
The Research Of Distributed Intrusion Detection Systems

Posted on: 2010-06-11
Degree: Master
Type: Thesis
Country: China
Candidate: L Sun
Full Text: PDF
GTID: 2178360272497064
Subject: Computer application technology
Abstract/Summary:
With the development of computer networks, more attention has been paid to security problems, and that attention is continually being updated. Attacks on computers and networks have increased gradually, and their means have become more and more complicated and concealed. As an active security defence technique, intrusion detection offers real-time protection, since it can respond to an intrusion before the network is endangered. Intrusion detection technology has become a hot research topic in recent years.

As network bandwidth grows, high-speed network environments have made the processing speed of current network security equipment the major performance bottleneck: if the intrusion detection system cannot keep up with the data transmission speed of the network, some data will be lost and the accuracy and effectiveness of detection suffer. In high-speed, large-scale network environments data tend to be stored in a distributed way, and how to detect intrusions efficiently there becomes a major problem. Traditional intrusion detection technology places a number of sensors to collect network status information and then sends it to a central console for analysis; this architecture is unsuited to today's environments. A distributed intrusion detection system can resolve this problem to some extent: it collects data in a distributed way and lets the nodes work together, finally achieving the purpose of detecting distributed attacks.
A DIDS puts a number of independent IDS modules on network nodes. The sub-nodes learn first and, when necessary, transmit their results to a central console for fusion learning, which can update the sub-nodes' knowledge and yield an overall model of the network. A distributed intrusion detection system has the following advantages: the information of the sub-nodes is integrated and interacts, so a wide range of attacks can be detected; using different detection algorithms on different data can improve detection accuracy; and independence from central computing and storage resources improves detection efficiency.

Intrusion detection techniques can be classified into two categories: misuse detection and anomaly detection. Misuse detection looks for the signatures of known attacks, then uses the patterns of known attacks or weak spots of the system to match and identify known intrusions. Anomaly detection models a user's behaviour, and any significant deviation from normal behaviour is considered the result of an attack. Statistical analysis is commonly used in anomaly detection: according to the statistical attributes, the current behaviour is compared using a pattern-matching method, and when the values fall outside the normal range an attack is assumed. A neural network can cope with the randomness of raw data and learn adaptively from incomplete input; the degree of deviation from the neural network's output is used to detect attacks.

The research content of this paper is the distributed intrusion detection system. Distributed data are analysed only once, and the results of the sub-nodes are integrated to obtain the overall detection model.
According to the different ways data are stored, algorithms for setting up the normal behaviour model are presented respectively. The work done in this paper is as follows:

1) It introduces intrusion detection theory, including the principle, classification and analysis techniques of intrusion detection.

2) It introduces the proposal of a distributed intrusion detection system and discusses the basic knowledge used in this paper, including principal component analysis, clustering, decision trees and self-organizing maps. Having studied the relationships in distributed storage data, it proposes detection algorithms and the flow for establishing the normal behaviour model.

3) For the horizontal partition of the database, a method based on fusion PCA is presented. In this situation each sub-node keeps a sample's information in full, and the attributes stored on the sub-nodes are the same. First, the sub-nodes cluster in parallel and then transmit the cluster centres to a centre node, which reduces the data traffic between nodes. Second, principal component analysis is performed on the cluster centres, and the principal components are converted into attributes as a kind of normal behaviour pattern. Finally, the normal behaviour model built by a decision tree is stored on the sub-nodes. Clustering compresses the data samples transversely and principal component analysis compresses them longitudinally; both can remove isolated points and reflect the overall characteristics of normal data, and the decision tree algorithm can carry out the matching process effectively.

4) For the vertical partition of the database, a method using a growing partial SOM is presented. In this situation each sub-node keeps part of a sample's information, and the numbers of samples stored on the sub-nodes are the same. First, the sub-nodes use PSOM to cluster the data samples. The PSOM grows: during learning it determines whether a sample can be classified correctly and, when the growth condition is met, that sample becomes a new cluster; after the growth process ends, a pruning algorithm removes "dead neurons". Second, the PSOM weight matrices are transmitted to a centre node, and the distributed SOM model established from the conversion matrices of isolated points can embody the characteristics of the whole data. Finally, the overall model is stored on the sub-nodes in a distributed way. A SOM can automatically cluster input samples and show the result in the competition layer through self-organizing learning. The SOM network with the added growth and pruning processes can reflect the characteristics of the sub-nodes better. Connecting the matrices of the sub-nodes is equivalent to the overall model.

5) Finally, through experiments on the intrusion detection data set KDD CUP 1999, the performance and effectiveness of the algorithms are illustrated. The results show that our distributed algorithm achieves the overall detection results and, compared with a single anomaly detection algorithm, balances the false positive rate and detection rate better. The impact of various parameters on the algorithms' performance is also analysed through experiment.
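The horizontal-partition flow in item 3 (parallel local clustering, cluster centres shipped to the hub, PCA over the centres, a normal-behaviour model pushed back to every sub-node), as an added illustration in pure Python; this is not the thesis's code. The sub-node sample data are constructed (three correlated attributes lying near a line), the hub keeps only the leading principal component, and the thesis's decision tree is replaced by a threshold on the reconstruction residual, calibrated on each node's own normal traffic, so that only cluster centres and a (mean, axis) pair ever cross the network.

```python
"""Horizontal partition, fusion PCA sketch.  Every sub-node holds complete samples with the
same attributes; nodes cluster locally and ship only centres, the hub runs PCA on the centres,
and each node keeps a residual-threshold model.  Constructed illustration, not thesis code."""
import math
import random

random.seed(7)

def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def mean(points):
    return [sum(col) / len(points) for col in zip(*points)]

def kmeans(points, k, iters=25):
    """Plain Lloyd k-means on one sub-node; the k centres are the only data that leave it."""
    centres = random.sample(points, k)
    for _ in range(iters):
        buckets = [[] for _ in range(k)]
        for p in points:
            buckets[min(range(k), key=lambda j: dist2(p, centres[j]))].append(p)
        centres = [mean(b) if b else centres[j] for j, b in enumerate(buckets)]
    return centres

def covariance(points):
    m = mean(points)
    d, n = len(m), len(points)
    cov = [[sum((p[i] - m[i]) * (p[j] - m[j]) for p in points) / (n - 1)
            for j in range(d)] for i in range(d)]
    return m, cov

def leading_component(cov, iters=200):
    """First principal component by power iteration (a real system would keep as many
    components as explain the variance; one is enough for the sketch)."""
    d = len(cov)
    v = [1.0 / math.sqrt(d)] * d
    for _ in range(iters):
        w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
        norm = math.sqrt(sum(x * x for x in w))
        v = [x / norm for x in w]
    return v

def residual(x, m, pc):
    """Squared distance between x and its reconstruction from the principal axis."""
    c = [xi - mi for xi, mi in zip(x, m)]
    t = sum(ci * pi for ci, pi in zip(c, pc))
    return sum((ci - t * pi) ** 2 for ci, pi in zip(c, pc))

def hub_fuse(centre_lists):
    """Hub: PCA over the union of all nodes' centres; only (mean, axis) goes back out."""
    m, cov = covariance([c for lst in centre_lists for c in lst])
    return m, leading_component(cov)

def node_model(samples, m, pc, margin=2.0):
    """Sub-node: calibrate a residual threshold on its own normal traffic (assumed stand-in
    for the thesis's decision tree)."""
    return m, pc, margin * max(residual(x, m, pc) for x in samples)

def is_anomaly(model, x):
    m, pc, thr = model
    return residual(x, m, pc) > thr

# Constructed normal data: three attributes that co-vary along the direction (1, 2, -1),
# split across three sub-nodes that all store the same attributes (horizontal partition).
def normal_sample():
    t = random.uniform(-5, 5)
    return [t + random.gauss(0, 0.1), 2 * t + random.gauss(0, 0.1), -t + random.gauss(0, 0.1)]

NODES = [[normal_sample() for _ in range(60)] for _ in range(3)]

def run_demo(k=3):
    centres = [kmeans(node, k) for node in NODES]        # step 1: parallel local clustering
    m, pc = hub_fuse(centres)                            # step 2: PCA on the centres at the hub
    return [node_model(node, m, pc) for node in NODES]   # step 3: model stored on every node
```

`run_demo()` returns one model per node; a sample that lies on the normal axis (for instance `[3, 6, -3]`) passes, while one that leaves it (`[0, 5, 0]`) is flagged. The recovered axis can be checked against the generating direction (1, 2, -1)/√6.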
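The vertical-partition flow in item 4 (a growing partial SOM per sub-node with pruning of dead neurons, weight matrices sent to the centre node, the overall model formed by connecting the sub-node matrices), as an added illustration in pure Python; this is not the thesis's code. The sample data are constructed (two clusters over four attributes, with each of two nodes holding two attributes of every sample), the SOM is a one-dimensional chain with an annealed neighbourhood, and the way the hub connects the matrices is this example's own assumption: each node also reports the winner index of every training sample, and the hub concatenates the winners' weights into joint full-dimensional prototypes. The example also shows why the fusion matters: a sample whose two halves are each individually normal but were never seen together is caught only by the joint model.

```python
"""Vertical partition, growing partial SOM (PSOM) sketch.  Every sub-node holds the same
samples but only a slice of the attributes; each trains a growing/pruning 1-D SOM and ships
its weight matrix plus per-sample winner indices, and the hub concatenates per-sample winners
into joint prototypes.  Constructed illustration, not thesis code."""
import math
import random

random.seed(11)

def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def bmu(neurons, x):
    """Index of the best-matching unit (closest weight vector) in the competition layer."""
    return min(range(len(neurons)), key=lambda i: dist2(x, neurons[i]))

def train_psom(samples, grow_thr, epochs=30):
    """Grow: a sample whose BMU is further than grow_thr (squared) away seeds a new neuron.
    Prune: neurons that win no sample in the final epoch are 'dead' and dropped.
    Learning rate and neighbourhood width anneal so the chain settles onto the clusters."""
    neurons, wins = [list(samples[0])], [0]
    for ep in range(epochs):
        frac = 1.0 - ep / epochs
        lr, sigma = 0.02 + 0.3 * frac, 0.05 + 0.5 * frac
        radius = int(3 * sigma) + 1
        wins = [0] * len(neurons)
        for x in samples:
            b = bmu(neurons, x)
            if dist2(x, neurons[b]) > grow_thr:
                neurons.append(list(x))          # growth step: the sample becomes a new cluster
                wins.append(1)
                continue
            wins[b] += 1
            for j in range(max(0, b - radius), min(len(neurons), b + radius + 1)):
                h = math.exp(-((j - b) ** 2) / (2 * sigma ** 2))   # Gaussian neighbourhood
                neurons[j] = [w + lr * h * (xi - w) for w, xi in zip(neurons[j], x)]
    alive = [n for n, c in zip(neurons, wins) if c > 0]   # pruning of dead neurons
    return alive, [bmu(alive, x) for x in samples]

def hub_fuse(node_models):
    """Hub: for every training sample, concatenate the winner weight of each node; the set
    of distinct concatenations is the overall full-dimensional prototype model (assumption)."""
    n_samples = len(node_models[0][1])
    joint = {}
    for i in range(n_samples):
        key = tuple(winners[i] for _, winners in node_models)
        joint[key] = [w for neurons, winners in node_models for w in neurons[winners[i]]]
    return list(joint.values())

def quant_error(prototypes, x):
    return min(dist2(x, p) for p in prototypes)

def calibrate(prototypes, full_samples, margin=2.0):
    """Anomaly threshold on the quantisation error, set from the training data's worst case."""
    return margin * max(quant_error(prototypes, x) for x in full_samples)

def is_anomaly(prototypes, thr, x):
    return quant_error(prototypes, x) > thr

# Constructed normal data: two tight clusters over four attributes.  Node 1 stores attributes
# 0-1 and node 2 stores attributes 2-3 of every sample (vertical partition, equal sample counts).
def make_samples(per_cluster=100, noise=0.2):
    pts = [[c + random.gauss(0, noise) for c in centre]
           for centre in ((0, 0, 0, 0), (5, 5, 5, 5)) for _ in range(per_cluster)]
    random.shuffle(pts)
    return pts

FULL = make_samples()
SLICES = [(0, 2), (2, 4)]

def run_demo():
    node_models = [train_psom([x[a:b] for x in FULL], grow_thr=9.0) for a, b in SLICES]
    prototypes = hub_fuse(node_models)                      # connect the sub-node matrices
    return prototypes, calibrate(prototypes, FULL)
```

`run_demo()` returns the joint prototypes and the calibrated threshold. A sample near one cluster (`[5.1, 4.9, 5.0, 5.2]`) is accepted; `[0, 0, 5, 5]` is within a cluster on each node's own slice, yet no joint prototype pairs those halves, so the overall model rejects it.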
Keywords/Search Tags: Intrusion detection, Distributed, Principal component analysis, Self-Organizing Map