
Design and Implementation of a Network-Packet-Based Anomaly Detection System

Posted on: 2004-04-20
Degree: Master
Type: Thesis
Country: China
Candidate: X T Sun
Full Text: PDF
GTID: 2208360095956007
Subject: Computer software and theory

Abstract/Summary:
Intrusion detection is an active defense technology that plays an important role in a multi-level network security architecture. By the detection technique used, intrusion detection systems can be classified as misuse detection systems and anomaly detection systems; by the source of their data, they can be grouped into host-based and network-based systems. Network-based anomaly detection systems have advantages such as early detection and the detection of novel attacks, and the ability to detect novel attacks is essential to a truly secure system.

Describing normal behavior is one of the difficulties an anomaly detection system faces. Researchers have proposed or implemented various approaches, including those based on statistics, on pattern prediction and on neural networks; some of these approaches are still under research. This paper presents an in-depth study of building normal behavior models, discussing problems such as attribute selection, event modeling and association analysis. The traditional statistics-based approach uses a stationary model, in which the anomaly value is calculated from the historical frequencies of events. In this paper, the anomaly value of a novel event is instead calculated with a non-stationary model, in which the anomaly value depends on when the last novel event occurred rather than on frequencies. In addition, a set of IF-THEN conditional rules is induced to examine the relationships among attribute values. The non-stationary model also applies to the association analysis: the anomaly value of an attribute taking a novel value under certain conditions depends on the last occurrence of a novel value of the same attribute under the same conditions. Combining individual examination with association examination improves the accuracy of the normal behavior model.
Following these ideas, this paper presents the design and implementation of a packet-based anomaly detection prototype system on the Linux platform, aimed at protecting important Web servers. Based on an analysis of attack behavior, the prototype system examines attributes of TCP connections. Whereas network-based intrusion detection systems usually inspect packet headers, or only part of them, this system examines the packet payload as well as the headers. Not only is each attribute examined individually, but the relationships among co-occurring attributes are also checked against a set of conditional rules generated automatically by a machine learning algorithm. The paper includes the architecture diagram and the important flowcharts of the system, discusses in depth the generation and use of the conditional rules, and presents the design of the important modules, which perform packet sniffing, multivariate statistics and association detection. Key data structures are listed, with descriptions of the important functions in the implementation. Finally, a summary is given and some problems for further research are pointed out.
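The two ideas in the abstract, a non-stationary anomaly value for novel attribute values and the same scoring applied to induced IF-THEN association rules, are illustrated by the following added example. It is not the thesis's code: the attribute names, the constructed training connections, the rule-induction scheme (one rule "IF a=v THEN b in S" per observed condition) and the score t*n/r (time since the last novel value times observations over distinct values, the formula used by Mahoney and Chan's PHAD/LERAD) are all assumptions, since the abstract does not state the thesis's exact formula. The stationary baseline is included only to show that its score for an unseen value does not change with time, whereas the non-stationary score does.

```python
"""Non-stationary anomaly scoring over TCP connection attributes.

Added example (not the thesis's code).  Contrasts a stationary,
frequency-based score with a non-stationary score in which a novel
value is weighted by the time since the last novel value of the same
attribute, then applies the non-stationary score to IF-THEN rules
induced from training connections.  Attribute names, training data and
the formula t*n/r (borrowed from PHAD/LERAD) are assumptions.
"""
import math
from collections import defaultdict

# Constructed training connections: (time, attributes).  dst_port and
# flags come from headers; method is parsed from the payload, since the
# prototype inspects payload as well as headers.
TRAIN = [
    (0, {"dst_port": 80, "flags": "S", "method": "GET"}),
    (1, {"dst_port": 80, "flags": "S", "method": "GET"}),
    (2, {"dst_port": 80, "flags": "S", "method": "POST"}),
    (3, {"dst_port": 22, "flags": "S", "method": "-"}),
    (4, {"dst_port": 80, "flags": "S", "method": "HEAD"}),
    (5, {"dst_port": 80, "flags": "SA", "method": "GET"}),
    (6, {"dst_port": 22, "flags": "S", "method": "-"}),
    (7, {"dst_port": 80, "flags": "S", "method": "GET"}),
]


class StationaryModel:
    """Baseline: the score depends only on training frequency, never on time."""

    def __init__(self):
        self.counts = defaultdict(int)
        self.n = 0

    def train(self, t, value):
        self.counts[value] += 1
        self.n += 1

    def score(self, t, value):
        # Laplace-smoothed surprisal; an unseen value scores the same at any t.
        return -math.log((self.counts[value] + 1) / (self.n + 1))


class NonStationaryModel:
    """n observations, r distinct values, and the time of the last novel value."""

    def __init__(self):
        self.values = set()
        self.n = 0
        self.last_novel = 0

    def train(self, t, value):
        self.n += 1
        if value not in self.values:
            self.values.add(value)
            self.last_novel = t

    def score(self, t, value):
        # Known value: not anomalous.  Novel value: (t - last_novel) * n / r,
        # so a burst of novelties after the first one scores progressively
        # lower, while an isolated novelty after a long quiet period scores high.
        if value in self.values:
            return 0.0
        elapsed = t - self.last_novel
        self.last_novel = t
        return elapsed * self.n / len(self.values)


def build_model(train):
    """Per-attribute models plus rules IF a=v THEN b in S; each rule carries
    its own non-stationary model over the values of b seen under a=v."""
    individual = defaultdict(NonStationaryModel)
    rules = defaultdict(NonStationaryModel)  # key: (cond_attr, cond_value, attr)
    for t, attrs in train:
        for a, v in attrs.items():
            individual[a].train(t, v)
            for b, w in attrs.items():
                if b != a:
                    rules[(a, v, b)].train(t, w)
    return individual, rules


def score_connection(model, t, attrs):
    """Return (individual_score, association_score) for one connection."""
    individual, rules = model
    ind = sum(individual[a].score(t, v) for a, v in attrs.items() if a in individual)
    assoc = 0.0
    for a, v in attrs.items():
        for b, w in attrs.items():
            key = (a, v, b)
            if b != a and key in rules:  # a rule exists only for a seen condition
                assoc += rules[key].score(t, w)
    return ind, assoc


if __name__ == "__main__":
    model = build_model(TRAIN)
    # Every value is individually known, but GET over port 22 violates the
    # induced rules: only association examination flags it.
    print(score_connection(model, 100, {"dst_port": 22, "flags": "S", "method": "GET"}))
```

The first connection in the `__main__` block is the case the abstract is pointing at: port 22, flag S and method GET have each been seen, so individual examination scores 0, while the rules "IF dst_port=22 THEN method in {-}" and "IF method=GET THEN dst_port in {80}" both see a novel value under their condition. Scoring the same novel value at t=10 and at t=100 gives different non-stationary scores, whereas `StationaryModel` returns the same surprisal at both times.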
Keywords/Search Tags: anomaly detection, non-stationary model, statistics, association analysis, TCP packet