
Research On Intrusion Detection Based On Statistical Feature

Posted on: 2016-05-23
Degree: Master
Type: Thesis
Country: China
Candidate: K M Song
Full Text: PDF
GTID: 2308330473965517
Subject: Information security
Abstract/Summary:
With the advent of the information age, modern society has become increasingly dependent on the Internet, and network security has received growing attention. Traditional network security technology cannot meet the demands of rapidly developing networks. As an active security technology, intrusion detection has become a hot research field at home and abroad, and application-layer traffic identification is the key to detecting application-layer intrusions in an intrusion detection system (IDS).

This thesis analyzes the deficiencies of existing IDSs and traffic identification techniques, and uses two methods, probability statistics and support vector machines (SVM), to model features extracted from the dynamic flow. An IDS is then proposed that combines deep packet inspection with dynamic flow inspection. The major work is summarized as follows:

Through analysis of current common network session traffic, the key features are extracted, and different statistical features combined with a probabilistic model are designed to describe the different features of network sessions from various applications. The relative entropy algorithm is used to analyze the similarity between two kinds of sessions, and the identification result is decided by a threshold value. By analyzing the factors that affect the relative entropy values, the thesis proposes an algorithm for filtering the statistical features of specific applications.

Given the excellent performance of support vector machines in machine learning, an approach that uses multi-class SVM to model statistical features is proposed, and the directed acyclic graph support vector machine is optimized. An intrusion detection model that uses SVM to classify statistical features is designed, and the experimental results show that this method detects faster without sacrificing accuracy.

A phased intrusion detection model is designed. First, the model performs an initial filtering of network traffic using deep packet inspection based on field matching, and then performs fine-grained detection using flow identification based on statistical features. The model is implemented on the Linux platform, and the experimental results show that, after optimization by the deep packet inspection engine and the feature selection algorithm, the recognition rate and throughput of the system are competitive to a certain degree.
Keywords/Search Tags: Intrusion detection system, statistical features, relative entropy, SVM
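
The relative-entropy comparison with a threshold decision that the abstract describes can be sketched as follows. This is an added example, not code from the thesis: the packet-size bins used as the statistical feature, the Laplace smoothing, the 0.5-bit threshold, and the "interactive" and "bulk" sessions are all constructed assumptions.

```python
import math

# Assumed feature: packet-size bins (upper bounds in bytes); the thesis's own
# feature set is not given on this page.
BINS = (64, 128, 256, 512, 1024, 1500)

def distribution(sizes, alpha=1.0):
    """Laplace-smoothed probability of each packet-size bin for one session."""
    counts = [0] * len(BINS)
    for s in sizes:
        idx = next((i for i, ub in enumerate(BINS) if s <= ub), len(BINS) - 1)
        counts[idx] += 1
    total = len(sizes) + alpha * len(BINS)
    return [(c + alpha) / total for c in counts]

def relative_entropy(p, q):
    """D(P||Q) = sum_i p_i * log2(p_i / q_i), in bits; smoothing keeps q_i > 0."""
    return sum(pi * math.log2(pi / qi) for pi, qi in zip(p, q))

def identify(sizes, profiles, threshold):
    """Return (label, scores): nearest profile, or 'unknown' above the threshold."""
    p = distribution(sizes)
    scores = {app: relative_entropy(p, q) for app, q in profiles.items()}
    best = min(scores, key=scores.get)
    return (best if scores[best] <= threshold else "unknown"), scores

# Constructed reference sessions (not data from the thesis).
PROFILES = {
    "interactive": distribution([60, 64, 70, 90, 64, 120, 80, 64, 100, 66, 72, 64]),
    "bulk": distribution([1500, 1500, 1460, 1500, 64, 1500, 1400, 1500, 1500, 64, 1500, 1500]),
}
THRESHOLD = 0.5  # assumed cut-off in bits; in practice tuned on labelled traffic

# Constructed observed sessions.
OBSERVED = {
    "s1": [64, 64, 80, 100, 64, 90, 70, 64],
    "s2": [1500, 1500, 1500, 64, 1460, 1500, 1500, 1500],
    "s3": [300, 400, 500, 350, 450, 300, 480, 512],
}

if __name__ == "__main__":
    for name, sizes in OBSERVED.items():
        label, scores = identify(sizes, PROFILES, THRESHOLD)
        print(name, label, {a: round(d, 3) for a, d in scores.items()})
```

Session s3 diverges from both profiles by about 2 bits, so the threshold reports it as unknown instead of forcing it into the nearest known application.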