
Study On The Method For Intrusion Detection Based On Distributed Firewall Log

Posted on: 2009-04-12
Degree: Master
Type: Thesis
Country: China
Candidate: S H Yang
Full Text: PDF
GTID: 2178360272484746
Subject: Computer application technology
Abstract/Summary:
A methodology combining misuse detection and anomaly detection, based on the log system of the distributed firewall and on intrusion detection technology, is presented in this paper to analyze intrusions recorded in the distributed firewall log system. Based on data mining theory and technology, we study intrusion detection for the distributed firewall and use experiments to validate the correctness and validity of the approach. The experimental results and analysis indicate that the proposed method attains a higher detection rate and a lower false alarm rate when detecting intrusions, and that it can be used in a real distributed firewall.

The traditional intrusion detection methodology of using only misuse detection or only anomaly detection has its own limitations and leaves gaps in detection. After analyzing the merits and defects of misuse detection and anomaly detection, a methodology combining the two, together with data mining technology, is proposed.

This paper is based on research into the distributed firewall log system. First, the overall design of the distributed firewall is introduced, discussing the goals and characteristics of the distributed firewall log. Then the methodology for intrusion detection on the distributed firewall log is proposed, covering the design of the log, of the intrusion detection and of the data mining. The paper focuses mainly on data mining for intrusion detection: the feasibility and necessity of data mining for intrusion detection are introduced first, followed by the algorithms and experiments for intrusion detection based on data mining. In the last part, we review the work done and describe future work.

The major work in this paper consists of two parts. One is a methodology combining misuse detection and anomaly detection to detect intrusions. The other is the use of the k-means cluster analysis algorithm from data mining to build the normal and abnormal action libraries, and of the FP-growth association rule algorithm and the PrefixSpan sequential pattern algorithm to set up the normal feature library.
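The k-means part of the method described above, as an added illustration that is not code from the thesis: it derives per-host feature vectors from constructed firewall log lines, clusters them into a normal and an abnormal action library, and then applies misuse detection (closeness to the abnormal library) before anomaly detection (distance from the normal library). The feature set, the Euclidean distance and the radius threshold are assumptions made for this example; the FP-growth and PrefixSpan steps are not shown.

```python
import re
from math import dist, fsum
# Constructed sample of distributed-firewall log lines (not real data): three hosts
# using two web ports normally and one host sweeping ten ports and being denied.
LOG_LINES = [f"fw1 ACCEPT src=10.0.0.{h} dst=10.0.1.2 dport={p}"
             for h in (5, 6, 7) for p in (80, 443, 80)]
LOG_LINES += [f"fw2 DENY src=10.0.0.9 dst=10.0.1.{d} dport={p}"
              for d, p in zip(range(2, 12), range(21, 31))]
LINE_RE = re.compile(r"\S+ (ACCEPT|DENY) src=(\S+) dst=\S+ dport=(\d+)$")

def extract_features(lines):
    """Per source IP: (connections, distinct destination ports, DENY count); an assumed feature set."""
    stats = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the run
        action, src, dport = m.groups()
        s = stats.setdefault(src, [0, set(), 0])
        s[0] += 1
        s[1].add(dport)
        s[2] += action == "DENY"
    return {ip: (n, len(ports), denies) for ip, (n, ports, denies) in stats.items()}

def kmeans2(points, rounds=20):
    """Two-cluster k-means seeded with the first point and the point farthest from it (repeatable)."""
    centroids = [points[0], max(points, key=lambda p: dist(p, points[0]))]
    for _ in range(rounds):
        clusters = [[], []]
        for p in points:  # assign each host to its nearest centroid
            clusters[1 if dist(p, centroids[1]) < dist(p, centroids[0]) else 0].append(p)
        new = [tuple(fsum(col) / len(cl) for col in zip(*cl)) if cl else centroids[i]
               for i, cl in enumerate(clusters)]
        if new == centroids:  # converged
            break
        centroids = new
    return centroids

def build_libraries(features):
    """The centroid with more denies becomes the abnormal action library, the other the normal one."""
    c = kmeans2(list(features.values()))
    return min(c, key=lambda v: v[2]), max(c, key=lambda v: v[2])

def classify(vec, normal, abnormal, radius=3.0):
    """Misuse detection first (near the abnormal library), then anomaly detection (far from the normal one)."""
    if dist(vec, abnormal) <= radius:
        return "misuse"
    if dist(vec, normal) > radius:
        return "anomaly"
    return "normal"
```

A host that matches neither library (for example, many accepted connections to only two ports) is reported as an anomaly rather than silently passed, which is the gap the combined method is meant to close.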
Keywords/Search Tags: Distributed firewall, Log, Intrusion detection, Data mining