
Research On Intrusion Detection Based On Protocol Analysis And Immune Principle

Posted on: 2012-04-24
Degree: Master
Type: Thesis
Country: China
Candidate: C L Cao
GTID: 2178330338494798
Subject: Computer software and theory

Abstract/Summary:
As network structures grow more complex and networks expand rapidly, illegal intrusions keep increasing. Traditional passive defence technology cannot maintain network security effectively. As a newer security defence technique, the intrusion detection system builds an active information security defence and effectively makes up for the deficiencies of traditional passive defence technology.

The protocol analysis method exploits the regularity of network protocols to detect attacks, so the amount of computation is greatly reduced and detection accuracy is improved. However, protocol analysis is a misuse-based intrusion detection technique, so it cannot detect unknown attacks. The way an artificial immune system protects itself is very similar to the way an intrusion detection system works. It has characteristics such as adaptability, robustness and distribution that present computer security systems lack. Intrusion detection based on immune principles has therefore been one of the hot research areas in intrusion detection in recent years.

This thesis combines immune principles and protocol analysis. An improved intrusion detection model based on immune principles and protocol analysis is proposed. The data collection module, protocol analysis module, detection module and response module are designed in detail. An improved negative selection algorithm is presented to remove matched detectors and enhance the capability to detect unknown intrusions. The structure of the antibody in the immune algorithm is improved: in addition to the basic characteristics of network data, time-based statistical characteristics are also considered, to better reflect the internal relationships between attack packets. For detector coding, considering the fuzzy boundary between normal and abnormal behavior, a coding scheme based on fuzzy concepts is put forward; this coding scheme reduces the code length of the detector.

The data set supplied by the DARPA 1999 Intrusion Detection Evaluation Plan is used as the network flow samples. The data of the 1st week is chosen as training data, from which a number of mature detectors are generated by training; the data of the 5th week, which includes some DoS and probing attacks, is then examined by the intrusion detection system model. The experimental results indicate that this model and method achieve a good detection rate with a low false positive rate.
Keywords/Search Tags:intrusion detection, artificial immune, protocol analysis
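
As an added illustration (not code from the thesis), the sketch below shows classic negative selection over fuzzy-coded traffic features: candidate detectors that match encoded normal ("self") traffic are discarded, and the survivors flag patterns never seen in training. The feature names, thresholds, r-of-n matching rule and sample records are assumptions constructed for this example; the thesis's improved algorithm and antibody structure are not reproduced here.

```python
from itertools import product

LEVELS = ("L", "M", "H")          # fuzzy linguistic terms: low / medium / high
PROTOS = ("tcp", "udp", "icmp")
R = 3                             # assumed rule: a match needs >= R of 4 equal fields

def fuzzify(x, lo, hi):
    """Return the term (L/M/H) with the highest membership for value x."""
    mid = (lo + hi) / 2
    mu = {"L": max(0.0, min(1.0, (mid - x) / (mid - lo))),
          "H": max(0.0, min(1.0, (x - mid) / (hi - mid)))}
    mu["M"] = 1.0 - max(mu["L"], mu["H"])
    return max(mu, key=mu.get)

def encode(rec):
    """Record = (protocol, connections to host in last 2 s,
    SYN error rate in window, distinct destination ports in window)."""
    proto, conns_2s, syn_err, ports_2s = rec
    return (proto, fuzzify(conns_2s, 5, 100),
            fuzzify(syn_err, 0.1, 0.8), fuzzify(ports_2s, 2, 20))

def matches(a, b):
    return sum(x == y for x, y in zip(a, b)) >= R

def train(normal_records):
    """Negative selection: keep only candidates that match no self sample.
    Fuzzy coding keeps the space small (3*3*3*3 = 81 codes), so candidates
    are enumerated here instead of being generated at random."""
    self_set = {encode(r) for r in normal_records}
    candidates = product(PROTOS, LEVELS, LEVELS, LEVELS)
    return [d for d in candidates
            if not any(matches(d, s) for s in self_set)]

def is_intrusion(rec, detectors):
    code = encode(rec)
    return any(matches(d, code) for d in detectors)

# Constructed sample data (not taken from the DARPA 1999 set).
NORMAL = [("tcp", 3, 0.0, 1), ("tcp", 50, 0.05, 2),
          ("udp", 4, 0.0, 1), ("icmp", 2, 0.0, 1)]
DETECTORS = train(NORMAL)

if __name__ == "__main__":
    tests = {"syn-flood-like": ("tcp", 400, 0.95, 1),
             "port-scan-like": ("tcp", 60, 0.5, 40),
             "normal": ("tcp", 4, 0.0, 1)}
    for name, rec in tests.items():
        print(name, encode(rec), is_intrusion(rec, DETECTORS))
```

With partial matching, traffic that is normal but absent from the training set can still be flagged, which is why the size and coverage of the self set drive the false positive rate.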