Research On Network Intrusion System Based On Rough Set Theory

Posted on: 2011-03-04
Degree: Master
Type: Thesis
Country: China
Candidate: D H Liu
Full Text: PDF
GTID: 2178360302488567
Subject: Computer application technology

Abstract/Summary:
Improving real-time performance and improving adaptability are two research topics in network intrusion detection systems. To address them, some scholars have proposed building lightweight intrusion detection systems through feature selection, while others assert that network intrusion detection systems should update their own rules in time. Reduction under rough set theory can greatly reduce the length of a rule, which contributes to building a lightweight intrusion detection system. To improve the adaptability of network intrusion detection systems, this thesis mainly studies how to implement rule updates in network intrusion detection systems under rough set theory.

In rough set theory, rules are represented by a decision table. Because a decision table does not support rule updates in network intrusion detection systems, this thesis represents rules with hierarchies of rough decision tables for the first time and applies the incremental learning algorithm to update the rules. Both the construction algorithms for hierarchies of rough decision tables and the incremental learning algorithm were proposed by Ziarko, but they are not suited to network intrusion detection. The construction algorithms may produce more hierarchies, which slows network intrusion detection systems down. The incremental learning algorithm does not support expanding the hierarchies, and a constant number of hierarchies in rules represented by hierarchies of rough decision tables shortens the life of the rules. To solve these two issues, this thesis applies reduction to the construction algorithms to limit the hierarchies, and applies the construction algorithms to the incremental learning algorithm to expand the hierarchies.

The thesis then designs and implements an experiment for rule updates, which shows that updating rules with the incremental learning algorithm is effective, with a lower false positive rate, a lower false negative rate and a higher detection rate for network intrusion attacks. Finally, the thesis designs and implements a network intrusion detection system with four modules: data collection engine, event engine, analytic engine and response module. A test for detecting DoS and Probing attacks in a virtual network environment shows that the system can detect attacks to some extent.
Keywords/Search Tags:intrusion detection, rough set theory, rules acquisition, hierarchies of rough decision tables, rules update
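
The abstract's point that reduction shortens rules can be seen on a small decision table. The following is an added example, not code from the thesis: it uses a generic greedy search on the rough-set dependency degree followed by a pruning pass, and does not implement the hierarchies of rough decision tables or the incremental learning algorithm. The attribute names, values and rows are constructed for illustration.

```python
from collections import defaultdict

# Constructed decision table: four condition attributes, then the decision.
ATTRS = ["protocol", "service", "flag", "rate"]
TABLE = [
    ("tcp",  "http",    "SF",  "low",  "normal"),
    ("tcp",  "http",    "S0",  "high", "dos"),
    ("tcp",  "private", "REJ", "low",  "probe"),
    ("udp",  "dns",     "SF",  "low",  "normal"),
    ("icmp", "echo",    "SF",  "high", "dos"),
    ("tcp",  "private", "S0",  "high", "dos"),
    ("tcp",  "private", "REJ", "low",  "probe"),
    ("tcp",  "ftp",     "SF",  "low",  "normal"),
    ("icmp", "echo",    "SF",  "low",  "normal"),
]

def dependency(attrs):
    """Dependency degree: share of rows whose indiscernibility class
    under `attrs` maps to a single decision (the positive region)."""
    idx = [ATTRS.index(a) for a in attrs]
    blocks = defaultdict(list)
    for row in TABLE:
        blocks[tuple(row[i] for i in idx)].append(row[-1])
    pos = sum(len(b) for b in blocks.values() if len(set(b)) == 1)
    return pos / len(TABLE)

def find_reduct():
    """Greedy forward selection until the subset classifies as well as
    all attributes, then drop any attribute that became redundant."""
    target = dependency(ATTRS)
    chosen = []
    while dependency(chosen) < target:
        rest = [a for a in ATTRS if a not in chosen]
        # Ties go to the attribute listed first in ATTRS.
        chosen.append(max(rest, key=lambda a: dependency(chosen + [a])))
    for a in list(chosen):
        trial = [x for x in chosen if x != a]
        if dependency(trial) == target:
            chosen = trial
    return chosen

def rules(attrs):
    """One rule per distinct value combination; only meaningful when
    dependency(attrs) == 1.0, so no combination has mixed decisions."""
    idx = [ATTRS.index(a) for a in attrs]
    return {tuple(row[i] for i in idx): row[-1] for row in TABLE}

if __name__ == "__main__":
    reduct = find_reduct()
    print("reduct:", reduct)
    for cond, label in rules(reduct).items():
        print(dict(zip(reduct, cond)), "->", label)
```

On this table the nine four-attribute rows collapse to four two-attribute rules, which is the rule-length reduction the abstract refers to.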