
Applied Research, Data Mining In Intrusion Detection

Posted on: 2005-09-29
Degree: Master
Type: Thesis
Country: China
Candidate: Y Qian
Full Text: PDF
GTID: 2208360122992618
Subject: Computer application technology

Abstract/Summary:
As an active measure of information assurance, intrusion detection is an effective complement to traditional protection techniques. The dynamic security cycle of policy, protection, detection and response can greatly improve the assurance capability of information systems and reduce the extent of security threats. In fact, intrusion detection technology can be regarded as the process of analyzing a network's audit data. With the development of operating systems and network technology, the volume of network audit data has increased sharply, so intrusion detection needs efficient techniques for processing audit data. In current research, data mining technology is used to extract characteristic models from the enormous volume of audit data, and the application of data mining has become one of the most important research directions in intrusion detection.

This thesis studies the application of data mining to intrusion detection systems. The first chapter summarizes data mining technologies and intrusion detection systems, outlines the main content of the later chapters, and explains the foundation and significance of the thesis. The second and third chapters introduce data mining and related problems, including the process, methods, classification and applications of data mining, and introduce intrusion detection systems, including the system model, classification and related technology. These two chapters are the foundation for the further research in the later chapters.

The fourth chapter studies the application of Markov chains to anomaly detection. The method can identify anomalous behavior even when users possess little knowledge of network security, which makes it of considerable practical significance. The chapter reports the experimental results of the single-step and multi-step Markov models, and the experiments show the feasibility of the method.

The fifth chapter introduces in depth the application of association rules to intrusion detection. First, a variety of applied algorithms and improved algorithms are studied. Then a weighted association rules algorithm is given to address the problem that applying association rules to the detection system improves the detection rate but also increases the false positive rate. The method can to some extent improve the detection rate of the intrusion detection system, limit the generation of uninteresting rules, and decrease the false positive rate. Finally, the feasibility of the method is proved through experiment.

The sixth chapter studies the application of sequence models to anomaly detection. It begins by summarizing current research in China and abroad, then describes the AprioriAll and AprioriSome algorithms, and indicates the difference between the two algorithms and their respective advantages and disadvantages. Finally, the thesis presents the experimental results and proves the feasibility of the method.

The seventh chapter summarizes the whole thesis and gives an outlook on future research.

Main work of the thesis:
(1) In terms of the application of Markov chains, the Markov chain model used for anomaly detection is discussed in depth. The experiments indicate that the model can detect anomalous system behavior under the condition of poor system security knowledge.
(2) In terms of association rules, normal behavior models are mined from the DARPA 1998 training data, and the experiments indicate that the method can detect anomalous user behavior. Subsequently, a weighted association rules algorithm is given to address the problem that applying association rules to the detection system improves the detection rate but also increases the false positive rate. The method can to some extent improve the detection rate of the intrusion detection system, limit the generation of uninteresting rules, and decrease false...
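The Markov chain anomaly detector of chapter four, as an added worked example that is not code from the thesis: a k-th order chain (k=1 is the single-step model, k>1 the multi-step model) is trained on event sequences from normal sessions, and a new session is scored by the average negative log-probability of its transitions. The command vocabulary, the sample sessions, the additive smoothing constant and the threshold-calibration rule are all assumptions made for this illustration.

```python
"""Markov-chain anomaly detector over audit event sequences (added illustration)."""
import math
from collections import defaultdict

# Constructed training data: command sequences from normal user sessions.
NORMAL_SESSIONS = [
    ["login", "ls", "cd", "ls", "vi", "make", "ls", "logout"],
    ["login", "cd", "ls", "vi", "gcc", "ls", "logout"],
    ["login", "ls", "cd", "vi", "make", "make", "logout"],
    ["login", "cd", "vi", "gcc", "ls", "logout"],
]


class MarkovAnomalyDetector:
    def __init__(self, order=1, alpha=0.01):
        self.order = order    # 1 = single-step chain, >1 = multi-step chain
        self.alpha = alpha    # additive smoothing: unseen transitions get a small non-zero probability
        self.counts = defaultdict(lambda: defaultdict(int))  # context -> next event -> count
        self.symbols = set()  # event vocabulary seen during training

    def _transitions(self, seq):
        # Yield (context, next_event) pairs; the context is the previous `order` events.
        for i in range(self.order, len(seq)):
            yield tuple(seq[i - self.order:i]), seq[i]

    def fit(self, sessions):
        for seq in sessions:
            self.symbols.update(seq)
            for ctx, nxt in self._transitions(seq):
                self.counts[ctx][nxt] += 1
        return self

    def transition_prob(self, ctx, nxt):
        row = self.counts.get(ctx, {})
        total = sum(row.values())
        n = len(self.symbols) + 1  # +1 reserves probability mass for events never seen in training
        return (row.get(nxt, 0) + self.alpha) / (total + self.alpha * n)

    def score(self, seq):
        """Average negative log-probability per transition; higher means more anomalous."""
        pairs = list(self._transitions(seq))
        if not pairs:
            return 0.0
        nll = sum(-math.log(self.transition_prob(ctx, nxt)) for ctx, nxt in pairs)
        return nll / len(pairs)

    def is_anomalous(self, seq, threshold):
        return self.score(seq) > threshold


def calibrate_threshold(detector, sessions, slack=1.0):
    """Assumed rule: worst score among the normal training sessions plus a slack margin."""
    return max(detector.score(s) for s in sessions) + slack


if __name__ == "__main__":
    det = MarkovAnomalyDetector(order=1).fit(NORMAL_SESSIONS)
    thr = calibrate_threshold(det, NORMAL_SESSIONS)
    for session in (["login", "cd", "ls", "vi", "make", "logout"],
                    ["login", "cat", "chmod", "wget", "logout"]):
        print(session, round(det.score(session), 3), det.is_anomalous(session, thr))
```

Smoothing matters for the "little knowledge of network security" setting the chapter describes: without it, a single transition absent from the training data would give a zero probability and an infinite score, so every slightly unusual but benign session would be flagged. Raising the order sharpens the model but also multiplies the number of contexts that must be seen in training, which is the trade-off between the single-step and multi-step results.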
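The weighted association rules idea of chapter five and of work item (2), as an added worked example that is not the thesis's algorithm: items carry analyst-assigned weights, the weighted support of an itemset is its average item weight times its plain support, and a rule is kept only when its itemset clears a weighted support threshold. Because weighted support is not anti-monotone, this illustration prunes Apriori candidates on plain support and applies the weighted threshold as a filter afterwards; the records, attribute weights and thresholds are all constructed for the example.

```python
"""Weighted association rules over audit connection records (added illustration)."""
from itertools import combinations

# Constructed connection records, each a set of attribute=value items.
RECORDS = [
    {"proto=tcp", "service=http", "flag=SF", "dur=short", "label=normal"},
    {"proto=tcp", "service=http", "flag=SF", "dur=short", "label=normal"},
    {"proto=tcp", "service=ftp", "flag=SF", "dur=long", "label=normal"},
    {"proto=tcp", "service=ftp", "flag=SF", "dur=long", "label=normal"},
    {"proto=tcp", "service=smtp", "flag=SF", "dur=short", "label=normal"},
    {"proto=tcp", "service=private", "flag=S0", "dur=short", "label=neptune"},
    {"proto=tcp", "service=private", "flag=S0", "dur=short", "label=neptune"},
    {"proto=tcp", "service=private", "flag=REJ", "dur=short", "label=neptune"},
]

# Assumed analyst weights in [0, 1]: attributes that carry little security meaning
# on their own (protocol, duration bucket) are damped so rules built from them
# do not dominate the output.
WEIGHTS = {"flag": 1.0, "service": 0.9, "label": 1.0, "proto": 0.2, "dur": 0.2}


def item_weight(item):
    return WEIGHTS[item.split("=", 1)[0]]


def support(itemset, records):
    return sum(1 for r in records if itemset <= r) / len(records)


def weighted_support(itemset, records):
    avg_w = sum(item_weight(i) for i in itemset) / len(itemset)
    return avg_w * support(itemset, records)


def frequent_itemsets(records, min_support, max_len=3):
    """Level-wise Apriori; plain support is anti-monotone, so pruning on it is safe."""
    items = sorted(set().union(*records))
    level = {frozenset([i]) for i in items if support({i}, records) >= min_support}
    frequent = list(level)
    k = 2
    while level and k <= max_len:
        candidates = set()
        for a, b in combinations(level, 2):
            union = a | b
            # keep a k-itemset only if every (k-1)-subset was frequent
            if len(union) == k and all(frozenset(s) in level for s in combinations(union, k - 1)):
                candidates.add(union)
        level = {c for c in candidates if support(c, records) >= min_support}
        frequent.extend(level)
        k += 1
    return frequent


def mine_rules(records, min_support, min_conf, min_wsupport=None):
    """Return (antecedent, consequent, confidence) rules; pass min_wsupport to apply weighting."""
    rules = []
    for itemset in frequent_itemsets(records, min_support):
        if len(itemset) < 2:
            continue
        if min_wsupport is not None and weighted_support(itemset, records) < min_wsupport:
            continue  # weighted filter: drops itemsets made of low-importance attributes
        sup = support(itemset, records)
        for n in range(1, len(itemset)):
            for ante in combinations(sorted(itemset), n):
                ante = frozenset(ante)
                conf = sup / support(ante, records)
                if conf >= min_conf:
                    rules.append((ante, itemset - ante, round(conf, 3)))
    return rules


if __name__ == "__main__":
    plain = mine_rules(RECORDS, 0.25, 0.8)
    weighted = mine_rules(RECORDS, 0.25, 0.8, min_wsupport=0.2)
    print(len(plain), "rules without weighting,", len(weighted), "with weighting")
    for ante, cons, conf in sorted(weighted, key=str):
        print(sorted(ante), "->", sorted(cons), conf)
```

Run on the constructed records, the unweighted pass emits a confidence-1.0 rule dur=short -> proto=tcp that says nothing about intrusions, while the weighted pass drops it and keeps service=private -> label=neptune. Weighting damps rather than eliminates such rules (label=normal -> proto=tcp survives because one side is high-weight), which is why the thesis claims a reduction in uninteresting rules and false positives "to some extent".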
Keywords/Search Tags: Data Mining, intrusion detection, Markov Model, Association Rules, Sequence Model, Weighted Association Rules