
Research Of Network IDS Based On Mining Analysis Of Data Stream

Posted on: 2013-06-06
Degree: Master
Type: Thesis
Country: China
Candidate: Z Y Shang
GTID: 2248330374982922
Subject: Computer application technology

Abstract/Summary:
Intrusion detection systems (IDS) are divided into three kinds: host-based, network-based and distributed. The detection technology is divided into two kinds, misuse detection and anomaly detection. Misuse detection works by matching against a library of intrusion signatures; this model has a low false alarm rate but a high missed detection rate. Anomaly detection works by analysing the characteristics of behavior; this model has a low missed detection rate but a high false alarm rate. How to combine the two methods effectively is one of the important problems studied in the network security field today. A typical representative of misuse detection is the open-source system Snort. Snort is open-source network intrusion detection software that uses a rule-driven language and is extended through plug-ins. It can analyse network packet streams in real time and audit system logs. Snort is very capable, and its concise code, free availability and portability have made it the most widely used intrusion protection and detection system and the de facto industry standard. Anomaly detection technology, by contrast, has remained at the stage of theoretical research, mostly based on data mining methods, and there is still no mature and complete system. Data mining is a deepening of the concept of knowledge discovery and combines artificial intelligence, machine learning and databases. Based on an analysis of network intrusion detection systems (Network IDS, hereinafter NIDS), this thesis focuses on anomaly detection algorithms for network data streams.
Network traffic is a typical kind of data stream. From the point of view of data stream analysis, anomaly detection can be viewed as the problem of finding abnormal data in the stream, which belongs to outlier analysis in data mining. Mining data streams is itself a new and challenging topic in the data mining area. Because data streams are massive and change dynamically, traditional data mining algorithms do not perform well on them. How to improve existing data mining algorithms so that they can effectively detect abnormal behavior in a data stream is a difficult and actively studied issue in current data mining research. One of the difficulties is that the algorithm may scan the data set only a limited number of times and must process data at line speed. A representative algorithm is CluStream, a data stream clustering algorithm. Building on CluStream, this thesis proposes ADStream, an improved algorithm with a double-framework structure for anomaly detection on data streams. The method clusters the data stream online and saves the feature information of the clusters in a tilted time frame. The saved feature information can then be used for offline k-means cluster analysis to identify the abnormal data. Finally, the anomaly detection algorithm is combined with the Snort system to construct a new network intrusion detection system that has both misuse detection and anomaly detection capability.
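As an added illustration (not code from the thesis), the following sketch shows the online step of a simplified CluStream-style clusterer: each record is read once and folded into an additive cluster feature vector, from which centroid and radius are computed without keeping the raw data. The tilted time frame, the fixed micro-cluster budget and the offline k-means stage are left out, and a plain member-count check stands in for the offline analysis; the feature choice, thresholds and all names are assumptions made for this example.

```python
import math

class MicroCluster:
    """Additive cluster feature: count, per-dimension linear and squared sums."""
    def __init__(self, point, t):
        self.n, self.last_t = 1, t
        self.ls = [float(x) for x in point]
        self.ss = [float(x) * x for x in point]

    def centroid(self):
        return [s / self.n for s in self.ls]

    def rms_radius(self):
        # RMS deviation from the centroid, derived from the stored sums alone
        var = sum(q / self.n - (s / self.n) ** 2 for q, s in zip(self.ss, self.ls))
        return math.sqrt(max(var, 0.0))

    def absorb(self, point, t):
        self.n, self.last_t = self.n + 1, t
        for i, x in enumerate(point):
            self.ls[i] += x
            self.ss[i] += x * x

def process_stream(stream, boundary_factor=2.0, min_radius=5.0):
    """Single pass over the stream; each record is read once and then discarded."""
    clusters = []
    for t, point in enumerate(stream):
        if clusters:
            nearest = min(clusters, key=lambda c: math.dist(c.centroid(), point))
            limit = boundary_factor * max(nearest.rms_radius(), min_radius)
            if math.dist(nearest.centroid(), point) <= limit:
                nearest.absorb(point, t)
                continue
        clusters.append(MicroCluster(point, t))  # outside every boundary: new cluster
    return clusters

def sparse_clusters(clusters, min_points=3):
    """Stand-in for the offline stage: clusters with few members are anomaly candidates."""
    return [c for c in clusters if c.n < min_points]

# Constructed sample: (packets per second, mean packet size in bytes) per flow window
SAMPLE = [(10, 500), (11, 505), (9, 498), (10, 502), (12, 499), (900, 60),
          (10, 501), (11, 497), (905, 62), (9, 503)]

if __name__ == "__main__":
    for c in sparse_clusters(process_stream(SAMPLE)):
        print("anomaly candidate:", c.centroid(), "members:", c.n, "last seen:", c.last_t)
```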
Keywords/Search Tags:Intrusion Detection, ADStream, Data Mining, Data Stream