrity, availability, authenticity and controllability of information on the network belongs to the field of network security research. Against this background, intrusion detection emerged as a form of active defence.

It has since become an important means of network security and a current research hot spot. In view of the poor adaptability and extensibility and the low efficiency of current intrusion detection systems, this thesis focuses on the application of data mining technology to intrusion detection and on the strengths, weaknesses and efficiency of various rule-matching algorithms. The main content of this thesis is as follows:

(1) A brief introduction to intrusion detection systems and data mining: the basic principles, classification and architecture of intrusion detection systems are described; the origin and definition of data mining technology are explained and the commonly used data mining techniques are presented. The feasibility and necessity of applying data mining to intrusion detection are then analysed, several possible ways of combining the two are explored and compared, and finally an intrusion detection system architecture is proposed. Operating systems are increasingly complex and network traffic is growing sharply, so audit data accumulates at an astonishing rate; extracting representative system feature patterns from massive audit data and describing program and user behaviour more precisely is the key to realising intrusion detection.

(2) Several commonly used rule-matching algorithms are studied, with a brief introduction to their underlying ideas, strengths and weaknesses, and range of application. For rule matching, the simplest method is linear (sequential) matching: starting from the first rule, each rule is tried in turn until one matches. This method takes little storage space and makes adding and deleting rules simple, but query time becomes too long for a large rule base. The algorithm stores the rules in the rule base using the most basic data structure, ordered by priority. When a packet arrives at the firewall, the useful fields are extracted from it and the source IP address is matched against the first field of the rule; depending on the form of the field, the match may be exact, a prefix match or a range match. If it succeeds, the destination IP address is matched next; if any of the five match fields fails to match, the algorithm jumps to the next rule and matches each of its fields in the same way. If the match is not successful, the rules in the rule base are compared in sequence until some rule matches on all five fields, and the processing action associated with the successfully matched rule is returned. A new rule-matching algorithm, BSLT, is then proposed, and its time and space complexity are analysed and compared with the basic algorithm.

(3) Firewall technology is described. A firewall refers to a combination of components that implement access control between different networks or network security domains. In the narrow sense, a firewall is a host or router system on which firewall software has been installed; in the broad sense, it also includes the security policy and security behaviour of the whole network. By establishing a corresponding network security monitoring system at the network boundary, the internal and external networks are isolated. Its function is to prevent unauthorised communication from entering or leaving the protected internal network and to strengthen the internal network's security policy through boundary control. Logically, the firewall is a separator, a limiter and an analyser; physically, implementations vary and are usually a combination of software and hardware.

(4) A complete NIDS designed by the author is explained. The NIDS collects network data through WinPcap, extracts useful information from the data through protocol analysis, and then performs conventional detection on it; if an anomaly is detected, it is passed to the response output module for processing, and if conventional detection finds nothing abnormal, the data are stored in the database. The data mining algorithm extracts data from the database, mines it and examines the mining results; if an anomaly is found, it is likewise passed to the response output module. The statistical analysis module can compute statistics over the database information and feed the various statistical results back to the administrator. The NIDS monitors the local area network and captures packets through the switch's port mirroring (SPAN/port monitor) function. Port mirroring maps port A onto another port B, so that traffic flowing through port A is also forwarded to port B; by this principle, all ports connected to monitored devices, or the port connecting the switch to the router, are mapped to the port to which the NIDS is connected, so that all network packets flowing through the switch can be monitored. The system's structure diagram, the functions of each part, the operating instructions and the implementation techniques are presented. Finally, the system is tested and the feasibility of applying data mining technology to intrusion detection systems is demonstrated.

(5) The system realised in this thesis is a network-based intrusion detection system; its response output module, like those of most similar systems, is a passive response. The response output module is triggered in two ways: when conventional detection discovers an anomaly, the response module is triggered for processing; and when intelligent detection discovers abnormal network behaviour, the response module is also triggered. Once triggered, the response module promptly feeds the abnormal network situation back to the system administrator or user, who can examine the abnormal network connections, source and destination addresses and so on according to the response output and finally choose how to handle them.
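The linear first-match algorithm described in section (2), written out as an added example that is not part of the thesis: rules are tried in priority order, each of the five fields is matched as exact, prefix or range depending on the form of the rule field, and the first rule whose five fields all match supplies the action. The rule base, packets and field-spec encoding are constructed here for illustration; the comparison count shows why query time grows with the size of the rule base.

```python
import ipaddress

# A rule is a dict with five match fields plus an action. A field spec is one of:
#   "*"            -> wildcard (any value)
#   "10.0.0.0/8"   -> prefix match (a /32 prefix is an exact-address match)
#   (1024, 65535)  -> range match on a port
#   80 or "tcp"    -> exact match
FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "proto")

def field_matches(spec, value):
    """Exact, prefix or range match, chosen by the form of the rule field."""
    if spec == "*":
        return True
    if isinstance(spec, tuple):                      # range match
        lo, hi = spec
        return lo <= value <= hi
    if isinstance(spec, str) and "/" in spec:        # prefix match
        return ipaddress.ip_address(value) in ipaddress.ip_network(spec, strict=False)
    return spec == value                             # exact match

def linear_match(rules, packet, default="deny"):
    """Linear first-match: return (action, number of field comparisons made).

    Rules are tried in priority order; as soon as one field of a rule fails,
    the algorithm jumps to the next rule. The default action applies when no
    rule matches on all five fields.
    """
    comparisons = 0
    for rule in sorted(rules, key=lambda r: r["priority"]):
        matched = True
        for f in FIELDS:
            comparisons += 1
            if not field_matches(rule[f], packet[f]):
                matched = False
                break
        if matched:
            return rule["action"], comparisons
    return default, comparisons

# Constructed sample rule base (not from the thesis), lowest priority number first.
RULES = [
    {"priority": 1, "src_ip": "*", "dst_ip": "192.168.1.10", "src_port": "*",
     "dst_port": 80, "proto": "tcp", "action": "accept"},
    {"priority": 2, "src_ip": "10.0.0.0/8", "dst_ip": "*", "src_port": "*",
     "dst_port": (1024, 65535), "proto": "udp", "action": "accept"},
    {"priority": 3, "src_ip": "*", "dst_ip": "*", "src_port": "*",
     "dst_port": 23, "proto": "tcp", "action": "deny"},
]

if __name__ == "__main__":
    pkt = {"src_ip": "10.2.3.4", "dst_ip": "8.8.8.8", "src_port": 5000, "dst_port": 53, "proto": "udp"}
    print(linear_match(RULES, pkt))  # no rule matches: falls through all three rules
```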
Keywords/Search Tags: intrusion, data mining, rules-matching, firewall, system architecture