
Network Intrusion Detection Based On Windows Driver Filtering Technical Research

Posted on: 2020-12-04
Degree: Master
Type: Thesis
Country: China
Candidate: R F Li
GTID: 2428330590952373
Subject: Software engineering

Abstract/Summary:
With the rapid development of Internet technology, the massive volume of data generated by tens of thousands of network access points has brought unprecedented challenges to cyberspace security. An intrusion detection system draws its data from the operating system, system programs, applications and network traffic; by closely monitoring these sources it finds behaviour that violates security rules or endangers the system. A capable intrusion detection system is therefore essential to protecting computer system resources. With continued technical progress and the rise of big data, cyber attacks have taken on new characteristics: they are more complex, more diverse and more automated, and the performance of early detection systems can no longer meet current security requirements. To cope with frequent multi-target, distributed and concealed malicious attacks, this thesis proposes a network intrusion detection technique based on Windows driver filtering.

The main work of this research is as follows. First, the basic concepts of intrusion detection are introduced and clarified, and the shortcomings of existing approaches are identified and analysed against the current state of the art. On that basis, a kernel-layer network data acquisition driver and a user-layer data processing program are designed and implemented; the intrusion detection model consists of exactly these two parts.

Second, the whole detection system is partitioned logically and functionally into a data acquisition module running in kernel mode, a data collaboration module spanning kernel mode and user mode, and analysis and data storage modules running in user mode. The data acquisition module uses the Windows Filtering Platform (WFP) to implement a kernel-layer network capture model in which intercepted traffic is pre-filtered: a misuse detection method drops obvious instances of known attacks. For the data collaboration module, the key techniques of kernel/user data exchange are analysed, and the interaction strategy between the kernel-layer acquisition driver and the user-layer analysis application is designed and implemented so that large volumes of data can be passed between the kernel-mode driver and the user-mode application in real time. The data analysis module is responsible for summarising and ordering the network data received from the kernel, producing network connection instances that serve as input to the analysis program.

Finally, current applications of machine learning to network intrusion detection are surveyed, and the general workflow for applying machine learning in this field is analysed. The well-known UNSW-NB15 dataset is adopted, and its preprocessing and feature extraction are implemented. An extremely randomized trees (Extra-Trees) algorithm is then used to train the classification model, and its performance as the anomaly classifier of the overall intrusion detection model is analysed.
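The abstract describes two stages that can be shown without a driver: the stateless misuse pre-filter the kernel acquisition module applies to each intercepted packet, and the user-layer summarisation of surviving packets into connection instances. The following is an added illustration written for this page, not code from the thesis or from WFP itself; the packets, rule names and record fields are constructed (the field names loosely follow UNSW-NB15's basic features such as dur, spkts, dpkts, sbytes and dbytes), and a real callout driver would implement the pre-filter in C against WFP's classify callbacks rather than in Python.

```python
"""Constructed example: misuse pre-filter followed by flow aggregation.
Packets are hand-built; rule and feature names are illustrative."""
from dataclasses import dataclass

# Bits of the TCP flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Packet:
    ts: float      # capture time, seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str     # "tcp" or "udp"
    flags: int     # TCP flags byte, 0 for UDP
    length: int    # bytes on the wire


# Misuse rules: each returns a reason when the packet matches a known-bad
# pattern and None otherwise.  They keep no state, so they are cheap enough
# to run on every packet before anything is copied to user mode.
def rule_syn_fin(p):
    if p.proto == "tcp" and p.flags & SYN and p.flags & FIN:
        return "SYN+FIN set (illegal combination used by scanners)"

def rule_null_scan(p):
    if p.proto == "tcp" and p.flags == 0:
        return "TCP segment with no flags (NULL scan)"

def rule_xmas_scan(p):
    if p.proto == "tcp" and p.flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "FIN+PSH+URG set (Xmas scan)"

def rule_port_zero(p):
    if p.sport == 0 or p.dport == 0:
        return "port 0 in use"

MISUSE_RULES = [rule_syn_fin, rule_null_scan, rule_xmas_scan, rule_port_zero]


def prefilter(packets):
    """Kernel-layer stage: returns (alerts, passed); alerts are (packet, reason)."""
    alerts, passed = [], []
    for p in packets:
        hits = [rule(p) for rule in MISUSE_RULES]
        reason = next((h for h in hits if h), None)
        if reason:
            alerts.append((p, reason))
        else:
            passed.append(p)
    return alerts, passed


def flow_key(p):
    """Direction-independent 5-tuple so both halves of a conversation share one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


@dataclass
class Flow:
    proto: str
    src: str       # originator = sender of the first packet seen
    sport: int
    dst: str
    dport: int
    first: float
    last: float
    spkts: int = 0
    dpkts: int = 0
    sbytes: int = 0
    dbytes: int = 0
    flags: int = 0  # union of TCP flags seen in either direction

    def add(self, p):
        if (p.src, p.sport) == (self.src, self.sport):
            self.spkts += 1
            self.sbytes += p.length
        else:
            self.dpkts += 1
            self.dbytes += p.length
        self.flags |= p.flags
        self.last = max(self.last, p.ts)

    def features(self):
        """One connection instance, the record handed to the analysis program."""
        return {"proto": self.proto, "src": self.src, "dst": self.dst,
                "dport": self.dport, "dur": round(self.last - self.first, 6),
                "spkts": self.spkts, "dpkts": self.dpkts,
                "sbytes": self.sbytes, "dbytes": self.dbytes, "flags": self.flags}


def aggregate(packets, idle_timeout=60.0):
    """User-layer stage: fold packets into flows; a gap > idle_timeout starts a new flow."""
    active, finished = {}, []
    for p in sorted(packets, key=lambda x: x.ts):
        k = flow_key(p)
        f = active.get(k)
        if f is not None and p.ts - f.last > idle_timeout:
            finished.append(active.pop(k))
            f = None
        if f is None:
            f = active[k] = Flow(p.proto, p.src, p.sport, p.dst, p.dport, p.ts, p.ts)
        f.add(p)
    return finished + list(active.values())


def run_pipeline(packets):
    alerts, passed = prefilter(packets)
    return alerts, [f.features() for f in aggregate(passed)]


# Constructed traffic: an HTTP exchange, a DNS query/response, two scan probes.
SAMPLE = [
    Packet(0.000, "10.0.0.5", 51000, "10.0.0.8", 80, "tcp", SYN, 60),
    Packet(0.010, "10.0.0.8", 80, "10.0.0.5", 51000, "tcp", SYN | ACK, 60),
    Packet(0.011, "10.0.0.5", 51000, "10.0.0.8", 80, "tcp", ACK, 52),
    Packet(0.020, "10.0.0.5", 51000, "10.0.0.8", 80, "tcp", PSH | ACK, 412),
    Packet(0.150, "10.0.0.8", 80, "10.0.0.5", 51000, "tcp", PSH | ACK, 1460),
    Packet(0.300, "10.0.0.5", 53011, "10.0.0.1", 53, "udp", 0, 74),
    Packet(0.305, "10.0.0.1", 53, "10.0.0.5", 53011, "udp", 0, 138),
    Packet(0.400, "192.0.2.77", 40000, "10.0.0.8", 22, "tcp", SYN | FIN, 40),
    Packet(0.401, "192.0.2.77", 40001, "10.0.0.8", 23, "tcp", 0, 40),
]

if __name__ == "__main__":
    alerts, flows = run_pipeline(SAMPLE)
    for p, why in alerts:
        print("DROP", p.src, "->", p.dst, p.dport, why)
    for f in flows:
        print(f)
```

On the constructed sample the two probes are dropped by the pre-filter and never reach the user layer, while the HTTP and DNS exchanges each collapse into one bidirectional record. The idle timeout is the practitioner's caveat here: without it a long-lived key (same 5-tuple reused hours later) silently merges unrelated connections into one instance and distorts duration and byte counts.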
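The final stage of the model is the extremely randomized trees classifier. To make the algorithm's defining step concrete (cut points are drawn at random within a feature's range rather than searched for the optimal one, and the best of K such random cuts is kept), here is a from-scratch implementation added for this page; it is neither the thesis's code nor a library such as scikit-learn. The training table is constructed and uses five UNSW-NB15 basic feature names (dur, spkts, dpkts, sbytes, dbytes) with label 1 for attack and 0 for normal; it is far cleaner than the real dataset, where the classes overlap, and serves only to show the mechanics.

```python
"""From-scratch extremely randomized trees on a constructed, UNSW-NB15-shaped
feature table.  Rows are (dur, spkts, dpkts, sbytes, dbytes); 1 = attack, 0 = normal."""
import random
from collections import Counter

# Constructed connection instances: short, tiny probes versus ordinary sessions.
TRAIN_X = [
    (0.001, 1, 0, 40, 0), (0.002, 2, 1, 80, 40), (0.004, 1, 1, 44, 44),
    (0.010, 3, 1, 120, 40), (0.008, 2, 0, 88, 0), (0.015, 3, 2, 132, 80),
    (0.003, 1, 1, 60, 60), (0.020, 3, 1, 150, 52),
    (0.15, 5, 4, 524, 1520), (0.80, 12, 10, 2048, 9600), (1.50, 25, 22, 6000, 40000),
    (0.40, 8, 6, 900, 3200), (2.20, 38, 30, 12000, 85000), (0.60, 10, 9, 1500, 7000),
    (1.10, 18, 15, 4000, 20000), (0.30, 6, 5, 700, 2100),
]
TRAIN_Y = [1] * 8 + [0] * 8


def gini(labels):
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def weighted_gini(left, right):
    n = len(left) + len(right)
    return (len(left) * gini(left) + len(right) * gini(right)) / n


def build_tree(X, y, rng, k):
    """Grow one extremely randomized tree until every leaf is pure."""
    if len(set(y)) == 1:
        return ("leaf", y[0])
    # A feature that is constant inside this node cannot split it.
    usable = [f for f in range(len(X[0]))
              if min(r[f] for r in X) < max(r[f] for r in X)]
    if not usable:  # identical vectors with different labels: majority leaf
        return ("leaf", Counter(y).most_common(1)[0][0])
    best = None
    for f in rng.sample(usable, min(k, len(usable))):
        lo, hi = min(r[f] for r in X), max(r[f] for r in X)
        t = rng.uniform(lo, hi)   # the Extra-Trees idea: a random cut, not the optimal one
        if t >= hi:               # guard against rounding producing an empty side
            t = lo
        left = [i for i, r in enumerate(X) if r[f] <= t]
        right = [i for i, r in enumerate(X) if r[f] > t]
        score = weighted_gini([y[i] for i in left], [y[i] for i in right])
        if best is None or score < best[0]:
            best = (score, f, t, left, right)
    _, f, t, left, right = best
    return ("node", f, t,
            build_tree([X[i] for i in left], [y[i] for i in left], rng, k),
            build_tree([X[i] for i in right], [y[i] for i in right], rng, k))


def predict_tree(tree, x):
    while tree[0] == "node":
        _, f, t, left, right = tree
        tree = left if x[f] <= t else right
    return tree[1]


class ExtraTrees:
    """Ensemble of random-cut trees; prediction is a majority vote."""

    def __init__(self, n_trees=25, k=None, seed=0):
        self.n_trees, self.k, self.rng = n_trees, k, random.Random(seed)
        self.trees = []

    def fit(self, X, y):
        k = self.k or max(1, int(len(X[0]) ** 0.5))   # sqrt(n_features), as is customary
        self.trees = [build_tree(X, y, self.rng, k) for _ in range(self.n_trees)]
        return self

    def predict(self, X):
        return [Counter(predict_tree(t, x) for t in self.trees).most_common(1)[0][0]
                for x in X]


def accuracy(pred, truth):
    return sum(p == t for p, t in zip(pred, truth)) / len(truth)


def demo(seed=7):
    """Train on the constructed table, then classify two unseen probes."""
    clf = ExtraTrees(n_trees=25, seed=seed).fit(TRAIN_X, TRAIN_Y)
    train_acc = accuracy(clf.predict(TRAIN_X), TRAIN_Y)
    probes = [(0.0, 1, 0, 40, 0),              # looks like a scan probe
              (5.0, 60, 60, 30000, 120000)]    # looks like a long bulk transfer
    return train_acc, clf.predict(probes)


if __name__ == "__main__":
    print(demo())
```

Because the trees grow until every leaf is pure, training accuracy on distinct feature vectors is always 1.0, which is exactly why the thesis's evaluation on UNSW-NB15 has to be read on held-out data rather than the training split; the two probes in demo() are classified correctly here only because the constructed classes do not overlap on any feature.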
Keywords/Search Tags: Intrusion detection, Windows kernel, WFP, Extreme random trees