The Research Of Distributed Intrusion Detection Based On Data Mining And Complex Event Process

Posted on: 2012-10-03
Degree: Master
Type: Thesis
Country: China
Candidate: Y H Yu
Full Text: PDF
GTID: 2218330338470656
Subject: Computer software and theory

Abstract/Summary:
Over the last 10 years, intrusion detection systems (IDS) have developed into dynamic monitoring systems that sit below intrusion prevention and the other safety mechanisms. An IDS detects unauthorized use by system users and intrusion attempts by outside intruders who exploit the system's security flaws, mainly by monitoring the status, behaviour and usage of the network system. Compared with traditional preventive security mechanisms, an IDS offers intelligent monitoring, real-time detection, dynamic response and easy configuration. The rule base of an expert-system IDS must be updated constantly to keep up with intrusion techniques. Early knowledge-engineering approaches to intrusion detection extracted features of user behaviour, built normal or abnormal profiles, analysed intrusion methods and system vulnerabilities, and hand-wrote system-specific rules from "expert knowledge"; such approaches have long lacked effectiveness across environments, adaptability, extensibility and scalability. Data mining technology, with its ability to extract models automatically from large amounts of data, has therefore been widely adopted in intrusion detection systems: data mining algorithms analyse massive amounts of audit data and automatically discover new patterns. Most existing data mining-based intrusion detection systems, however, only match collected network packets against existing attack patterns. This is efficient for common intrusions but often powerless against new, unknown attacks, even in current IDS products.

Such systems also have high false negative and false alarm rates, and their algorithms need mass storage on disk to hold the data. This thesis addresses the fact that the performance of current IDS products is not well integrated and falls short of actual network security needs, and proposes applying complex event processing (CEP) technology together with data mining techniques to intrusion detection. The thesis includes the following work:

1) Based on a study of data mining and complex event processing technology, the necessity and feasibility of applying them to intrusion detection are examined, a distributed intrusion detection system based on data mining and complex event processing is designed, and its system architecture is given.

2) Complex event processing offers real-time operation, intelligence, early warning, low coupling and low cost, and avoids the expensive disk storage of mass data. The volatile nature of complex event processing greatly improves the portability of the intrusion detection system described here, so that future changes become very convenient. The proposed use of complex event processing is therefore expected to greatly improve the overall performance of the intrusion detection system.

3) A data mining module is defined within the data analysis subsystem; it uses a cluster analysis algorithm and an FP-tree based association rule mining algorithm to mine rules, so that intrusion rules are updated automatically. To prevent the intrusion rule base from expanding excessively, an optimization of the intrusion rule base is proposed.

4) According to the actual needs of intrusion detection, the distributed intrusion detection system based on data mining and complex event processing is divided into three subsystems: the data acquisition subsystem, the data analysis subsystem and the response subsystem. The intrusion detection system as a whole is an Oracle CEP IDE application; the subsystems are assembled into an Oracle CEP EPN (event processing network) so that the system works in a truly coordinated and efficient way.

5) The distributed intrusion detection system based on data mining and complex event processing developed in this thesis was subjected to functional testing, stress testing, IDS evasion testing and performance testing. The test results show that the system has good comprehensive intrusion detection capabilities and some improvement in detection accuracy. It meets current security needs and has a certain theoretical and practical significance.
Keywords/Search Tags: IDS, Data Mining, Cluster, Association Rules, CEP, Oracle CEP IDE