
Improve The Detection Accuracy Of The Distributed Intrusion Detection System

Posted on: 2006-02-23
Degree: Master
Type: Thesis
Country: China
Candidate: D F Li
GTID: 2208360155465866
Subject: Computer application technology
Abstract/Summary:
As attackers' capabilities grow, intrusions become increasingly serious. Network users have to adopt active defense technology and deep, varied means to protect network security. Intrusion detection systems are becoming more and more important in network security, and their research and implementation has become a vital task in this field.

Network security experts have done a great deal of research on intrusion detection systems, but current intrusion detection technology is still not very mature and has many problems: widespread reliance on simple detection means, weak recognition of unknown attacks, high false positive and false negative rates, low detection accuracy, slow detection speed, weak self-adaptive and response capacity, and limited support for large-scale, high-speed networks. Most domestic intrusion detection products are still at an early stage: they lag far behind overseas research in anomaly detection, and hybrid detection remains a blank. As intrusion methods keep changing, intrusion detection systems face severe challenges and need to be improved.

Aiming at low detection accuracy and weak self-adaptive capacity, this thesis analyses the causes and presents an approach to solving these problems: a distributed intrusion detection system that uses a hybrid detection method. The system adopts a distributed framework. Each intrusion detection agent combines misuse detection and anomaly detection and is coordinated by the management center. Detection tasks are allocated to the detection agents of each network, which solves the problem of data collection in a large-scale network and can increase detection speed. Misuse detection and anomaly detection improve each other to raise the detection accuracy rate.

This thesis studies the network intrusion detection agent in detail. The agent uses the hybrid detection method to detect intrusions. It monitors the local network to collect data packets and preprocesses the data according to the demands of the detection modules. The misuse detection module and the anomaly detection module detect attacks at the same time. The system combines and analyses the results of the two detection methods and uses their mutual enhancement, on the basis of exact recognition of known attacks, to improve the system's capacity to detect unknown attacks. Attack alarms are divided into two classes, attack and suspect attack, and are responded to according to the established response policy, which avoids disturbing the manager with an excessive number of false reports.

Network intrusion detection agents warn the management center of detected attacks, receive updated detection rule information sent from the management center, and automatically update the detection rule database. The management center validates detection agents to ensure the security and robustness of the system itself.

To address the weak self-adaptive capacity of intrusion detection systems, this thesis does some elementary research on self-adaptive intrusion detection based on an improved ART-2 neural network.

The system was developed with VC++6.0 in the Windows2000 environment. Experimental tests show that this system, to some degree, improves the accuracy and self-adaptive capacity of intrusion detection, enhances network security, and has some research value.
Keywords/Search Tags: intrusion detection, distributed, hybrid detection, accuracy rate, self-adaptive