
Data Mining-based Network Intrusion Detection System

Posted on: 2006-03-22
Degree: Master
Type: Thesis
Country: China
Candidate: S W Tian
GTID: 2208360152998780
Subject: Computer software and theory
Abstract/Summary:
Network intrusion detection is a new generation of security technology that follows traditional protective measures such as firewalls and data encryption; it identifies and responds to hostile behavior directed at computer and network resources. When data mining is applied to network intrusion detection, detection precision improves because data mining handles large volumes of data well.

Capturing network data is one of the important steps in a network intrusion detection system. First, this thesis designs and implements a network data capture system, which captures and analyzes the network data stream and turns it into network connection records that correctly reflect the properties of each network connection.

Through analysis of current intrusion detection approaches and observation of the characteristics of network data packets, this thesis proposes a "network real-time intrusion detection system based on data mining (DMNIDS)" model. The model consists of a rule-making module and a real-time detection module. In the rule-making module, DMNIDS builds a classification model with the NaiveBayes algorithm. The classification model classifies network connection records into normal behavior rules and abnormal behavior rules, which together are called the rule sets; the thesis takes the abnormal behavior rules as the rule set for real-time detection. In the real-time detection module, DMNIDS uses the capture system developed here to capture data in real time, then compares the similarity of the current network connection records with the rules in the rule set to discover hostile behavior.

Building a network intrusion detection system (IDS) by traditional methods is limited in how quickly the system can be built and updated, and in the face of an increasingly complicated network environment and a growing number of new attack methods, such an IDS cannot meet the need for availability, self-adaptability and real-time operation. DMNIDS, however, uses data mining to analyze and process network security audit data to improve its availability; it trains the classification model periodically and updates its data sets promptly to ensure self-adaptability; and it captures real-time network connection records and judges intrusion behavior by similarity to satisfy the real-time requirement.

Finally, experiments were carried out, and they validated that the precision of the DMNIDS model is satisfactory.
Keywords/Search Tags: network intrusion detection, data mining, feature construction, NaiveBayes classification, similarity comparison