
The Research Of Alert Fusion In Intrusion Detection System

Posted on: 2015-03-24
Degree: Master
Type: Thesis
Country: China
Candidate: W W Cao
Full Text: PDF
GTID: 2268330425488894
Subject: Computer Science and Technology

Abstract/Summary:
As the internet and computers become widespread, the information transmitted over networks touches every walk of life, and network security has become a focus of attention. Static defence methods such as firewall isolation and network access control can no longer satisfy current needs, so the intrusion detection system (IDS), which actively detects and reports unsafe behaviour, has emerged to meet them.

In practice, however, most IDSs share the following defects: a high false negative rate, a high false positive rate and a large number of repeated alarms, and these cannot be avoided, which is why alarm fusion technology has been proposed. The purpose of alarm fusion is to lower the false negative rate, reduce the false positive rate and reduce duplicated alarms. Through alarm fusion the administrator can clearly see how the network is developing. However, most current alarm fusion methods focus only on reducing duplicate alarms; there is little research on reducing the false negative (non-response) and false positive rates. In this paper we present a new fusion algorithm that solves the above problems to some degree: it reduces the false negative rate and the false positive rate while keeping the detection rate, as verified on the KDD99 data set. Finally, for the repeated-alarm problem, we also propose a dynamic time threshold alarm fusion algorithm that adjusts the time threshold dynamically according to the alarm volume, which brings the model closer to the real situation.

This paper studies the following items:

(1) Analyze the structural characteristics of current IDSs and the popular intrusion detection techniques (IDT). Research in detail the principle, classification and specific detection methods of IDT, and finally look ahead to the future of IDT.

(2) Discuss and analyze in depth the four main kinds of alarm fusion technology, summarizing the pros and cons of each. Analyze the problems currently existing in fusion technology and put forward ideas for improvement.

(3) Integrate the idea of support vector data description (SVDD), a one-class support vector machine (SVM), into alarm fusion, combined with simulated annealing (SA). The new algorithm not only eliminates redundant features and reduces the interference of irrelevant attributes, but also reduces the alarm false negative rate and lowers the false positive rate by using several classifiers to detect intrusions and a central decision component to make the final decision.

(4) Because of the particular nature of the time attribute in alarm information, this paper presents a new alarm fusion algorithm based on a dynamic time threshold. The time threshold is adjusted dynamically according to the alarm volume, and through this method the number of alarms is greatly reduced.

Finally, the paper gives a brief summary and analysis of all the work and presents the main directions for future work.
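The dynamic time threshold fusion of item (4), as an added illustration that is not part of the thesis: repeated alarms with the same signature, source and destination are merged while they arrive within a window, and the window shrinks as the recent alarm volume rises, so a burst does not pull unrelated later alarms into one record. The thesis does not state its adjustment rule, so the rule used here (window = base_window * rate_ref / recent count, floored at min_window), the field names and the sample alarms are assumptions.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Alert:
    ts: float   # arrival time in seconds
    sig: str    # detector signature / rule id
    src: str    # source address
    dst: str    # destination address


@dataclass
class FusedAlert:
    sig: str
    src: str
    dst: str
    first: float   # time of the first merged alarm
    last: float    # time of the most recent merged alarm
    count: int = 1


def dynamic_window(n_recent, base_window, min_window, rate_ref):
    """Assumed rule: keep base_window while at most rate_ref alarms arrived in the
    last base_window seconds; shrink in proportion above that, never below min_window."""
    return max(min_window, base_window * rate_ref / max(n_recent, rate_ref))


def fuse_alerts(alerts, base_window=60.0, min_window=5.0, rate_ref=10):
    recent = deque()      # timestamps of alarms seen in the last base_window seconds
    open_by_key = {}      # (sig, src, dst) -> FusedAlert currently accepting merges
    fused = []
    for a in sorted(alerts, key=lambda x: x.ts):
        recent.append(a.ts)
        while recent and a.ts - recent[0] > base_window:
            recent.popleft()
        window = dynamic_window(len(recent), base_window, min_window, rate_ref)
        key = (a.sig, a.src, a.dst)
        cur = open_by_key.get(key)
        if cur is not None and a.ts - cur.last <= window:
            cur.count += 1          # duplicate within the current window: merge
            cur.last = a.ts
        else:
            cur = FusedAlert(a.sig, a.src, a.dst, a.ts, a.ts)
            open_by_key[key] = cur
            fused.append(cur)
    return fused


# Constructed sample: a 30-alarm burst of one signature, then two alarms of a
# second signature 25 s apart. With the dynamic window the burst shrinks the
# window below 25 s, so the two SID-2 alarms stay separate (3 fused records).
SAMPLE = [Alert(float(t), "SID-1", "10.0.0.5", "10.0.0.9") for t in range(30)]
SAMPLE += [Alert(30.0, "SID-2", "10.0.0.7", "10.0.0.9"),
           Alert(55.0, "SID-2", "10.0.0.7", "10.0.0.9")]
```

Passing a very large `rate_ref` disables the adjustment and reproduces a fixed 60 s window, which merges the two SID-2 alarms into one record.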
Keywords/Search Tags: intrusion detection system, support vector data description, simulated annealing, alarm fusion technology, dynamic time threshold