As networks grow in size and the sources and volume of data increase, abnormal network behavior is becoming more and more rampant. Traditional network monitoring and control methods can no longer help network managers understand the state of the network and its trends. Network situation awareness (NSA) technology was proposed in response: it synthesizes many kinds of information and offers a high-level picture of network security. Its main data sources are NetFlow records from the backbone and the alerts raised by Intrusion Detection Systems (IDS) in the local area network. This paper focuses on intrusion detection in the local area network. Detected anomalies are passed to the higher-level analysis as an influence index for NSA.

At the local area network level, NSA needs to learn of anomalies in real time and must also be able to detect new ones. Today most network IDSs use simple pattern matching, which can only detect known attacks. An IDS based on biological immunity can distinguish illegitimate behavior (nonself) from legitimate behavior (self) and can also recognize anomalies that have never appeared before. It can therefore keep the protected object secure in a continuously changing environment.

The main work of the paper is as follows.

First, it proposes a new detector generation algorithm that improves on the time efficiency of the existing ones. The algorithm implements a detector renewal mechanism and increases the detection rate and speed.

Second, it studies and analyzes in depth the dynamic clonal selection algorithm proposed by Kim's group and puts forward an improved intrusion detection model. Because the majority of the data in a real network is normal, the model adds a self characteristic pattern module. The module produces a small collection of self patterns that is used to process the normal data, and only data that deviates from the existing patterns goes on to the next step. This accelerates the model's processing speed, reduces the size of the self set, shortens the tolerance period, and lowers the false detection rate. The paper also studies feature extraction based on TCP/UDP connections, elaborates the mapping from detector phenotype to genotype, and completes the encoding of detectors and packets, which is the foundation for implementing the intrusion detection model.

Finally, some aspects of the original detection model are revised in detail. Handling is added for memory cells and mature cells that produce false detections and for expired mature cells. The paper also elaborates the deletion strategy for the memory detector set.

To confirm the model's effect and increase detection precision, the paper runs simulations on the KDD CUP99 data set and analyzes in detail the differences between the improved model and the traditional dynamic clonal selection algorithm. The simulation results show that the new model has good detection performance and efficiency.
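The self-pattern filter placed in front of immune detectors, as described above, can be sketched as follows; this is an added example, not the paper's implementation. The 10-bit genotype layout, the r-contiguous matching rule, the exact-match self-pattern set and the exhaustive candidate enumeration are all assumptions made for illustration.

```python
from itertools import product

L, R = 10, 7  # assumed genotype length and r-contiguous match threshold

def encode(proto, service, flag, size):
    """Constructed genotype: 1 protocol bit, then 3 bits each for
    service class, TCP flag class and payload size bucket."""
    return f"{proto:01b}{service:03b}{flag:03b}{size:03b}"

def r_match(a, b, r=R):
    """True when a and b agree on at least r contiguous positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False

def generate_detectors(self_samples):
    """Negative selection: discard every candidate that matches a self sample.
    Candidates are enumerated exhaustively (2**L) to keep the result
    deterministic; a real system draws random candidates instead."""
    candidates = ("".join(bits) for bits in product("01", repeat=L))
    return [c for c in candidates
            if not any(r_match(c, s) for s in self_samples)]

def classify(record, self_patterns, detectors, stats):
    """Self-pattern filter first; only deviating records reach the detectors."""
    if record in self_patterns:
        stats["filtered"] += 1
        return "self"
    stats["compared"] += 1
    hit = any(r_match(record, d) for d in detectors)
    return "anomaly" if hit else "unmatched"

# Constructed sample data: three normal connection genotypes and two probes.
SELF_SAMPLES = [encode(0, 1, 2, 1), encode(0, 1, 2, 2), encode(1, 3, 0, 1)]
TRAFFIC = SELF_SAMPLES * 3 + [encode(1, 7, 7, 7), "0001010011"]

def run():
    detectors = generate_detectors(SELF_SAMPLES)
    stats = {"filtered": 0, "compared": 0}
    patterns = set(SELF_SAMPLES)
    verdicts = [classify(r, patterns, detectors, stats) for r in TRAFFIC]
    return verdicts, stats, detectors

if __name__ == "__main__":
    verdicts, stats, _ = run()
    print(verdicts, stats)
```

The second probe differs from a self sample in a single bit, so it passes the self-pattern filter and is caught only at the detector stage; the `stats` counters show how much of the traffic never reaches the detector comparison.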