
A Hybrid Intrusion Alarm Analysis And Research Based On Support Vector Machine

Posted on: 2014-02-01
Degree: Master
Type: Thesis
Country: China
Candidate: Q X Chen
Full Text: PDF
GTID: 2248330398470962
Subject: Information security

Abstract/Summary:
The sharing and openness that characterize the Internet pose a major challenge to information security in the current global environment. Attacks that exploit vulnerabilities in operating systems, hardware, applications and network protocols are becoming more and more severe. Existing intrusion detection systems, whether misuse-based or anomaly-based, produce a huge number of alarms, a large proportion of which are false alarms. Alarm analysis is therefore a trend: under the premise of guaranteeing the detection rate while reducing the false alarm rate, analyzing and filtering the original intrusion alarms so as to retain as many genuine attack alarms as possible is a research direction in the field of intrusion detection.

Combining data mining with intrusion detection is a hot research topic. This paper discusses intrusion detection based on the support vector machine. The research background is an actual attack scenario of worms and tool attacks in an enterprise's internal risk area. A hybrid intrusion alarm analysis model based on the attack process and the support vector machine is proposed. The original data come from both the network and the hosts, so that they comprehensively reflect the status of the monitored network or key hosts.

This hybrid intrusion alarm analysis model consists of an alarm analysis method based on the attack process and an alarm filtering method based on the support vector machine. First, this paper studies the attack models of worms and tool attacks and compares the two in detail at each stage of the attack process. Based on that comparison, the most operational and most clearly distinguishing features of the attack process are collected and confirmed, and an alarm analysis method based on the attack process is proposed. This method distinguishes worm attacks from tool attacks against system vulnerabilities and associates the anomalous events with the source IP address of the attack.

Because the original alarms contain a large number of false and redundant alarms, this paper proposes an alarm filtering model based on the support vector machine. The support vector machine is a data mining algorithm with a natural advantage in dealing with small samples and with high-dimensional data that are not linearly separable. By jointly considering the characteristics of a single alarm and the statistical information of multiple alarms, the paper determines the feature vectors.

Following the alarm analysis method, an intrusion detection system for detecting worms and tool attacks is designed. Finally, the system is validated with an example. The experiments show the validity of the proposed model, which has some practical value.
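The abstract describes three steps without showing them: associating alarms with their source IP, building a feature vector that mixes single-alarm attributes with statistics over the multiple alarms from the same source, and training a support vector machine to separate attack alarms from false or redundant ones. The following Python block is an added illustration of that pipeline; it is not code from the thesis. The alarm records, the labels, the four features and the normalisation constants are constructed for the example, and the SVM is fitted with plain full-batch subgradient descent on the L2-regularised hinge loss rather than with whatever solver the thesis used.

```python
"""Alarm filtering with a linear SVM (added illustration, not the thesis's code).

Pipeline: attribute alarms to their source IP -> per-alarm feature vector that
combines single-alarm attributes with per-source statistics -> linear SVM
trained on labelled alarms -> keep only alarms the SVM scores as attacks.
"""
import math
from collections import defaultdict

# Constructed alarm stream (not real data):
# (src_ip, dst_ip, signature, severity 1-5, targets_known_vuln, label)
# label: +1 = confirmed attack alarm, -1 = false alarm
ALARMS = []
# worm-like source: one exploit signature sprayed across many hosts
for i in range(12):
    ALARMS.append(("10.0.0.5", f"10.0.2.{i + 1}", "SMB remote code exec attempt", 4, 1, +1))
# tool attack: several distinct vulnerability probes against a single host
for sig, sev in [("FTP bounce", 3), ("RPC overflow", 5), ("web shell upload", 4),
                 ("SSH version probe", 3), ("SQLi in login form", 4)]:
    ALARMS.append(("10.0.0.9", "10.0.3.7", sig, sev, 1, +1))
# benign noise from ordinary hosts
ALARMS += [
    ("10.0.1.20", "10.0.3.1", "ICMP echo request", 1, 0, -1),
    ("10.0.1.20", "10.0.3.1", "ICMP echo request", 1, 0, -1),
    ("10.0.1.21", "10.0.3.2", "HTTP long URI", 2, 0, -1),
    ("10.0.1.22", "10.0.3.3", "DNS unusual query type", 1, 0, -1),
    ("10.0.1.22", "10.0.3.4", "DNS unusual query type", 1, 0, -1),
    ("10.0.1.22", "10.0.3.3", "DNS unusual query type", 1, 0, -1),
    ("10.0.1.23", "10.0.3.5", "policy: P2P client", 2, 0, -1),
]

MAX_COUNT = 20   # constructed normalisation constants for the statistical features
MAX_DST = 10


def source_stats(alarms):
    """Associate alarms with their source IP: (alarm count, distinct destinations)."""
    count = defaultdict(int)
    dsts = defaultdict(set)
    for src, dst, *_ in alarms:
        count[src] += 1
        dsts[src].add(dst)
    return {src: (count[src], len(dsts[src])) for src in count}


def features(alarm, stats):
    """Mix single-alarm attributes with multi-alarm statistics for the source."""
    src, dst, sig, severity, vuln, *_ = alarm
    n, ndst = stats[src]
    return [
        severity / 5.0,                                    # single alarm: severity
        float(vuln),                                       # single alarm: hits a known vuln
        min(1.0, math.log1p(n) / math.log1p(MAX_COUNT)),   # multi-alarm: volume from source
        min(1.0, ndst / MAX_DST),                          # multi-alarm: spread over targets
    ]


def build_dataset(alarms=ALARMS):
    stats = source_stats(alarms)
    return [features(a, stats) for a in alarms], [a[5] for a in alarms]


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def train_svm(X, y, lam=0.01, lr=0.1, epochs=2000):
    """Full-batch subgradient descent on (lam/2)|w|^2 + mean hinge loss."""
    d, n = len(X[0]), len(X)
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        gw, gb = [lam * wi for wi in w], 0.0
        for x, yi in zip(X, y):
            if yi * (dot(w, x) + b) < 1:          # inside the margin: hinge is active
                for j in range(d):
                    gw[j] -= yi * x[j] / n
                gb -= yi / n
        w = [wi - lr * g for wi, g in zip(w, gw)]
        b -= lr * gb
    return w, b


def predict(w, b, x):
    return 1 if dot(w, x) + b >= 0 else -1


def accuracy(w, b, X, y):
    return sum(predict(w, b, x) == yi for x, yi in zip(X, y)) / len(y)


def filter_alarms(alarms, w, b):
    """The filtering step: keep only alarms the SVM scores as attack alarms."""
    stats = source_stats(alarms)
    return [a for a in alarms if predict(w, b, features(a, stats)) == 1]


if __name__ == "__main__":
    X, y = build_dataset()
    w, b = train_svm(X, y)
    print("training accuracy:", accuracy(w, b, X, y))
    print("alarms kept after filtering:", len(filter_alarms(ALARMS, w, b)))
```

The per-source statistics are what let the classifier use the attack process: a single "RPC overflow" alarm looks the same on its own, but the volume and destination spread of the source it belongs to differ sharply between a worm, a targeted tool and background noise.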
Keywords/Search Tags: attack process, attack analysis, intrusion detection, support vector machine, data mining