
Research and Implementation of IPS Intrusion Characteristics Analysis Technology

Posted on: 2011-01-04
Degree: Master
Type: Thesis
Country: China
Candidate: S Wang
Full Text: PDF
GTID: 2208360308966764
Subject: Computer application technology
Abstract/Summary:
As intrusions on networks grow more frequent, system and network security has become an active research area in recent years. Because firewalls and other conventional defenses can no longer meet security requirements, intrusion detection has become a central topic in the field. The Intrusion Prevention System (IPS) was introduced in this context: it detects known intrusions as well as part of the unknown attacks on the network, and, unlike an intrusion detection system, it can also block the attack and protect the system.

Traditional IPSs, however, detect attacks using only local information; the individual IPSs do not exchange data, so global information cannot be used to detect intrusions. This thesis combines data mining, in particular sequence pattern mining, with a distributed architecture. A sequence pattern matching approach is used to analyze, in an integrated manner, the information gathered by many independent intrusion prevention systems, which makes intrusion detection more accurate.

The thesis studies and implements the main modules of such an intrusion prevention system. The main contributions are as follows:

First, a hierarchical sequence data mining algorithm for time-series data is introduced into the intrusion prevention system. The method first stratifies the multi-dimensional time-series behaviour sequence, then finds the frequent items, and finally generates association rules. Because these multi-dimensional association rules draw on more information, they detect more intrusions, and detect them more accurately, when applied in the intrusion prevention system.

Second, a double-layer intrusion prevention system architecture is proposed. It consists of two layers: local systems and an interactive system. Each local system has a centralized architecture: probes capture and perform the initial analysis of the local network data, and a data processing center manages the local information and serves as the center of the local system's nodes. The interactive system has a purely distributed architecture whose nodes are the data processing centers of the local systems; it shares and exchanges information among the data processing centers so that more evidence can be gathered to discover attacks.

Finally, based on the proposed architecture and the solutions to its key technologies, a double-layer intrusion prevention system was designed and implemented. It was tested for both functionality and performance using real-world network data and simulated attack data. The results show that the proposed double-layer intrusion prevention system achieves high accuracy and high performance.

In summary, the double-layer intrusion prevention system based on behaviour sequence pattern matching outperforms the traditional intrusion prevention system and can effectively defend against common network attacks.
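The following is added here as an illustration and is not the thesis's own code or data. It runs a minimal version of the pipeline the abstract describes for both contributions: event streams from two hypothetical local data processing centers (node A and node B) are pooled as the interactive layer would, stratified into one time-ordered behaviour sequence per source address, mined for frequent sequence patterns (support counted over sequences, gaps allowed), turned into association rules with a confidence threshold, and finally used to predict and block the next step of an attack from a partially observed sequence. The event labels, node names, thresholds and sample streams are all constructed for this example; the thesis's actual algorithm and test data are not reproduced.

```python
"""Added example (not the thesis's own code): the stratify -> frequent items ->
association rules -> prevention pipeline from the abstract, run over event
streams pooled from two local data processing centers. Event labels, node
names, thresholds and the sample streams are all constructed for this example."""
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample: each local data processing center contributes the
# (timestamp, source_ip, event) tuples its probes already classified.
NODE_A = [
    (1, "10.0.0.9", "portscan"), (2, "10.0.0.9", "ssh_fail"),
    (3, "10.0.0.9", "ssh_fail"), (4, "10.0.0.9", "ssh_ok"),
    (5, "10.0.0.9", "outbound_tcp_4444"),
    (9, "10.0.0.22", "http_get"), (10, "10.0.0.22", "http_get"),
]
NODE_B = [
    (1, "10.0.0.9", "portscan"), (3, "10.0.0.9", "ssh_fail"),
    (6, "10.0.0.9", "outbound_tcp_4444"),
    (2, "10.0.0.31", "portscan"), (5, "10.0.0.31", "ssh_fail"),
    (7, "10.0.0.31", "ssh_ok"), (8, "10.0.0.31", "outbound_tcp_4444"),
    (2, "10.0.0.40", "portscan"), (4, "10.0.0.40", "ssh_fail"),
    (6, "10.0.0.40", "ssh_ok"),
]


def stratify(nodes):
    """Pool the centers' streams (the interactive layer's information sharing)
    and stratify the multi-dimensional series into one time-ordered behaviour
    sequence per source address."""
    per_src = defaultdict(list)
    for node_name, events in nodes.items():
        for ts, src, ev in events:
            per_src[src].append((ts, node_name, ev))
    return {src: tuple(ev for _, _, ev in sorted(rows))
            for src, rows in per_src.items()}


def subsequences(seq, max_len):
    """Distinct ordered subsequences (gaps allowed) of length 1..max_len."""
    found = set()
    for k in range(1, max_len + 1):
        for idx in combinations(range(len(seq)), k):
            found.add(tuple(seq[i] for i in idx))
    return found


def frequent_patterns(sequences, min_support, max_len=3):
    """Support of a pattern = number of behaviour sequences containing it."""
    support = Counter()
    for seq in sequences.values():
        for pat in subsequences(seq, max_len):
            support[pat] += 1
    return {pat: n for pat, n in support.items() if n >= min_support}


def association_rules(patterns, min_confidence):
    """Rule prefix -> next event; confidence = supp(pattern) / supp(prefix).
    The prefix is always frequent too (support is anti-monotone), so the
    lookup cannot fail."""
    rules = []
    for pat, n in patterns.items():
        if len(pat) < 2:
            continue
        prefix, nxt = pat[:-1], pat[-1]
        conf = n / patterns[prefix]
        if conf >= min_confidence:
            rules.append((prefix, nxt, conf))
    # Highest confidence first, then the most specific (longest) prefix.
    return sorted(rules, key=lambda r: (-r[2], -len(r[0]), r[0]))


def is_subsequence(pattern, seq):
    """True if pattern occurs in seq in order, gaps allowed."""
    it = iter(seq)
    return all(ev in it for ev in pattern)


def predict(rules, observed, blocked_events):
    """Prevention step: the first (best) rule whose prefix matches the
    behaviour seen so far and whose predicted next event is on the block
    list gives (event, confidence); None means nothing to block yet."""
    for prefix, nxt, conf in rules:
        if nxt in blocked_events and is_subsequence(prefix, observed):
            return nxt, conf
    return None


if __name__ == "__main__":
    local_only = frequent_patterns(stratify({"A": NODE_A}), min_support=2)
    pooled = frequent_patterns(stratify({"A": NODE_A, "B": NODE_B}), min_support=2)
    print("frequent patterns, node A alone:", len(local_only))   # 0
    print("frequent patterns, A and B pooled:", len(pooled))     # 14
    rules = association_rules(pooled, min_confidence=0.6)
    for prefix, nxt, conf in rules:
        print(f"{' -> '.join(prefix)} => {nxt}  (conf {conf:.2f})")
    print(predict(rules, ("portscan", "ssh_fail"), {"outbound_tcp_4444"}))
```

Run on its own, the block shows the point the abstract makes about sharing information: with node A's data alone no pattern reaches the minimum support and no rule is generated, while the pooled sequences yield the rule "portscan -> ssh_fail => outbound_tcp_4444", which lets the prevention step act on a sequence that has only been partially observed. The sample also includes a source (10.0.0.40) that scans and fails a login but never opens the outbound connection, so the rule's confidence is 2/3 rather than a trivial 1.0.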
Keywords/Search Tags: IPS, time-series sequence mining, information sharing, P2P system