Study On Intrusion Detection Technology Based On Hidden Semi-Markov Model

Posted on: 2009-02-12
Degree: Master
Type: Thesis
Country: China
Candidate: Z M Peng
Full Text: PDF
GTID: 2178360272957223
Subject: Detection Technology and Automation

Abstract/Summary:
Intrusion detection is a network and information security technology used to detect intrusive behavior in computer network systems. In view of the development trend of intrusion detection technology and the practical need for it, this dissertation studies two typical detection methods: misuse detection based on network data packets, and anomaly detection using audit data.

First, the standard structure and function of intrusion detection systems (IDS) are presented, followed by their data sources and how that data is produced. Current detection methods are then analysed and summarized.

Because real systems cannot satisfy the Markov condition, and the models and detection algorithms built on it are therefore not accurate, a misuse detection method for network security based on the Hidden Markov Model (HMM) is presented. The intrusion type is modeled with an HMM, so the problem of identifying which intrusion type a behavior under test belongs to is converted into a pattern-matching problem. Detection and classification of the known intrusion types are then accomplished.

U2R and R2L attacks are stealthy and highly damaging. The HMM cannot describe state duration, has high training complexity, and cannot accurately model the regular transitions in audit data. To address these problems, a host-oriented anomaly intrusion detection system based on the Hidden semi-Markov Model (HsMM) is proposed. The system targets U2R and R2L attacks. It improves detection performance while greatly reducing both false positives and false negatives, and the training time is not much longer than before.

Finally, intrusion prediction is studied. The HsMM structure is redefined to describe intrusion detection. The state duration is computed from the contribution of each system call's risk factor. The output probability of the current system call sequence is then calculated to decide whether the current system behavior is normal and to compute the anomaly probability of the subsequent system calls. A highly dangerous process can thus be detected in advance, and the approximate time at which the intrusion is established can be estimated. The attack attempt can therefore be found in advance, gaining precious time for active intrusion prevention.
Keywords/Search Tags: Network Security, Misuse Detection, Anomaly Detection, Hidden semi-Markov Model, Intrusion Prediction