
Research And Improvement Of Intrusion Detection System Based On Cluster Analysis

Posted on: 2020-12-27
Degree: Master
Type: Thesis
Country: China
Candidate: J C Li
GTID: 2428330602952483
Subject: Engineering

Abstract:
With the deepening of global technological change and the rapid development of network infrastructure, the Internet has entered the era of big data and high-volume traffic. In such an era the means of network intrusion are more abundant and their consequences more serious; as an important research topic in active defense, intrusion detection is a technical direction that must be continually improved as security technology develops. Under the ever-increasing scale of network data, the latent problems of traditional intrusion detection systems become more prominent, especially traffic data collection and alarm information flooding in high-speed network environments, where existing intrusion detection systems show great limitations. Therefore, to address high-speed traffic acquisition and alarm information flooding in traditional intrusion detection systems under the current Internet environment, this thesis chooses the classical Snort system as the basic research platform and improves the traditional intrusion detection system by combining the zero-copy idea with clustering analysis. By optimizing the data acquisition module at the bottom of the original system and adding an alarm information clustering analysis module that further processes the initial alarm data, the overall performance of the intrusion detection system is improved.

Firstly, to address packet loss when capturing traffic data in a high-speed network environment, the data acquisition module of the original system is re-optimized based on the zero-copy idea. By combining the original system's underlying data acquisition module with the PF_RING high-speed packet capture library so that they collect network traffic data cooperatively, the system's capture rate can be greatly improved. At the same time, exploiting the characteristics of the PF_RING ring buffer, enabling the multi-process mode of the intrusion detection system so that data packets are collected and processed in parallel greatly improves the efficiency of data processing.

Secondly, aiming at the problem of alarm information flooding, a clustering analysis module for alarm information is designed by applying data mining ideas to the further processing of the primary alarm data that the system outputs after it identifies intrusive behavior. In this module it is innovatively proposed to use clustering analysis to optimize the processing of the primary alarm data, and the traditional K-means algorithm used in the module is optimized and improved based on the characteristics of intrusion detection alarm data. By integrating the improved K-means algorithm into the clustering analysis module and combining it with the Weka application platform, the initial alarm data of the intrusion detection system are analyzed after feature processing and format conversion, yielding more useful alarm information and greatly alleviating the alarm flooding problem of the intrusion detection system.

Finally, according to the overall architecture design of the improved intrusion detection system, this thesis completes the implementation and deployment of the overall system and performs functional testing of each module and of the whole system. The experimental results show that the improved intrusion detection system not only solves the problems of packet loss and alarm information flooding under high-speed networks, but also reduces false positives to a certain extent; the overall performance of the intrusion detection system is greatly improved.
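The abstract describes the alarm-clustering step only at a high level: primary Snort alerts are feature-processed, converted to a numeric format, and grouped with K-means so that a flood of related alerts collapses into a few summaries. The following is an added example, not code from the thesis or from Snort, that carries that pipeline through end to end: it parses Snort "fast"-format alert lines, builds a scaled feature vector per alert (signature id, priority, source address, log-scaled destination port), runs K-means, and emits one summary per cluster. It assumes plain Lloyd's K-means with deterministic farthest-first seeding (the page does not say how the thesis's K-means was improved, so that improvement is not modelled), and the sample alerts are constructed, not captured traffic.

```python
"""Snort alert clustering demo (added example; not the thesis's code).

Assumptions: Snort "fast" alert line format, plain K-means with
farthest-first seeding, and constructed sample alerts (below).
"""
import math
import re
from collections import Counter

# One Snort "fast" alert line, e.g.
# 01/15-10:00:00.000000  [**] [1:1000001:1] msg [**] [Classification: x] [Priority: 3] {TCP} 10.0.0.99:40000 -> 192.168.1.10:21
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (not real data): a port sweep from one host,
# a repeated web attack from a second host, and two unrelated ICMP events.
_SCAN_PORTS = [21, 22, 23, 25, 80, 443, 3306, 8080]
SAMPLE_ALERTS = [
    f"01/15-10:00:{i:02d}.000000  [**] [1:1000001:1] CONSTRUCTED TCP SYN port sweep [**] "
    f"[Classification: Attempted Information Leak] [Priority: 3] {{TCP}} "
    f"10.0.0.99:{40000 + i} -> 192.168.1.10:{p}"
    for i, p in enumerate(_SCAN_PORTS)
] + [
    f"01/15-10:01:{i:02d}.000000  [**] [1:1000002:2] CONSTRUCTED SQL injection in URI [**] "
    f"[Classification: Web Application Attack] [Priority: 1] {{TCP}} "
    f"203.0.113.7:{51000 + i} -> 192.168.1.20:80"
    for i in range(5)
] + [
    f"01/15-10:02:{i:02d}.000000  [**] [1:1000003:1] CONSTRUCTED ICMP echo request [**] "
    f"[Classification: Misc activity] [Priority: 3] {{ICMP}} 198.51.100.4 -> 192.168.1.30"
    for i in range(2)
]


def parse_alerts(lines):
    """Parse fast-format lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in lines:
        m = FAST_ALERT_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["sid"], a["prio"] = int(a["sid"]), int(a["prio"])
        a["dport"] = int(a["dport"]) if a["dport"] else 0  # 0 = no port (e.g. ICMP)
        alerts.append(a)
    return alerts


def _ip_to_int(ip):
    o = [int(x) for x in ip.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]


def _min_max(rows):
    """Scale every column to [0, 1]; a constant column becomes 0."""
    cols = list(zip(*rows))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[(v - lo[j]) / (hi[j] - lo[j]) if hi[j] > lo[j] else 0.0
             for j, v in enumerate(r)] for r in rows]


def featurize(alerts):
    """Feature row per alert: [sid, priority, source IP, log2(dst port + 1)].
    The source IP keeps one attacker's alerts close together; the port is
    log-scaled so a sweep across ports does not dominate the distance."""
    rows = [[a["sid"], a["prio"], _ip_to_int(a["src"]), math.log2(a["dport"] + 1)]
            for a in alerts]
    return _min_max(rows)


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, max_iter=100):
    """Plain Lloyd's K-means; farthest-first seeding makes the run deterministic."""
    centers = [points[0]]
    while len(centers) < k:
        centers.append(max(points, key=lambda p: min(_dist(p, c) for c in centers)))
    labels = None
    for _ in range(max_iter):
        new = [min(range(k), key=lambda j: _dist(p, centers[j])) for p in points]
        if new == labels:
            break
        labels = new
        for j in range(k):
            members = [p for p, l in zip(points, labels) if l == j]
            if members:  # an empty cluster keeps its previous center
                centers[j] = [sum(col) / len(members) for col in zip(*members)]
    return labels


def cluster_alerts(lines, k=3):
    """Group alerts and return one summary dict per non-empty cluster."""
    alerts = parse_alerts(lines)
    labels = kmeans(featurize(alerts), k)
    clusters = []
    for j in range(k):
        members = [a for a, l in zip(alerts, labels) if l == j]
        if not members:
            continue
        sid, msg = Counter((a["sid"], a["msg"]) for a in members).most_common(1)[0][0]
        clusters.append({
            "count": len(members), "sid": sid, "msg": msg,
            "priority": min(a["prio"] for a in members),  # Snort: 1 is most severe
            "sources": sorted({a["src"] for a in members}),
            "dst_ports": sorted({a["dport"] for a in members}),
        })
    return sorted(clusters, key=lambda c: (-c["count"], c["sid"]))


if __name__ == "__main__":
    for c in cluster_alerts(SAMPLE_ALERTS):
        print(f'{c["count"]:3d}x sid={c["sid"]} prio={c["priority"]} {c["msg"]} '
              f'src={c["sources"]} dst_ports={c["dst_ports"]}')
```

On the constructed input the 15 raw alerts collapse to three summaries, and the summary of the sweep cluster (eight distinct destination ports from a single source) says more to an analyst than the eight individual lines did. The feature choice is the part that matters in practice: raw destination-port numbers or the signature id as a bare integer would let arithmetic distance, not attack semantics, decide the grouping, which is why the ports are log-scaled and every column is normalised before clustering.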
Keywords/Search Tags:intrusion detection, Snort, data capture, alarm information, cluster analysis