
Network Attack Classification Based On Multi-level Aggregation Of Network Flow Features

Posted on: 2009-12-17 | Degree: Master | Type: Thesis
Country: China | Candidate: K Yu | Full Text: PDF
GTID: 2178360275971586 | Subject: Software engineering
Abstract/Summary:
Intrusion detection has been proposed in recent years as a new network defense mechanism, and it has become one of the important technologies of network security. Most network intrusion detection systems (IDS) adopt network-based or host-based methods to detect and defend against attacks. A network-based IDS uses the data stream as its source; in such a system the network adapter is used to watch and analyze the traffic.

Anomaly detection is a very active field in IDS research. The datagrams on the network can be aggregated at the session, IP, and network levels, producing a set of feature values. Different subsets of this dataset can be used to describe different attack behaviors. The values of these features are stable under normal conditions, but when an attack appears they become sensitive and change noticeably, so they can serve as factors for distinguishing the existence of attacks. Analyzing the trend of the changes in these values to obtain the candidate properties of an attack, and deleting redundant features, improves the efficiency of the classifier and enhances the real-time discernment of the IDS. A classifier based on a decision tree is a good means of determining whether there is an attack by monitoring network features.

The DARPA datasets provided by MIT Lincoln Labs are used to design experiments on top of the multi-level aggregation system to test the classifier. The datasets are restored to a real network environment. By classifying the aggregated feature values, the experimental results are collected to validate the correctness of multi-level aggregation and the accuracy of the classifier.
Keywords/Search Tags: Intrusion Detection, Multi-level Aggregation, Feature Selection, Decision Tree