
Research Of Intrusion Detection Technology Combining Misuse Detection And Anomaly Detection

Posted on: 2011-03-24
Degree: Master
Type: Thesis
Country: China
Candidate: B Ye
GTID: 2178360302991871
Subject: Communication and Information System
Abstract/Summary:
With the continuous development of the Internet, network security has become increasingly prominent. IPv6, the next version of the Internet protocol, offers a large address space, greater mobility and built-in security features, and will eventually replace IPv4. However, IPv6 cannot completely solve network security issues. Intrusion detection systems, as effective network security tools, can still play a vital role in the IPv6 environment. Consequently, research on IPv6 network intrusion detection systems is of great significance.

Misuse detection and anomaly detection are the two main kinds of intrusion detection technology, each with advantages and disadvantages. Misuse detection has a better detection rate for known attacks, but needs frequent signature database updates and cannot find unknown attacks; anomaly detection is able to discover unknown attacks, but its false positive and false negative rates are too high for practical application. To address these problems, this thesis carries out the following studies:

Based on a study of misuse detection techniques, the signature-based Snort system is analysed. On this basis, Snort is migrated to the IPv6 network environment, including IPv6 protocol parsing, IPv6 fragment reassembly, IPv6 rule writing and IPsec handling, so that the system can work in both IPv4 and IPv6 networks.

After studying anomaly detection techniques, an anomaly detection algorithm based on Markov chains is implemented. Several Markov chain models of common protocols are given: an overall TCP model and FTP, HTTP, TELNET and DNS protocol models.

On the basis of the above work, an intrusion detection system combining misuse detection and anomaly detection is designed and implemented. First the overall design of the system and the module design of the program are given, including the packet capture module, protocol analysis module, preprocessing module, anomaly detection module, rule matching module and response module. Finally, system testing and analysis are given. Tests showed that the system has a good detection effect for known attacks and for unknown protocol anomaly attacks.
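As an added illustration of the Markov-chain anomaly detection approach described above (example code written for this page, not the thesis's own implementation), the following Python trains a first-order Markov chain on constructed FTP command sessions, calibrates an anomaly threshold from the training scores, and flags sessions whose command transitions are unlikely under the model. The session data, the Laplace smoothing constant and the mean-minus-3-stdev threshold are assumptions.

```python
import math
import statistics
from collections import defaultdict

START, END = "<S>", "<E>"   # virtual session boundary states

class MarkovProtocolModel:
    """First-order Markov chain over protocol events, Laplace-smoothed."""
    def __init__(self, alpha=1.0):
        self.alpha = alpha        # smoothing mass given to unseen transitions
        self.counts = defaultdict(lambda: defaultdict(int))
        self.symbols = {START, END}
        self.threshold = None     # set in fit(): mean - 3*stdev of training scores

    def fit(self, sequences):
        # Count transitions in normal traffic, then calibrate the threshold on it
        for seq in sequences:
            states = [START, *seq, END]
            self.symbols.update(states)
            for a, b in zip(states, states[1:]):
                self.counts[a][b] += 1
        scores = [self.score(s) for s in sequences]
        self.threshold = statistics.mean(scores) - 3.0 * statistics.pstdev(scores)
        return self

    def transition_prob(self, a, b):
        # Smoothed P(b | a); a transition never seen in training keeps a small mass
        row = self.counts.get(a, {})
        total = sum(row.values())
        return (row.get(b, 0) + self.alpha) / (total + self.alpha * len(self.symbols))

    def score(self, seq):
        # Mean log-probability per transition; lower means less like normal traffic
        states = [START, *seq, END]
        logp = sum(math.log(self.transition_prob(a, b)) for a, b in zip(states, states[1:]))
        return logp / (len(states) - 1)

    def is_anomalous(self, seq):
        return self.score(seq) < self.threshold

# Constructed FTP command sessions standing in for captured normal traffic
NORMAL_SESSIONS = [
    ["USER", "PASS", "PWD", "CWD", "LIST", "RETR", "QUIT"],
    ["USER", "PASS", "CWD", "LIST", "RETR", "RETR", "QUIT"],
    ["USER", "PASS", "PWD", "LIST", "STOR", "QUIT"],
    ["USER", "PASS", "CWD", "LIST", "QUIT"],
    ["USER", "PASS", "LIST", "RETR", "QUIT"],
    ["USER", "PASS", "PWD", "CWD", "LIST", "STOR", "STOR", "QUIT"],
]

def build_ftp_model():
    return MarkovProtocolModel().fit(NORMAL_SESSIONS)
```

A session of repeated USER/PASS pairs, or one using commands never seen in training, scores well below the calibrated threshold and is flagged, while an unseen but ordinary session is not.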
Keywords/Search Tags: IPv6, IDS, Misuse Detection, Anomaly Detection, Markov