
Intrusion Detection Model Based On Time Series Study

Posted on: 2005-03-29
Degree: Master
Type: Thesis
Country: China
Candidate: D M Luo
GTID: 2208360122480468
Subject: Computer software and theory
Abstract/Summary:
Intrusion detection is a technology for detecting attempts to compromise the integrity, secrecy and availability of computer resources. Building on the general intrusion detection model presented by Dorothy Denning, it has a development history of twenty years. Researchers have applied autonomous agents, data mining, expert systems and model reasoning to the field, and this new knowledge has driven rapid development. However, current intrusion detection models still have many disadvantages.

In this thesis, we analyze and compare current intrusion detection technologies, such as anomaly detection based on statistical methods, data mining or autonomous agents, and misuse detection based on expert systems or model reasoning, and point out that these models do not resolve the relations among attack events. We present a new intrusion detection model based on timed sequences. Considering the influence of the attacker's attack sequence on the attacked system, the model gives the attacked system four states: normal, danger, attacking, and update/create model. The new model can address previously unresolved problems such as the relations among attack events, forecasting, and prevention.

We use Petri nets to describe the new model, analyze its reachability and complexity qualitatively and quantitatively, and use C++ Builder 6.0 to implement the model's reachability and performance analysis. We then use the isomorphism between the behavior of Petri nets with exponentially distributed transition rates and Markov processes to obtain a Markov chain, and compute the subsystem's Mean Time to Delay and the transition probabilities to subsequent states, which provides theoretical evidence for the design of intrusion detection systems.

Finally, we evaluate the model's performance by adding and keeping rules in Snort (free, open-source software), and reach the following conclusion: when the system is in the danger state, there is a high probability of attack, and a strict intrusion detection strategy must be adopted.
Keywords/Search Tags:Intrusion Detection, Timed Sequence, Stochastic Petri Net, Markov Chain
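The step from a Petri net with exponentially distributed transition rates to a Markov chain, and the mean delay and next-state probabilities read off that chain, can be sketched as follows. This is an added example, not code from the thesis: the four state names come from the abstract, while the arcs between them and every rate are constructed for illustration.

```python
from fractions import Fraction as F

# State names are from the abstract; arcs and rates (events per hour) are
# constructed assumptions, not values taken from the thesis.
STATES = ["normal", "danger", "attacking", "update"]
RATES = {
    ("normal", "danger"): F(1, 2),
    ("danger", "normal"): F(1),
    ("danger", "attacking"): F(3),
    ("attacking", "update"): F(2),
    ("update", "normal"): F(4),
}

def exit_rate(state):
    """Total rate of leaving a state (sum of its outgoing exponential rates)."""
    return sum(r for (src, _), r in RATES.items() if src == state)

def mean_sojourn(state):
    """Mean time spent in a state before the next transition fires."""
    return 1 / exit_rate(state)

def jump_prob(src, dst):
    """Probability that the next state after src is dst (embedded chain)."""
    return RATES.get((src, dst), F(0)) / exit_rate(src)

def steady_state():
    """Solve pi * Q = 0 with sum(pi) = 1 by exact Gauss-Jordan elimination."""
    n = len(STATES)
    A = [[F(0)] * (n + 1) for _ in range(n)]
    for j, dst in enumerate(STATES):          # one balance equation per state
        for i, src in enumerate(STATES):
            A[j][i] = -exit_rate(src) if i == j else RATES.get((src, dst), F(0))
    A[-1] = [F(1)] * (n + 1)                  # replace last row: probabilities sum to 1
    for c in range(n):
        p = next(r for r in range(c, n) if A[r][c] != 0)
        A[c], A[p] = A[p], A[c]
        pivot = A[c][c]
        A[c] = [v / pivot for v in A[c]]
        for r in range(n):
            if r != c and A[r][c] != 0:
                k = A[r][c]
                A[r] = [a - k * b for a, b in zip(A[r], A[c])]
    return {s: A[i][n] for i, s in enumerate(STATES)}

if __name__ == "__main__":
    for s in STATES:
        print(s, "mean sojourn (h):", mean_sojourn(s), "steady state:", steady_state()[s])
    print("P(danger -> attacking):", jump_prob("danger", "attacking"))
```

With these constructed rates the danger state leads to the attacking state with probability 3/4; the figure depends entirely on the assumed rates and does not reproduce the thesis's measurements.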