
Improvement And Implementation Of Intrusion Detection System Based On Snort

Posted on: 2016-08-10
Degree: Master
Type: Thesis
Country: China
Candidate: P W Lei
Full Text: PDF
GTID: 2298330467992124
Subject: Information security
Abstract/Summary:
With the rapid development of information networks, the way people live and work has moved to more efficient modes. Openness and interconnection, the defining features of the Internet, give it natural advantages of speed and reach that have greatly stimulated economic, cultural and intellectual development. However, as people in many fields depend on networks more and more heavily, the problem of information security becomes more prominent. Because network data is so valuable, information security has become the focus of many research organisations and network security companies, and knowing how to secure information networks and to screen out and prevent attacks and intrusions is extremely urgent. Against this background, many kinds of intrusion detection systems (IDS) have appeared. The earliest and best known of them is Snort[1], written by Martin Roesch. Snort effectively protects information systems and is given great weight in the network security field. However, as its fields of application and users' demands have expanded, Snort has also shown some defects. As a network intrusion detection system (NIDS) based on misuse detection, Snort relies solely on its rule base: every packet, including the large share of traffic that is normal, has to be matched against the rules one by one, which makes it easy to misjudge some normal behaviour. This defect raises both the false-positive and the false-negative rate. The rules are stored as text files and cannot be adjusted dynamically to the actual state of the network, which lowers detection efficiency.
In addition, Snort's signature matching reports every detected attack immediately, which makes an alert flood easy to trigger, burying the real intrusion events. This research follows the trends and requirements of network security. Building on a thorough understanding of Snort IDS and addressing the three points above, the design implements an improved, multi-module, high-performance Snort intrusion detection system. The system makes full use of Snort's open source code and flexibility and adds three function modules to the original Snort (an abnormal behaviour detection module, a dynamic rule optimisation module and an alert-flood suppression module), each aimed at one defect of the Snort IDS. The abnormal behaviour detection module filters out normal traffic, reducing the workload of the Snort rule detection engine. The dynamic optimisation module adjusts the order of the rules in the rule files according to the actual network environment. The alert-flood suppression module effectively resolves the alert-flood phenomenon. At the same time, the system integrates popular data mining techniques into the improvement process. This paper studies the K-means clustering algorithm in depth and proposes an improved K-means algorithm that targets its two defects: the difficulty of estimating the value of K and the sensitivity to the initial cluster centres. The improved algorithm uses a validity measure of K as the criterion for fixing K, and a dynamic cluster-centre procedure to determine the initial centres, reducing the number of clustering iterations and giving a stable clustering result, thereby improving clustering performance.
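The alert-flood suppression module described above, as an added example that is not part of the thesis's code: Snort 2.x already provides this kind of rate limiting in snort.conf through `event_filter` (types limit, threshold and both, tracked by source or destination) and through the per-rule `detection_filter` option. The Python below reimplements the three event_filter types over a constructed alert burst so the effect of each can be compared. The alert fields, signature IDs, addresses and timestamps are made up for the example.

```python
"""Added example: Snort-style event_filter semantics for alert-flood suppression."""
from collections import defaultdict


class EventFilter:
    """Rate-limits alerts per (sid, tracked address) over a fixed time window.

    type 'limit':     log the first `count` alerts in each window, drop the rest
    type 'threshold': log every `count`-th alert in the window
    type 'both':      log once per window, when the `count`-th alert arrives
    """

    def __init__(self, ftype, track, count, seconds):
        if ftype not in ("limit", "threshold", "both") or track not in ("by_src", "by_dst"):
            raise ValueError("bad event_filter parameters")
        self.ftype, self.track, self.count, self.seconds = ftype, track, count, seconds
        self._window = {}                # key -> (window_start, alerts_seen_in_window)
        self.dropped = defaultdict(int)  # key -> suppressed alerts, kept for reporting

    def _key(self, alert):
        return (alert["sid"], alert["src"] if self.track == "by_src" else alert["dst"])

    def allow(self, alert):
        """Return True if the alert should be logged, False if suppressed."""
        key = self._key(alert)
        start, seen = self._window.get(key, (None, 0))
        if start is None or alert["ts"] - start >= self.seconds:
            start, seen = alert["ts"], 0         # open a new window
        seen += 1
        self._window[key] = (start, seen)
        if self.ftype == "limit":
            ok = seen <= self.count
        elif self.ftype == "threshold":
            ok = seen % self.count == 0
        else:                                    # both
            ok = seen == self.count
        if not ok:
            self.dropped[key] += 1
        return ok


def make_burst():
    """Constructed alert stream (not real Snort output): one host trips sid 2001 once a
    second for 100 s, and an unrelated sid 3002 alert arrives in the middle."""
    alerts = [{"ts": 1000 + i, "sid": 2001, "src": "10.0.0.5", "dst": "10.0.0.1"}
              for i in range(100)]
    alerts.append({"ts": 1050, "sid": 3002, "src": "10.0.0.9", "dst": "10.0.0.1"})
    return sorted(alerts, key=lambda a: a["ts"])


def suppress(alerts, filters):
    """filters: {sid: EventFilter}. Alerts whose sid has no filter pass through."""
    return [a for a in alerts if a["sid"] not in filters or filters[a["sid"]].allow(a)]


def demo(ftype, count=10, seconds=30):
    """Run one filter type over the burst; return (kept sid 2001, kept sid 3002, dropped)."""
    f = EventFilter(ftype, "by_src", count, seconds)
    kept = suppress(make_burst(), {2001: f})
    n2001 = sum(a["sid"] == 2001 for a in kept)
    n3002 = sum(a["sid"] == 3002 for a in kept)
    return n2001, n3002, sum(f.dropped.values())


if __name__ == "__main__":
    for t in ("limit", "threshold", "both"):
        print(t, demo(t))   # 30 s windows: the 100 sid-2001 alerts become 40 / 10 / 4
```

Whichever type is chosen, keep the per-key count of what was suppressed (here `dropped`): the point of suppression is to stop a flood from burying other events, not to erase evidence of how large the flood was. The unrelated sid 3002 alert survives every setting because filtering is keyed by signature and address.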
The abnormal behaviour detection module of the intrusion detection system uses a database of normal behaviour patterns built with this algorithm, improving the detection performance of the system. Finally, the design completes the construction of the system and the implementation of its functions, and its performance is tested with the kddcup.data_10_percent subset of the KDD Cup 1999 data, comparing each performance index of the traditional Snort intrusion detection system with that of the improved system. The experimental results show that the improved Snort intrusion detection system has clearly better detection performance.
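The abnormal behaviour detection module and the automatic choice of K described above, as an added illustration rather than the thesis's implementation: the pure-Python block below clusters a constructed sample of benign connection records with K-means, picks K with the Davies-Bouldin validity index instead of fixing it by hand, uses a deterministic farthest-first rule for the initial centres (a stand-in, since the abstract does not spell out the thesis's own rule), and then routes new records: those that fall inside a learned normal cluster are skipped, the rest go on to the signature engine. The three features, the tolerance factor and the sample data are assumptions made for the example.

```python
"""Added example: K-means normal-behaviour prefilter in front of a signature engine."""
import math

# Constructed training sample (not KDD Cup data): benign sessions as
# (bytes_sent, bytes_received, duration_s), two groups: interactive and bulk download.
NORMAL_TRAINING = [
    (120, 300, 1), (130, 280, 2), (110, 320, 1), (140, 310, 2), (125, 290, 1),
    (900, 50000, 30), (950, 52000, 28), (880, 49000, 31), (920, 51000, 29), (910, 50500, 30),
]


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _farthest_first(points, k):
    """Deterministic initial centres: the first point, then repeatedly the point farthest
    from the centres chosen so far (assumed rule, not the thesis's)."""
    centres = [points[0]]
    while len(centres) < k:
        centres.append(max(points, key=lambda p: min(_dist(p, c) for c in centres)))
    return centres


def kmeans(points, k, max_iter=100):
    """Plain Lloyd iteration; returns (centres, clusters)."""
    centres = _farthest_first(points, k)
    clusters = [[] for _ in range(k)]
    for _ in range(max_iter):
        clusters = [[] for _ in range(k)]
        for p in points:
            clusters[min(range(k), key=lambda i: _dist(p, centres[i]))].append(p)
        new = [tuple(sum(col) / len(cl) for col in zip(*cl)) if cl else centres[i]
               for i, cl in enumerate(clusters)]
        if new == centres:          # assignments stable, so the means are identical
            break
        centres = new
    return centres, clusters


def davies_bouldin(centres, clusters):
    """Validity index (lower is better): mean over clusters of the worst ratio of
    summed within-cluster scatter to between-centre distance."""
    scatter = [sum(_dist(p, c) for p in cl) / len(cl) if cl else 0.0
               for c, cl in zip(centres, clusters)]
    k, total = len(centres), 0.0
    for i in range(k):
        ratios = [(scatter[i] + scatter[j]) / _dist(centres[i], centres[j])
                  for j in range(k) if j != i and _dist(centres[i], centres[j]) > 0]
        total += max(ratios, default=0.0)
    return total / k


class NormalBehaviourFilter:
    """Learns clusters of normal traffic, then decides which records the rules must see."""

    def __init__(self, k_max=4, slack=1.5):
        self.k_max = k_max      # largest K tried
        self.slack = slack      # tolerance multiplier on each cluster's training radius
        self.k = None

    def _scale(self, rec):      # min-max scale with the training ranges
        return tuple((v - lo) / sp for v, lo, sp in zip(rec, self._lo, self._span))

    def fit(self, records):
        cols = list(zip(*records))
        self._lo = [min(c) for c in cols]
        self._span = [(max(c) - lo) or 1.0 for c, lo in zip(cols, self._lo)]
        pts = [self._scale(r) for r in records]
        # Choose K by the validity index over 2..k_max instead of guessing it.
        fits = {k: kmeans(pts, k) for k in range(2, min(self.k_max, len(pts) - 1) + 1)}
        self.k = min(fits, key=lambda k: davies_bouldin(*fits[k]))
        self.centres, clusters = fits[self.k]
        # Cluster radius = farthest training member; beyond slack * radius is not normal.
        self.radius = [max(_dist(p, c) for p in cl) if cl else 0.0
                       for c, cl in zip(self.centres, clusters)]
        return self

    def is_normal(self, rec):
        p = self._scale(rec)
        i = min(range(self.k), key=lambda j: _dist(p, self.centres[j]))
        return _dist(p, self.centres[i]) <= self.slack * self.radius[i]

    def route(self, records):
        """Split a batch into (skipped_as_normal, forwarded_to_signature_engine)."""
        skipped = [r for r in records if self.is_normal(r)]
        forwarded = [r for r in records if not self.is_normal(r)]
        return skipped, forwarded


if __name__ == "__main__":
    f = NormalBehaviourFilter().fit(NORMAL_TRAINING)
    print("chosen K:", f.k)
    batch = [(115, 305, 1), (930, 51500, 30), (120, 300, 600), (50000, 100, 1)]
    skipped, forwarded = f.route(batch)
    print("skipped as normal:", skipped)
    print("forwarded to the rules:", forwarded)
```

Because the prefilter drops records before the rules ever see them, its tolerance (`slack`) trades rule-engine load against attacks that happen to resemble a normal session; such a record never reaches the signature engine, so the training set and the tolerance should be checked against the rule hits they suppress before the filter is trusted. Note also that the KDD Cup 1999 data used for the evaluation contains a large proportion of duplicate records, so detection rates measured on it do not transfer directly to live traffic.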
Keywords/Search Tags: intrusion detection, snort, data mining, k-means, high performance