
Design And Implementation Of Intrusion Detection System Based On Data Mining

Posted on: 2021-10-20
Degree: Master
Type: Thesis
Country: China
Candidate: F Y Dong
GTID: 2518306512979029
Subject: Computer technology
Abstract/Summary:
With the popularization of Internet applications, network attacks have become frequent, and because they pose serious hidden dangers to users' information security, network security tools have been widely adopted. Suricata, a newer intrusion detection system, analyzes network traffic with multithreading and filters it against its internal rule repository to detect network intrusions efficiently. Suricata discovers intrusion behaviour by matching traffic against this rule base. When traffic volume becomes very large, matching against the full rule repository reduces detection efficiency and can even bring the Suricata system down, which is particularly noticeable in server-side deployments. This matching also ignores the relationships between packet features, which raises the intrusion false-positive rate.

This thesis addresses these shortcomings by redesigning the Suricata system around a data mining algorithm. The system dynamically extends Suricata's capabilities through analysis of the network data flow, so that Suricata runs efficiently and stably. Within this overall design, the thesis proposes a packet shunting algorithm and a rule repository update algorithm to improve the Suricata system. The shunting part and the rule repository update part form a closed-loop system, so that the Suricata module can adapt its processing to the network data and, especially when facing large server applications, achieve higher availability. The work of this thesis mainly comprises the following aspects:

1. Splitting the data flow: K-means, a data mining clustering algorithm, is used offline to learn the relationships between data packets and split the network data; only traffic that the splitting algorithm judges suspicious is passed on for detection in the Suricata system. This processing copes with data pressure and, by exploiting the relationships between data packets, reduces intrusion false positives.
2. Updating the rule strategy dynamically: the algorithm dynamically updates the back-end rule repository of the Suricata system from the data produced by the data mining algorithm, improving system availability. This allows the Suricata rule repository to be updated dynamically and avoids the frequent server restarts or downtime caused by matching against the full rule repository.
3. Testing: the improved algorithm and the original Suricata approach were compared on both false alarm rate and detection rate. The test results show that the algorithm designed in this thesis reduces the false alarm rate by more than 50% and improves the detection rate by more than 40%.
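The closed loop described above (offline K-means over packet relationships, online shunting of only the suspicious traffic into Suricata, and a rule-repository update derived from the clustering result), as an added illustration that is not the thesis's own code. The per-flow features (packet count, mean payload bytes, distinct destination ports), the heuristic that the smallest cluster is the suspicious one, the sample flows and the rate-based rule emitted for the suspicious cluster are all assumptions made here for the example.

```python
"""Added example, not code from the thesis: a K-means packet-shunting stage in
front of Suricata plus a rule-repository update hook. Flow features, the
'smallest cluster is suspicious' heuristic and all sample flows are assumptions."""
import random

# Constructed training flows (not thesis data): (packet_count, mean_payload_bytes, distinct_dst_ports)
TRAINING_FLOWS = [
    (12, 820.0, 1), (15, 760.0, 1), (10, 910.0, 1), (14, 700.0, 2),
    (11, 880.0, 1), (13, 790.0, 1), (9, 950.0, 1), (16, 730.0, 2),
    (11, 840.0, 1), (12, 805.0, 1),
    (240, 0.0, 200), (310, 0.0, 260),   # scan-like: many tiny packets, many ports
]


def _scale_params(flows):
    """Per-dimension mean and standard deviation for z-score scaling."""
    dims = len(flows[0])
    means = [sum(f[d] for f in flows) / len(flows) for d in range(dims)]
    stds = []
    for d in range(dims):
        var = sum((f[d] - means[d]) ** 2 for f in flows) / len(flows)
        stds.append(var ** 0.5 or 1.0)   # guard against a constant feature
    return means, stds


def _scale(flow, means, stds):
    return [(x - m) / s for x, m, s in zip(flow, means, stds)]


def _dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def _assign(point, centroids):
    return min(range(len(centroids)), key=lambda i: _dist2(point, centroids[i]))


def kmeans(points, k, seed=0, max_iter=100):
    """Lloyd's algorithm with farthest-point seeding (deterministic for a given seed)."""
    rng = random.Random(seed)
    centroids = [list(rng.choice(points))]
    while len(centroids) < k:
        far = max(points, key=lambda p: min(_dist2(p, c) for c in centroids))
        centroids.append(list(far))
    labels = [_assign(p, centroids) for p in points]
    for _ in range(max_iter):
        for i in range(k):
            members = [p for p, lab in zip(points, labels) if lab == i]
            if members:   # an empty cluster keeps its previous centroid
                centroids[i] = [sum(col) / len(members) for col in zip(*members)]
        new_labels = [_assign(p, centroids) for p in points]
        if new_labels == labels:
            break
        labels = new_labels
    return centroids, labels


def train_shunt_model(flows, k=2, seed=0):
    """Offline phase: cluster the flows; the smallest cluster is treated as suspicious (assumed heuristic)."""
    means, stds = _scale_params(flows)
    points = [_scale(f, means, stds) for f in flows]
    centroids, labels = kmeans(points, k, seed)
    sizes = [labels.count(i) for i in range(k)]
    return {"means": means, "stds": stds, "centroids": centroids,
            "suspicious": sizes.index(min(sizes))}


def shunt(model, flow):
    """Online phase: True means 'forward this flow to Suricata for full rule matching'."""
    point = _scale(flow, model["means"], model["stds"])
    return _assign(point, model["centroids"]) == model["suspicious"]


def suricata_rule(model, sid):
    """Rule-repository update: turn the suspicious centroid into a rate-based Suricata rule."""
    c = model["centroids"][model["suspicious"]]
    pkts = int(round(c[0] * model["stds"][0] + model["means"][0]))   # unscale the packet count
    return ('alert tcp any any -> any any (msg:"kmeans shunt: suspicious cluster"; '
            f'flow:to_server; threshold: type threshold, track by_src, count {pkts}, '
            f'seconds 60; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    model = train_shunt_model(TRAINING_FLOWS)
    print(shunt(model, (13, 810.0, 1)), shunt(model, (280, 0.0, 230)))
    print(suricata_rule(model, 1000001))
```

The shunting decision is a nearest-centroid lookup, so it is cheap enough to sit in front of the full rule match; only flows that land in the suspicious cluster are passed to Suricata, and the emitted rule can be appended to the rule file and loaded with a rule reload rather than a restart. The generated rule uses Suricata's `threshold` keyword so that it fires on the packet rate the cluster exhibits rather than on a fixed signature.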
Keywords/Search Tags:Suricata System, Data Mining, Clustering Algorithm, Rule Policy Update, Intrusion Detection