
Design and Implementation of Distributed IDS Based on Data Mining

Posted on: 2007-07-28
Degree: Master
Type: Thesis
Country: China
Candidate: G D Feng
Full Text: PDF
GTID: 2208360182466610
Subject: Computer Science and Technology

Abstract/Summary:
With the rapid development of network technology and the ubiquity of networked environments, network security problems have become increasingly prominent. Traditional encryption and firewall techniques cannot meet these expectations on their own, and intrusion detection has come to play an important role as a complementary safeguard. An intrusion detection system (IDS) monitors hosts and network traffic for intrusive and suspicious activity; it detects intrusions not only by external attackers but also by internal users. Together with traditional protective technologies such as firewalls and data encryption, intrusion detection helps defend the network against attackers.

Because new attack methods appear continually, in particular coordinated (cooperative) intrusions, research on intrusion detection faces many new problems. The early centralized intrusion detection systems cannot counter this kind of attack effectively, so the current research trend is to design and build distributed intrusion detection systems, in which multiple detection entities monitor different hosts and networks and cooperate with each other to perform the detection task.

This thesis applies data mining technology to intrusion detection and designs and implements a distributed intrusion detection system based on data mining (DMDIDS). The thesis first presents the definition of intrusion detection and the background and current status of IDS research, then analyzes the application of data mining technology in intrusion detection systems. On this foundation we designed and implemented a distributed data-mining-based intrusion detection system. The system consists of a console and a number of detection agents deployed in different subnets, which together form a signature-based intrusion detection system.

We also implemented a data mining engine that extracts attack signatures from a network data set, converts them through a rule transformation procedure into rules the agents can use, and distributes the resulting rules to all detection agents through the console.

We designed and implemented a network access behaviour monitoring subsystem. It captures every packet on the specified network segment using the libpcap development library, monitors the network access behaviour of every host on the Ethernet using protocol identification and flow reassembly, records the network service usage of internal users on the local area network, and writes the observed network behaviour to a log or a database.

We designed and implemented a signature-based distributed intrusion detection system. We built a self-contained attack signature library by analysing existing attacks and extracting their signatures, and improved detection accuracy and efficiency using flow reassembly and protocol analysis. The system is implemented as a centralized control console plus agents: the detection agents, deployed in the various subnets, perform the intrusion detection, while the console controls and manages them. In addition, the console can detect distributed attacks that no single agent is able to detect on its own.
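The console/agent architecture and the mining-to-rule pipeline described above, as an added Python sketch that is not the thesis's code. The abstract does not specify the mining algorithm, the rule format, how agents are assigned to subnets, or how the console recognises a distributed attack, so the support/confidence filter, the (port, protocol, payload token) rule shape, the destination-prefix subnet ownership and the "same source alerts at several agents within a window" correlation used here are all assumptions. The training flows and live traffic are constructed records; a real agent would produce them from libpcap captures after protocol identification and flow reassembly, which the sketch leaves out.

```python
from collections import Counter, defaultdict, namedtuple

# Added illustration, not the thesis's code: the mining algorithm, rule format,
# subnet assignment and correlation threshold are assumptions, and the flows are
# constructed records (a real agent would build them from libpcap captures).
# Flow.label is "normal"/"attack" in the training set only; Rule.pattern is the
# byte string an agent searches for in the payload.
Flow = namedtuple("Flow", "ts src dst dport proto payload label", defaults=["unknown"])
Rule = namedtuple("Rule", "name dport proto pattern")
Alert = namedtuple("Alert", "rule agent src dst ts")
MIN_TOKEN = 6   # assumption: skip short payload tokens such as HTTP verbs

def extract_features(flow):
    """Candidate signature features of a flow: (dport, proto, payload token)."""
    return {(flow.dport, flow.proto, tok)
            for tok in flow.payload.split() if len(tok) >= MIN_TOKEN}

def mine_signatures(training, min_support=2, min_confidence=1.0):
    """Mining engine: keep features seen in >= min_support attack flows whose
    attack share among all flows carrying them is >= min_confidence."""
    in_attack, in_any = Counter(), Counter()
    for f in training:
        for feat in extract_features(f):
            in_any[feat] += 1
            if f.label == "attack":
                in_attack[feat] += 1
    return sorted(feat for feat, n in in_attack.items()
                  if n >= min_support and n / in_any[feat] >= min_confidence)

def to_rules(signatures):
    """Rule transformation: mined features -> rules the agents can match."""
    return [Rule(f"sig-{i}:{proto}/{dport}", dport, proto, tok)
            for i, (dport, proto, tok) in enumerate(signatures, 1)]

class DetectionAgent:
    """Signature matcher for one subnet; dst-prefix ownership is an assumption."""
    def __init__(self, name, prefix):
        self.name, self.prefix, self.rules = name, prefix, []
    def inspect(self, flows):
        return [Alert(r.name, self.name, f.src, f.dst, f.ts)
                for f in flows if f.dst.startswith(self.prefix)
                for r in self.rules
                if (f.dport, f.proto) == (r.dport, r.proto) and r.pattern in f.payload]

class Console:
    """Pushes rules to agents, collects their alerts, correlates across subnets."""
    def __init__(self, agents):
        self.agents, self.alerts = list(agents), []
    def distribute(self, rules):
        for agent in self.agents:
            agent.rules = list(rules)
    def collect(self, flows):
        for agent in self.agents:
            self.alerts.extend(agent.inspect(flows))
        return self.alerts
    def correlate(self, min_agents=2, window=60.0):
        """Distributed attack: one source alerts at >= min_agents agents within
        `window` seconds; no single agent holds enough evidence to raise this."""
        by_src = defaultdict(list)
        for a in self.alerts:
            by_src[a.src].append(a)
        findings = []
        for src, als in by_src.items():
            als.sort(key=lambda a: a.ts)
            for i, first in enumerate(als):
                hit = {a.agent for a in als[i:] if a.ts - first.ts <= window}
                if len(hit) >= min_agents:
                    findings.append((src, sorted(hit)))
                    break
        return findings

PHF = b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0"
FTP = b"SITE EXEC %p%p%p%p"
TRAINING = [  # constructed, hand-labelled training set for the mining engine
    Flow(1, "10.0.0.1", "10.1.0.5", 80, "tcp", b"GET /index.html HTTP/1.0", "normal"),
    Flow(2, "10.0.0.3", "10.3.0.4", 21, "tcp", b"USER anonymous", "normal"),
    Flow(3, "198.51.100.9", "10.1.0.5", 80, "tcp", PHF, "attack"),
    Flow(4, "198.51.100.9", "10.2.0.9", 80, "tcp", PHF, "attack"),
    Flow(5, "198.51.100.9", "10.3.0.4", 21, "tcp", FTP, "attack"),
    Flow(6, "198.51.100.9", "10.3.0.4", 21, "tcp", FTP, "attack"),
]
LIVE = [  # constructed traffic: one source probes three subnets, another hits one
    Flow(100, "203.0.113.7", "10.1.0.5", 80, "tcp", PHF),
    Flow(110, "203.0.113.7", "10.2.0.9", 80, "tcp", PHF),
    Flow(130, "203.0.113.7", "10.3.0.4", 21, "tcp", FTP),
    Flow(150, "10.0.0.1", "10.1.0.5", 80, "tcp", b"GET /index.html HTTP/1.0"),
    Flow(200, "198.51.100.2", "10.1.0.5", 80, "tcp", PHF),
]

def run_demo():
    """Mine rules, push them via the console, detect locally, correlate centrally."""
    rules = to_rules(mine_signatures(TRAINING))
    console = Console([DetectionAgent("agent-A", "10.1."),
                       DetectionAgent("agent-B", "10.2."),
                       DetectionAgent("agent-C", "10.3.")])
    console.distribute(rules)
    return rules, console.collect(LIVE), console.correlate()

if __name__ == "__main__":
    for src, agents in run_demo()[2]:
        print(f"distributed attack from {src} seen by {agents}")
```

The mining step discards the `HTTP/1.0` token because it also occurs in normal traffic (confidence below 1.0), so only the two attack-specific payload tokens become rules. Each agent raises alerts only for flows destined to its own subnet; the source that probes all three subnets is visible to the console alone, which is the "distributed attack a single agent cannot detect" case in the abstract. The second source, which hits only one subnet, produces a local alert but no correlated finding.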
Keywords/Search Tags: Intrusion Detection, Data Mining, Distribution, Network Security, Console, Agent