Malicious feature detection from network flows is an important area of network security. The Internet is a special environment in which the transmission of commands, files, and media is divided into a large number of packets with different headers and payloads, according to a variety of network protocols. In addition, there is instability such as out-of-order packets, packet loss, network congestion and jitter. This paper focuses on the discrete feature detection problem and draws conclusions based on in-depth analysis and experiment. The existing discrete feature detection methods are classified and analyzed. They are designed to replace session reassembly by keeping intermediate state during the pattern matching process, which in practice is implemented by modifying classical pattern matching algorithms. These algorithms check packets in a single scan, which solves the performance problem caused by stream rebuilding. However, most discrete feature detection methods are limited in detection accuracy and lack practical use.
In this paper, an improved discrete feature detection method is proposed that combines the advantages of session reassembly and discrete matching algorithms. Experiments show that discrete matching algorithms have very low memory consumption. Based on this trait, the improved method reassembles abnormal packets under certain conditions. Moreover, a self-adaptive threshold control mechanism is proposed to deal with abnormal network traffic such as congestion and to achieve a better balance between performance and detection effect. Finally, a prototype system for the detection of malicious file transmission is implemented, with a discrete feature detection algorithm as its core engine. It is mainly composed of rule analysis, flow management and detection engine components. The experimental results reveal the detection ability of the basic algorithm and the improved one. The system testing and performance evaluation finally prove the superiority of the discrete matching algorithm and its improved version.
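As an added example (not the paper's code) of the approach the abstract describes: a KMP-style matcher whose automaton state is kept per flow, so a feature split across packet boundaries is found in a single pass without reassembling the session, plus a bounded reorder buffer that rebuilds only out-of-order packets, standing in for the conditional reassembly and threshold control above. The signature, flow key and packets are constructed sample data, and the fixed buffer limit is a stand-in for the paper's self-adaptive threshold.

```python
class StreamMatcher:  # KMP automaton over bytes; state = number of pattern bytes matched so far
    def __init__(self, pattern):
        self.p, self.fail = pattern, [0] * len(pattern)
        k = 0
        for i in range(1, len(pattern)):  # standard KMP failure table
            while k and pattern[i] != pattern[k]:
                k = self.fail[k - 1]
            k += 1 if pattern[i] == pattern[k] else 0
            self.fail[i] = k

    def step(self, state, b):  # consume one byte -> (new state, True if the pattern just completed)
        while state and b != self.p[state]:
            state = self.fail[state - 1]
        if b == self.p[state]:
            state += 1
        if state == len(self.p):
            return self.fail[state - 1], True
        return state, False

class FlowMatcher:  # keeps matcher state per flow, so a match resumes across packet boundaries
    def __init__(self, matcher, max_buffered=4):  # max_buffered: fixed stand-in for the adaptive threshold
        self.m, self.max_buffered, self.flows = matcher, max_buffered, {}  # key -> [state, next_seq, buffer]

    def feed(self, key, seq, payload):  # scan one packet; return matches it (or packets it unblocks) completes
        flow = self.flows.setdefault(key, [0, seq, {}])
        st, nxt, buf, hits = flow[0], flow[1], flow[2], 0
        if seq != nxt:  # gap: hold the packet (bounded); duplicate or old data: ignore
            if seq > nxt and len(buf) < self.max_buffered:
                buf[seq] = payload
            return hits
        while payload is not None:  # in-order data, then any buffered successors it unblocks
            for b in payload:
                st, done = self.m.step(st, b)
                hits += done
            nxt += len(payload)
            payload = buf.pop(nxt, None)
        flow[0], flow[1] = st, nxt
        return hits

SIGNATURE = b"MZ\x90\x00"  # constructed sample feature: PE file magic, used as a file-transfer signature

def demo():  # constructed flow: the signature is split across packets 1/2 (in order) and 3/4 (out of order)
    km = StreamMatcher(SIGNATURE)
    p1, p2, p3, p4 = b"HTTP/1.1 200 OK\r\n\r\nM", b"Z\x90\x00 padding ", b"more data MZ\x90", b"\x00 tail"
    per_packet = sum(FlowMatcher(km).feed("k", 0, p) for p in (p1, p2, p3, p4))  # stateless scan: misses both
    fm, key = FlowMatcher(km), ("10.0.0.1", 40000, "10.0.0.2", 80)  # constructed flow key
    s2 = 100 + len(p1); s3 = s2 + len(p2); s4 = s3 + len(p3)
    r1, r2 = fm.feed(key, 100, p1), fm.feed(key, s2, p2)
    r4 = fm.feed(key, s4, p4)  # arrives early: buffered, not scanned
    r3 = fm.feed(key, s3, p3)  # fills the gap; the buffered p4 is then scanned too
    return per_packet, (r1, r2, r4, r3)
```

The stateless scan reports nothing, while the per-flow matcher reports one hit when packet 2 arrives and one more when packet 3 closes the gap and the held packet 4 is scanned.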