
Research On Intrusion Detection System Based On Adaptive Multi-mask Sampling

Posted on: 2018-03-10
Degree: Master
Type: Thesis
Country: China
Candidate: K P Guo
GTID: 2358330515957126
Subject: Computer Science and Technology

Abstract/Summary:
As networks develop, network security is becoming more and more challenging. Increasingly complex network intrusion methods have made research on intrusion detection technology highly valued by the international community. Although intrusion detection technology has developed rapidly in recent years, the false positive rate, the detection rate, and the collection, storage and analysis of massive data flows remain key issues constraining its development. A study of the structure of intrusion detection systems shows that the components with the greatest influence on system accuracy are the data collection module and the data detection module. In-depth research on the data collection module shows that the multi-mask sampling algorithm has strong randomness and is able to reduce the flow, but its fixed sampling rate makes it hard to adapt to the demands of today's changeable high-speed networks. In-depth research on the data detection module shows that intrusion detection systems based on the k-nearest neighbor algorithm and those based on the one-class support vector machine (OC-SVM) each have their own advantages and disadvantages in false positive rate and detection rate. To solve these problems, two improvements are proposed in this thesis.

(1) To address the fixed sampling ratio of the multi-mask sampling algorithm, we propose an adaptive multi-mask sampling algorithm built on it. First, a maximum and a minimum threshold are set. When link traffic increases sharply, if the number of samples captured in a certain period of time is larger than the maximum threshold, the algorithm reduces the sampling rate to avoid occupying too much bandwidth, computing resources and storage resources; if the number of samples captured in a certain period of time is smaller than the minimum threshold, the algorithm increases the sampling rate to enhance the system's awareness of the network in its steady state. NS-2 simulation software is used to build a local area network and add a variety of traffic. At a certain moment, more services are added in the application layer to instantly increase the link traffic, and a counter is set to record the number of data packets collected; at a later moment, services in the application layer are reduced to instantly reduce the link traffic. Experiments carried out with the improved algorithm show that the improvement is effective and feasible.

(2) To address the problems of high false positive rate and false detection rate, this thesis proposes a new intrusion detection method based on the k-nearest neighbor method and the one-class support vector machine (OC-SVM). After screening by the k-nearest neighbor detection module, the data collected by the data collection module is divided into two groups, normal data and abnormal data. Because the k-nearest neighbor method has a low detection rate, the normal data group still contains a lot of abnormal data that was not detected. This normal data group is then used as the input of a one-class support vector machine. Due to its high detection rate, most of the missed abnormal data can be detected. We use MATLAB to carry out the experiments, select the training data set and test data set from the KDD CUP99 public data sets, and build a model by training on the training data set. Finally, the model is used to predict on the selected test data set, and it is verified that the new method has a high detection rate and a low false positive rate.
Keywords/Search Tags:intrusion detection, sampling algorithm, one-class support vector machine, k-nearest neighbor algorithm
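The threshold feedback loop described in improvement (1), as an added Python example that is not code from the thesis. Assumptions: a single low-bit mask on a numeric packet ID stands in for the multi-mask match, the rate changes by one mask bit (a factor of two) per interval, and the class name, thresholds and traffic figures are constructed.

```python
# Added illustration; names, thresholds and the one-bit step are assumptions.
class AdaptiveMaskSampler:
    """Samples a packet when the low `bits` bits of its ID are zero,
    giving a sampling rate of 2**-bits."""

    def __init__(self, min_samples, max_samples, bits=2, max_bits=8):
        self.min_samples = min_samples   # minimum threshold per interval
        self.max_samples = max_samples   # maximum threshold per interval
        self.bits = bits                 # current number of mask bits
        self.max_bits = max_bits         # floor on the sampling rate

    def run_interval(self, packet_ids):
        """Sample one measurement interval, then adapt the rate for the next."""
        mask = (1 << self.bits) - 1
        sampled = [pid for pid in packet_ids if pid & mask == 0]
        if len(sampled) > self.max_samples and self.bits < self.max_bits:
            self.bits += 1   # too many samples: halve the sampling rate
        elif len(sampled) < self.min_samples and self.bits > 0:
            self.bits -= 1   # too few samples: double the sampling rate
        return sampled


def simulate(loads, sampler):
    """Feed per-interval packet counts; return (load, sampled, bits_after)."""
    next_id, history = 0, []
    for load in loads:
        sampled = sampler.run_interval(range(next_id, next_id + load))
        next_id += load
        history.append((load, len(sampled), sampler.bits))
    return history


# Constructed traffic: steady load, a tenfold burst, then steady again.
LOADS = [400, 400, 4000, 4000, 4000, 400, 400, 400, 400]

if __name__ == "__main__":
    for load, n, bits in simulate(LOADS, AdaptiveMaskSampler(60, 150)):
        print(f"packets={load:5d} sampled={n:5d} next rate=1/{1 << bits}")
```

During the burst the sampled count falls from 1000 toward the maximum threshold as mask bits are added, and after the burst the rate climbs back until the count is inside the band again.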