
Research On Misuse Type Of Network Intrusion Detection Technology Based CBR Theory

Posted on: 2012-03-29
Degree: Master
Type: Thesis
Country: China
Candidate: Z J Huang
Full Text: PDF
GTID: 2218330371962632
Subject: Communication and Information System
Abstract/Summary:
At present, most commercial Network-based Intrusion Detection Systems (NIDS) perform well using misuse detection technology. But if an attacker uses evasion techniques, the system produces false negatives and the detection rate drops. Case-based Reasoning (CBR) is an inference model that retrieves the cases most similar to a new problem from a case base, adapts the best retrieved case and provides a solution. By introducing CBR theory and similarity comparison into NIDS, the system can effectively deal with attack attempts that deviate from the detection rules.

Supported by the research requirements of the Service Management and Control System in High Trustability Network project of the National High-Tech Research and Development Program of China (863 Program), this dissertation analyses the evasion problem of existing misuse-type NIDS, proposes a system structure, algorithms and an implementation scheme combined with CBR theory, and solves the evasion problem effectively. The main contents are as follows:

1. A system structure for a Misuse-Type NIDS Based on CBR (C-MNIDS) is proposed. This structure achieves precise matching as well as similar matching, and thus provides a framework for solving the evasion problem. The design focuses on the problems that arise when CBR is applied to NIDS. On one hand, a layered case base maintenance module is designed to solve the low retrieval efficiency caused by a huge case base. On the other hand, a CBR engine module with variable feature weights is designed to solve the low retrieval accuracy caused by the equal feature weights of a traditional CBR engine. On top of these modules, a pretreatment module and a case organization structure for the detection case base are designed to form the complete system structure.

2. A Hybrid Ant-Fish Swarm Clustering Algorithm (HAFSC) is proposed. To solve the low retrieval efficiency caused by a huge case base, and to fit the C-MNIDS case maintenance structure, this algorithm improves the traditional Ant Colony Optimization Clustering Algorithm (ACOC) and the Artificial Fish-swarm Clustering Algorithm (AFSC) to avoid problems such as decline of the best state and premature convergence. It obtains a rough clustering with the improved AFSC at the start, then uses the improved ACOC to refine the result. Finally, the algorithm is applied to case retrieval to reduce search time and improve search accuracy. Simulation results show that the algorithm produces much better clustering results, and that applying it to case retrieval reduces retrieval time and improves retrieval efficiency.

3. A Comprehensive Feature Weights algorithm (CFW) is proposed. To solve the low retrieval accuracy caused by the equal feature weights of a traditional CBR engine, and to fit the C-MNIDS engine structure, this algorithm obtains more accurate results by designing adjustment methods based on an analysis of the advantages and disadvantages of subjective and objective weights. From these results an adjustment coefficient is derived to produce the final feature weights. Simulation results show that the algorithm is simple to implement, effectively avoids the shortcomings of subjective and objective weights, reduces the error rate of the retrieval algorithm, and improves matching accuracy, specificity and sensitivity.

4. The implementation scheme and test plan of C-MNIDS are designed. Implementation schemes for the pretreatment module, detection case base, case base maintenance module and CBR engine module are designed according to the C-MNIDS system structure and the relevant algorithms. A detection rate test, a false positive test and a stress test are carried out to evaluate the performance of C-MNIDS. The three test results show that the C-MNIDS designed in this dissertation can effectively detect attacks using evasion techniques, and that the best detection rate reached 94.1% on attacks that were false negatives of the misuse NIDS.
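As an added illustration, and not the dissertation's code or its real feature set, the following Python sketches the two matching paths the C-MNIDS structure combines: precise matching against a detection case base, and weighted similarity retrieval that catches a padded, re-ported variant of a known case which exact matching misses, with the variable feature weights deciding whether the nearest case is the attack or a benign profile. The case base, query, feature kinds, threshold and weights are all constructed here.

```python
from dataclasses import dataclass

# How each feature is compared (assumed feature set for this example, not the thesis's).
FEATURE_KIND = {"proto": "cat", "dport": "cat", "tokens": "set", "pkt_len": "num"}

@dataclass
class Case:
    name: str
    features: dict   # feature name -> value
    verdict: str     # "attack" or "benign"

def feature_similarity(kind, a, b):
    """Similarity of one pair of feature values, in [0, 1]."""
    if kind == "cat":                      # categorical: exact match only
        return 1.0 if a == b else 0.0
    if kind == "set":                      # token sets: Jaccard index
        a, b = set(a), set(b)
        return len(a & b) / len(a | b) if a | b else 1.0
    return 1.0 - abs(a - b) / max(abs(a), abs(b), 1)   # numeric: normalised distance

def similarity(query, case, weights):
    """Weighted mean of per-feature similarities; weights are the variable feature weights."""
    return sum(w * feature_similarity(FEATURE_KIND[f], query[f], case.features[f])
               for f, w in weights.items()) / sum(weights.values())

def exact_match(query, case_base):
    """Precise matching: the signature-rule path of a misuse NIDS."""
    return next((c for c in case_base if c.features == query), None)

def retrieve(query, case_base, weights, threshold=0.5):
    """Similar matching: (nearest case, score), or (None, score) below the threshold."""
    best = max(case_base, key=lambda c: similarity(query, c, weights))
    score = similarity(query, best, weights)
    return (best, score) if score >= threshold else (None, score)

def classify(query, case_base, weights):
    """Precise match first, then similar match, as the C-MNIDS structure combines them."""
    hit = exact_match(query, case_base) or retrieve(query, case_base, weights)[0]
    return hit.verdict if hit else "unknown"

# Constructed case base: two known attack patterns and one benign traffic profile.
CASE_BASE = [
    Case("dir-traversal", {"proto": "tcp", "dport": 80, "tokens": frozenset({"..", "etc", "passwd"}), "pkt_len": 120}, "attack"),
    Case("ssh-auth-fail", {"proto": "tcp", "dport": 22, "tokens": frozenset({"ssh", "auth", "fail"}), "pkt_len": 64}, "attack"),
    Case("benign-web", {"proto": "tcp", "dport": 8080, "tokens": frozenset({"index", "html"}), "pkt_len": 1400}, "benign"),
]
# Constructed evasion variant: traversal tokens plus padding on an alternate port, so nothing matches exactly.
QUERY = {"proto": "tcp", "dport": 8080, "tokens": frozenset({"..", "etc", "passwd", "junk"}), "pkt_len": 1400}
EQUAL_WEIGHTS = {f: 1.0 for f in FEATURE_KIND}          # the traditional CBR engine's setting
VARIABLE_WEIGHTS = {"proto": 1.0, "dport": 1.0, "tokens": 4.0, "pkt_len": 1.0}   # payload tokens weighted up
```

With equal weights the port and length agreement pulls the query toward the benign profile; weighting the payload tokens up makes the traversal case the nearest one and the query is classified as an attack.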
Keywords/Search Tags: Network Intrusion Detection, Case-based Reasoning, Case Base Maintenance, Swarm Clustering Algorithm, Feature Weights Calculating Method