Research On Intrusion Detection Technology Based On Hybrid Honeypot

Posted on: 2022-04-28
Degree: Master
Type: Thesis
Country: China
Candidate: Y Y Gao
GTID: 2518306521990759
Subject: Computer application technology

Abstract/Summary:
The rapid development of the Internet has greatly met people's needs for information exchange, promoted the rapid development of technology, education, and culture, and has become an indispensable part of people's daily work, study and life. While Internet technology provides services to people, it also continues to bring about problems of various forms and poses a serious threat to information security. The healthy development of the Internet has benefited from the continuous improvement of intrusion detection technology. Intrusion detection technology has become an effective method for dealing with network security problems, mainly because it can collect effective information from different nodes of the computer systems on the network and analyze and check whether there are malicious intrusion behaviors or signs of them in the network. Commonly used intrusion detection technologies focus on the "static" protection of the system and cannot respond to unknown attacks in a timely manner. Actively responding to unknown attacks has become a challenge in the field of network security. Using honeypot technology to build an active defense system can help with this issue. As a supplement to traditional network security technology, honeypot technology improves the proactiveness of intrusion detection technology and firewalls in response to attacks.

Based on an analysis of the current development and existing shortcomings of intrusion detection technology and honeypot technology, this paper proposes a hybrid honeypot system to detect and defend against unknown behaviors, and uses data mining technology to analyze and process the data collected by the honeypot, find its internal connections, generate new intrusion detection rules, and update the intrusion detection rule base. Comparing the experimental results of the improved intrusion detection technology and the traditional intrusion detection technology shows that the improved technology increased the detection accuracy rate by 8.45% and decreased the false alarm rate by 2.44% compared with the traditional technology. The specific work of this paper is as follows:

(1) The data captured by the hybrid honeypot is large in volume, noisy, and high-dimensional, so if the initial cluster center is not properly selected during clustering, the accuracy of clustering will be reduced. Therefore, this paper proposes the ACSFCM algorithm. This method uses the adaptive cuckoo algorithm to locate the optimal clustering center, which addresses the FCM algorithm's dependence on the selection of the initial point and improves the overall clustering performance of the clustering algorithm.

(2) Based on the improved clustering algorithm, the unlabeled data collected by the hybrid honeypot is clustered. According to the characteristic that the amount of attack data in the hybrid honeypot is much larger than the amount of normal data, the clustering results are marked as a normal behavior category and an abnormal behavior category, and the association rule algorithm is used to extract the rules of the abnormal category. The generated strong rules are then converted according to the format of the intrusion detection rule base and added to it.

(3) The intrusion detection technology framework based on the hybrid honeypot is implemented on the VMware virtual platform, including the intrusion detection part, the hybrid honeypot part, and the data mining part, and the results of each part are shown. Finally, the performance of the overall architecture is tested, which proves that the architecture can detect unknown attacks.
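Step (2) of the abstract, sketched as an added example that is not the thesis's code: cluster ids are taken as given instead of being produced by ACSFCM, and the records and feature names are constructed. It assumes each rule reads "itemset -> abnormal", with support measured inside the abnormal cluster and confidence against all records; the rule-line format is hypothetical, since the page does not give the rule base format.

```python
from collections import Counter
from itertools import combinations

# Constructed sample: (cluster id from a prior clustering step, feature items).
RECORDS = [
    (0, {"proto=tcp", "dport=23", "flag=S0"}),
    (0, {"proto=tcp", "dport=23", "flag=S0"}),
    (0, {"proto=tcp", "dport=23", "flag=SF"}),
    (0, {"proto=tcp", "dport=22", "flag=S0"}),
    (0, {"proto=tcp", "dport=23", "flag=S0"}),
    (1, {"proto=tcp", "dport=80", "flag=SF"}),
    (1, {"proto=udp", "dport=53", "flag=SF"}),
    (1, {"proto=tcp", "dport=23", "flag=SF"}),
]

def label_clusters(records):
    """Mark the largest cluster abnormal: honeypot traffic is mostly attacks."""
    sizes = Counter(cid for cid, _ in records)
    abnormal = sizes.most_common(1)[0][0]
    return {cid: ("abnormal" if cid == abnormal else "normal") for cid in sizes}

def strong_rules(records, min_support=0.6, min_confidence=0.9, max_len=3):
    """Return (itemset, support, confidence) for strong rules itemset -> abnormal."""
    labels = label_clusters(records)
    abnormal = [items for cid, items in records if labels[cid] == "abnormal"]
    everything = [items for _, items in records]
    vocabulary = sorted(set().union(*abnormal))
    rules = []
    for size in range(1, max_len + 1):
        for combo in combinations(vocabulary, size):
            itemset = frozenset(combo)
            hits = sum(itemset <= items for items in abnormal)
            total = sum(itemset <= items for items in everything)
            support = hits / len(abnormal)
            # Confidence drops when normal-cluster records also match the itemset.
            confidence = hits / total if total else 0.0
            if support >= min_support and confidence >= min_confidence:
                rules.append((combo, support, confidence))
    return rules

def to_rule_line(itemset):
    """Hypothetical rule-base line; the real format is not given on the page."""
    return "alert if " + " and ".join(itemset)

if __name__ == "__main__":
    for itemset, sup, conf in strong_rules(RECORDS):
        print(f"{to_rule_line(itemset)}  # support={sup:.2f} confidence={conf:.2f}")
```

Note that `dport=23` alone is frequent in the abnormal cluster but is rejected because a normal-cluster record also matches it, which is the false-alarm case the confidence threshold guards against.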
Keywords/Search Tags:hybrid honeypot, fuzzy clustering, cuckoo algorithm, association rules, intrusion detection