
Research And Design Of Scenario Intrusion Detection Based On Sequential Pattern Mining And PN Machine

Posted on: 2017-05-18
Degree: Master
Type: Thesis
Country: China
Candidate: H Y Luo
Full Text: PDF
GTID: 2308330485483412
Subject: Computer technology
Abstract/Summary:
The rapid development of information technology has brought with it many network security threats. Network attacks with varied purposes are increasingly frequent and lead to information leakage and property loss, particularly in recent years with the OpenSSL Heartbleed vulnerability and various zero-day vulnerabilities. Intrusion detection has become a major problem that society needs to solve. Attack methods have shifted from network attacks at the transport protocol layer to application-layer R2L (remote to local) and U2R (user to root) attacks, which use vulnerabilities of all kinds and Trojans to gain access and privileges. In these attacks the data captured at the network layer looks normal; what matters is the order of events, because messages or commands issued in a certain order constitute the attack. In addition, small changes to an attack sequence produce many new variant attacks, which defeat intrusion detection based on pattern matching. Detecting application-layer U2R and R2L attacks and their variants, with a more rigorous description of the attack and more accurate detection, has become one of the key points and difficulties of current intrusion detection.

To address the deficiencies of current intrusion detection methods for application-layer U2R and R2L attacks, this thesis studies intrusion detection mechanisms. The work accomplished is as follows.

Attack sequences are mined from attack data, and a known attack sequence together with its variants and derived attacks is organized into one class of attack, forming an intrusion scenario. On this basis, an intrusion detection technique based on scenario sequential patterns and a PN (Petri Net) machine model is proposed.

After the raw data is preprocessed, sessions are reassembled through application-layer protocol analysis to restore the intent of the attack. Protocol features that distinguish an intrusion are extracted and used as the input to sequential pattern mining, which yields frequent attack sequences. The internal relationship between the attack process and the state changes of the attacked object is studied, and a strategy is designed to obtain the key attack sequences. The key attack sequences undergo equivalent transformation and topological sorting, so that all variants and derived attacks of an attack are organized into one scenario, extending it into a scenario, or class, of intrusions. An intrusion expression is then constructed, and its operation behavior expression is converted into a PN machine, so that attack sequences can be described and detected concurrently. The method can detect an application-layer attack sequence whose characteristic features appear only once, and it addresses the problem of detecting unknown attack variants.

Experiments with the CPN Tools simulation tool show that, by mining attack sequences from application-layer session data and building and testing a scenario-based PN machine for a class of intrusions, the method achieves the goal of detecting an attack sequence whose signature occurs only once. Because an unknown variant is a new form of attack, the method detects both known attacks and their unknown variants, and in this sense it can detect new attacks. In terms of model complexity, it also reduces the complexity of Petri nets for intrusion detection and eases the complexity of state combination, making the characterization of attacks more precise and their detection and expression more accurate.
Keywords/Search Tags:Attack Sequence, Equivalent transformation, Topological sorting, Intrusion scenario, Operation behavior expression, PN machine
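
The following is an added illustration, not code from the thesis (which reports simulation in CPN Tools): it shows how a scenario stored as a partial order of events can be turned into a small Petri net that accepts every topological ordering of those events, so an unseen reordering of a known attack sequence is still detected from a single occurrence. The `ScenarioNet` class, the event labels and the sample sessions are constructed assumptions.

```python
from collections import Counter

class ScenarioNet:
    """Petri net built from a partial order over event labels (hypothetical helper)."""

    def __init__(self, events, before):
        # before: list of (u, v) pairs meaning event u must occur before event v
        self.pre = {e: [] for e in events}    # input places of each transition
        self.post = {e: [] for e in events}   # output places of each transition
        for u, v in before:
            self.post[u].append(("edge", u, v))
            self.pre[v].append(("edge", u, v))
        self.initial, self.final = Counter(), []
        for e in events:
            if not self.pre[e]:               # source event: enabled from the start
                self.pre[e].append(("start", e))
                self.initial[("start", e)] = 1
            if not self.post[e]:              # sink event: its token marks completion
                self.post[e].append(("done", e))
                self.final.append(("done", e))

    def detect(self, session):
        """Replay one session's events; True if every final place gets marked."""
        marking = Counter(self.initial)
        for event in session:
            pre = self.pre.get(event)
            if pre is None or any(marking[p] < 1 for p in pre):
                continue                      # unrelated or not yet enabled: no firing
            for p in pre:
                marking[p] -= 1
            for p in self.post[event]:
                marking[p] += 1
        return all(marking[p] >= 1 for p in self.final)

# Constructed scenario: after auth, write_file and change_env may occur in
# either order, and run_file needs both (labels are illustrative assumptions).
SCENARIO = ScenarioNet(
    ["auth", "write_file", "change_env", "run_file"],
    [("auth", "write_file"), ("auth", "change_env"),
     ("write_file", "run_file"), ("change_env", "run_file")],
)

if __name__ == "__main__":
    print(SCENARIO.detect(["auth", "write_file", "change_env", "run_file"]))  # known order
    print(SCENARIO.detect(["auth", "ls", "change_env", "write_file", "run_file"]))  # variant
    print(SCENARIO.detect(["auth", "write_file", "run_file"]))  # incomplete
```

A fixed-string signature for the first ordering would miss the second session; the net accepts both because the two middle events are concurrent in the partial order.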