
Researches On Efficient Real-time Provenance Based Intrusion Detection

Posted on: 2018-10-11
Degree: Master
Type: Thesis
Country: China
Candidate: Z Z Shi
Full Text: PDF
GTID: 2348330566951625
Subject: Computer Science and Technology
Abstract/Summary:
With the development of Internet technology, the problem of information security has gradually attracted attention, so intrusion detection plays a vital role. However, existing intrusion detection systems lack sufficient semantic analysis of the data: judgments based on a single data item give a low detection rate and leave the possibility of false detection, which increases the burden on the security administrators who analyze the data. Provenance-based intrusion detection systems handle a large amount of data and detection takes a long time, so an intrusion cannot be determined in a timely way. To solve these problems, an optimization of the provenance-based intrusion detection system is proposed to improve its efficiency and real-time performance. The system adds an intercept function to the collection stage so that only information related to intrusion detection is collected, which accelerates collection and reduces storage space. To address the low detection rate and high false-positive rate, a method combining graph and path is proposed: instead of considering only a single path, it uses the provenance graph together with a path algorithm, which avoids interference by intruders and makes the results more accurate; the rule database is updated in real time when the detection result is normal, and an alarm is output when the result is abnormal. Because the rule database contains a large amount of repeated information, a coding method is used to compress it. Experimental results show that, compared with a detection system based on provenance paths, the system reduces storage space by 78%~80%, reduces detection time by 42%~71% and increases the accuracy rate by 5%~7%; compared with a detection system based on system calls, it reduces storage space by 73%~92%, reduces detection time by 46%~75% and increases the accuracy rate by 8%~35%. The system's space overhead is also within an acceptable range.
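The abstract names three mechanisms without giving their details: an intercept at collection time, detection over the provenance graph rather than over a single path, and a coded rule database. The Python below is an added illustration of those three ideas and is not the thesis's code or algorithm; the event records, the relation names, the `SENSITIVE` set, and the two signature definitions (fork lineage as the "path", full information-flow ancestry as the "graph") are constructed assumptions chosen to show why the graph view can flag a write that the path view accepts.

```python
from collections import defaultdict

# Constructed provenance events (subject, relation, object) in arrival order.
# Node ids carry a "#n" suffix so repeated program names are distinct nodes.
# Illustrative records only, not data from the thesis.
EVENTS = [
    ("init#1", "fork", "sshd#2"),
    ("sshd#2", "fork", "bash#3"),
    ("bash#3", "fork", "vim#4"),
    ("vim#4", "stat", "/etc/hosts"),                # noise the intercept drops
    ("vim#4", "write", "/etc/hosts"),               # administrator edit: normal
    ("init#1", "fork", "cron#5"),
    ("cron#5", "fork", "backup.sh#6"),
    ("backup.sh#6", "read", "/etc/hosts"),
    ("backup.sh#6", "write", "/var/backup/hosts"),  # scheduled backup: normal
    ("backup.sh#6", "close", "/var/backup/hosts"),  # noise the intercept drops
    ("init#1", "fork", "sshd#7"),                   # training prefix ends above
    ("sshd#7", "fork", "bash#8"),
    ("bash#8", "read", "/tmp/downloaded.sh"),       # extra input into the chain
    ("bash#8", "fork", "vim#9"),
    ("vim#9", "write", "/etc/hosts"),               # same fork chain as vim#4
]
TRAIN_END = 10                      # EVENTS[:TRAIN_END] is the known-normal prefix
SENSITIVE = {"/etc/hosts", "/var/backup/hosts"}   # assumed watch list
KEEP_RELATIONS = {"fork", "exec", "read", "write"}


def intercept(events, keep=KEEP_RELATIONS):
    """Collection-stage intercept: only relations useful for detection are stored."""
    return [e for e in events if e[1] in keep]


def label(node):
    return node.split("#")[0]


def add_event(event, flow, fork_parent):
    """flow[n] holds the nodes that information flowed into n from: a read
    points file -> reader, every other relation points subject -> object."""
    subj, rel, obj = event
    if rel == "read":
        flow[subj].add(obj)
    else:
        flow[obj].add(subj)
    if rel == "fork":
        fork_parent[obj] = subj


def lineage(proc, fork_parent):
    """Single path: labels along the fork chain from the root down to proc."""
    chain = [proc]
    while chain[-1] in fork_parent:
        chain.append(fork_parent[chain[-1]])
    return tuple(label(n) for n in reversed(chain))


def ancestors(node, flow):
    """Graph view: labels of every node with an information-flow path into node."""
    seen, stack = set(), [node]
    while stack:
        for p in flow.get(stack.pop(), ()):
            if p not in seen:
                seen.add(p)
                stack.append(p)
    return frozenset(label(n) for n in seen)


def signature(event, mode, flow, fork_parent):
    subj, rel, obj = event
    if mode == "path":
        return lineage(subj, fork_parent) + (rel, obj)
    return (lineage(subj, fork_parent), ancestors(subj, flow), rel, obj)


def run(events, mode, rules=None, learn=False, sensitive=SENSITIVE):
    """Stream events and sign each write to a sensitive object against the
    provenance seen so far. A known signature is normal; an unknown one
    extends the rule database in learning mode and raises an alarm otherwise."""
    rules = set() if rules is None else rules
    flow, fork_parent, alarms = defaultdict(set), {}, []
    for ev in events:
        add_event(ev, flow, fork_parent)
        if ev[1] != "write" or ev[2] not in sensitive:
            continue
        sig = signature(ev, mode, flow, fork_parent)
        if sig in rules:
            continue
        if learn:
            rules.add(sig)
        else:
            alarms.append(ev)
    return alarms, rules


def detect(mode):
    """Learn rules from the normal prefix, then detect over the whole stream."""
    _, rules = run(intercept(EVENTS[:TRAIN_END]), mode, learn=True)
    alarms, _ = run(intercept(EVENTS), mode, rules)
    return alarms, rules


def flatten(sig):
    for part in sig:
        if isinstance(part, str):
            yield part
        else:  # lineage tuple keeps its order; ancestor sets are sorted
            yield from (sorted(part) if isinstance(part, frozenset) else part)


def encode_rules(rules):
    """Dictionary-encode the rule database: each distinct label gets a one-byte
    code, so a label repeated across rules is stored once. Returns the raw
    character count, the encoded size (codes plus dictionary) and the codes."""
    labels = sorted({s for sig in rules for s in flatten(sig)})
    code = {lab: i for i, lab in enumerate(labels)}
    encoded = [tuple(code[s] for s in flatten(sig)) for sig in rules]
    raw = sum(len(s) for sig in rules for s in flatten(sig))
    packed = sum(len(e) for e in encoded) + sum(len(lab) for lab in labels)
    return raw, packed, encoded


if __name__ == "__main__":
    for mode in ("path", "graph"):
        alarms, rules = detect(mode)
        raw, packed, _ = encode_rules(rules)
        print(f"{mode:5}: alarms={alarms} rules={len(rules)} db {raw}->{packed} bytes")
```

Run stand-alone, the path mode accepts the second write to `/etc/hosts` because its fork chain matches the learned rule, while the graph mode alarms because `/tmp/downloaded.sh` appears in the writer's ancestry. The encoding figures show the caveat a practitioner should expect: with only two path rules the dictionary overhead outweighs the savings, and compression pays off only once labels repeat across many rules, as the abstract states for its large rule database.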
Keywords/Search Tags: Intrusion Detection, Provenance Information, Rule Database