
Hybrid Intrusion Related Abnormal Flow Detection Algorithm And Simulation Research

Posted on: 2014-01-18
Degree: Master
Type: Thesis
Country: China
Candidate: F W Meng
Full Text: PDF
GTID: 2268330401976761
Subject: Systems Engineering

Abstract/Summary:
Intrusion detection technology is an important part of network security protection mechanisms. Network security has become a more serious problem in recent years: information security faces serious threats, and protection mechanisms face more severe challenges. As network attacks diversify and existing intrusion detection technologies show many problems, a single intrusion detection technology can no longer meet current security needs, because of low case-base search efficiency, the complexity of "training" anomaly detection models, the false positive rate of anomaly detection, and so on. The study of hybrid intrusion detection systems, and the continuous improvement of their detection performance, has therefore become a hot topic.

Based on the advantages and disadvantages of anomaly detection and misuse detection in current intrusion detection systems, this thesis presents an online flow anomaly detector, misuse detection based on CBR (case-based reasoning), and a hybrid intrusion detection system. Firstly, a case reduction algorithm based on mixed group optimisation is proposed; it reduces the search scale of the security case library and improves the detection performance of the CBR-based intrusion detection system. Secondly, exploiting the feature that related flows break flow equalization, a Related Flows-based Anomaly Detector is introduced. Finally, the hybrid intrusion detection system, demonstrated by a simulation example, is put forward, together with its specific deployment diagrams and the topology of the simulation environment. The details are as follows:

1. For the phenomenon that the case library grows so large that search performance falls, a case reduction algorithm is designed that clusters the case library with a group optimisation algorithm; each cluster forms a cluster centre. The search algorithm first locates the cluster and then searches within it. Finally, the algorithm is simulated from the point of view of the mixed group in terms of reduction accuracy, clustering results and search time. The experiment shows that, with a case library of fewer than 20K cases and the clustering accuracy maintained, the average search time is reduced by 33.5%, and the larger the case scale, the greater the reduction in search time.

2. For the problem of network related-flows anomaly detection, the thesis studies the basic elements and characteristics of network anomalies and, using the feature that related flows break flow equalization, designs a Related Flows-based Anomaly Detector for detecting abnormal flows. A relatively simple and effective statistical test is used to identify flows with strong correlation; the test is based on the assumption of independent flows through the links. Finally, the algorithm is simulated with respect to the anomaly triggering of the data contents, the performance of the test, and the time complexity of the related-flow computation. The experiment shows that the false alarm rate lies in the range 0.001~0.1. Compared with some other algorithms, the detection rate of this kind of algorithm increased by 28% on average.

3. For the design and implementation of intrusion detection systems, a hybrid intrusion detection system is put forward on the basis of the CBR system and the related-flows anomaly detector, and the two subsystems are described in detail. The specific deployment diagrams and the simulation environment topology of the hybrid system are stated. The usability of the detection system designed in this thesis is tested through simulation of detection rate, false alarm rate and stress.
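The cluster-first search described in item 1 can be illustrated in a few lines. The block below is an added example and not code from the thesis: the thesis clusters the case library with a "mixed group" optimisation algorithm, for which plain k-means is substituted here, and the attack signatures, feature vectors, labels and query are constructed toy data. What it shows is the search strategy itself: rank the cluster centres, then scan only the nearest cluster, and count how many distance evaluations that saves against an exhaustive scan of the library.

```python
"""Case-library reduction for CBR-based misuse detection.

Added illustration, not code from the thesis. The thesis clusters the case
library with a "mixed group" optimisation algorithm; plain k-means stands in
for it here, and the attack signatures, feature vectors and query below are
constructed toy data. The point demonstrated is the search strategy: locate
the nearest cluster centre first, then scan only that cluster."""
import math
import random
from typing import Dict, List, Sequence, Tuple

Case = Tuple[List[float], str]  # (feature vector, attack label)

# Constructed attack signatures: (packets/s, mean bytes per packet, SYN ratio).
# Real feature vectors should be scaled to comparable ranges before clustering.
SIGNATURES: Dict[str, Tuple[float, float, float]] = {
    "syn_flood": (900.0, 60.0, 0.95),
    "port_scan": (300.0, 64.0, 0.80),
    "http_flood": (400.0, 700.0, 0.10),
}


def build_case_library(n_cases: int = 60, seed: int = 1) -> List[Case]:
    """Constructed case library: cases jittered +/-5% around the signatures."""
    rng = random.Random(seed)
    labels = list(SIGNATURES)
    cases: List[Case] = []
    for i in range(n_cases):
        label = labels[i % len(labels)]  # interleave labels so the first k cases differ
        vec = [v * (1 + rng.uniform(-0.05, 0.05)) for v in SIGNATURES[label]]
        cases.append((vec, label))
    return cases


def distance(a: Sequence[float], b: Sequence[float]) -> float:
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class ClusteredCaseBase:
    """Case library partitioned by k-means; search probes cluster centres first."""

    def __init__(self, cases: List[Case], k: int = 3, iters: int = 25):
        self.cases = cases
        vectors = [v for v, _ in cases]
        dim = len(vectors[0])
        # Deterministic seeding with the first k vectors (the library interleaves labels).
        self.centers = [list(vectors[i]) for i in range(k)]
        self.members: List[List[int]] = [[] for _ in range(k)]
        for _ in range(iters):
            members: List[List[int]] = [[] for _ in range(k)]
            for idx, v in enumerate(vectors):
                nearest = min(range(k), key=lambda c: distance(v, self.centers[c]))
                members[nearest].append(idx)
            new_centers = [
                [sum(vectors[i][d] for i in m) / len(m) for d in range(dim)] if m else self.centers[c]
                for c, m in enumerate(members)
            ]
            self.members = members
            if new_centers == self.centers:  # converged: assignments no longer move
                break
            self.centers = new_centers

    def search(self, query: Sequence[float], probes: int = 1) -> Tuple[Case, int]:
        """Cluster-first search. Returns (best matching case, distance evaluations)."""
        order = sorted(range(len(self.centers)), key=lambda c: distance(query, self.centers[c]))
        evals = len(self.centers)  # one distance per cluster centre
        best, best_d = self.cases[0], math.inf
        for c in order[:probes]:
            for idx in self.members[c]:
                d = distance(query, self.cases[idx][0])
                evals += 1
                if d < best_d:
                    best, best_d = self.cases[idx], d
        return best, evals

    def full_scan(self, query: Sequence[float]) -> Tuple[Case, int]:
        """Baseline: exhaustive nearest-case search over the whole library."""
        best = min(self.cases, key=lambda case: distance(query, case[0]))
        return best, len(self.cases)


if __name__ == "__main__":
    base = ClusteredCaseBase(build_case_library(), k=3)
    query = [310.0, 66.0, 0.82]  # constructed observation resembling a port scan
    (case, label), evals = base.search(query)
    _, full_evals = base.full_scan(query)
    print(f"matched {label} with {evals} distance evaluations vs {full_evals} for a full scan")
```

With three well-separated signature groups the probed cluster holds a third of the library, so the search costs k centre distances plus one cluster's worth of case distances instead of the whole library; the `probes` parameter trades some of that saving for robustness when a query lies near a cluster boundary, which is the accuracy/time trade-off the thesis reports on.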
Keywords/Search Tags: hybrid intrusion detection related abnormal flow, hybrid clustering algorithm, unsupervised anomaly detection algorithm
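Item 2 of the abstract rests on one idea: if flows through the links are independent, their volumes should not move together, so a pair of links whose traffic is strongly correlated is "related" and breaks the equalization assumption. The block below is an added example, not the thesis's own detector. The thesis does not name its statistical test; Pearson correlation with a Fisher z-test against the independence null hypothesis is used here as one simple, standard choice, and the per-link byte counts per time window are constructed so that one pair is clearly related and the others are exactly uncorrelated.

```python
"""Related-flows detector: flag link pairs whose traffic volumes move together.

Added illustration, not the thesis's own code. Under the independence
assumption the Fisher-transformed correlation of two series is approximately
standard normal, so a large |z| rejects independence. The byte counts below
are constructed test data."""
import math
from itertools import combinations
from typing import Dict, List, Sequence, Tuple

# Constructed bytes-per-window for three links over eight windows.
# link_B follows link_A (a related flow); link_C is built to be exactly
# uncorrelated with both, i.e. it respects the independence assumption.
LINK_BYTES: Dict[str, List[float]] = {
    "link_A": [10, 30, 10, 30, 10, 30, 10, 30],
    "link_B": [21, 59, 19, 61, 21, 59, 19, 61],
    "link_C": [5, 5, 15, 15, 5, 5, 15, 15],
}


def pearson(x: Sequence[float], y: Sequence[float]) -> float:
    """Sample Pearson correlation; 0.0 when either series is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def fisher_z(r: float, n: int) -> float:
    """Fisher transform: under independence z ~ N(0, 1) for n > 3."""
    r = max(-0.999999, min(0.999999, r))  # guard atanh(+/-1) on perfectly collinear series
    return math.atanh(r) * math.sqrt(n - 3)


def related_flows(series: Dict[str, Sequence[float]],
                  z_threshold: float = 2.576) -> Dict[Tuple[str, str], float]:
    """Return link pairs whose correlation rejects independence.

    The default threshold 2.576 is the two-sided 1% point of N(0, 1); raising it
    lowers the false alarm rate at the cost of missing weaker related flows."""
    flagged: Dict[Tuple[str, str], float] = {}
    for a, b in combinations(sorted(series), 2):
        n = min(len(series[a]), len(series[b]))
        if n <= 3:
            continue  # too few windows for the approximation to hold
        z = fisher_z(pearson(series[a][:n], series[b][:n]), n)
        if abs(z) > z_threshold:
            flagged[(a, b)] = z
    return flagged


if __name__ == "__main__":
    for pair, z in related_flows(LINK_BYTES).items():
        print(f"related flows {pair[0]} <-> {pair[1]}: z = {z:.2f}")
```

On the constructed data only `("link_A", "link_B")` is flagged: its correlation is just under 1 and yields a z-score around 8, while `link_C` has zero covariance with both other links and a z-score of exactly 0. In a deployment the series would be sliding windows of per-link counters, and the threshold is the knob that sets the false alarm rate the abstract quotes.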