
Research And Implementation Of Data Selection Model In Intrusion Detection System

Posted on: 2008-05-20
Degree: Master
Type: Thesis
Country: China
Candidate: D P Jiang
Full Text: PDF
GTID: 2178360212996819
Subject: Computer system architecture
Abstract/Summary:
With the rapid development of the Internet, human society is gradually moving into the information age. As the basic facility for message transfer, the computer controls many fields closely related to people's lives, so people pay more and more attention to Internet security. Recently, more than 95% of network management centers in our country have been attacked by inside or outside hackers, and banks and other securities organizations have suffered the most among them. This problem grows worse day after day and needs to be solved quickly.

As an important part of the computer security field, an intrusion detection system (IDS) differs from other, static protection methods: it uses a dynamic and active strategy, so it receives much more attention and application. An IDS is formed of three parts: the data selection module, the analysis module and the alarm module. The data selection module is the foundation of the IDS; it gathers all information related to intrusion and sends it to the analysis module. There are many ways to classify IDSs. Classified by target, there are two types: host-based IDS and network-based IDS. The main work of this paper is to research and improve the data selection module of these two kinds of IDS.

The data selection module of a host-based IDS can be called an audit system, which records all traces of activity on the host. Many facts show that hacker activity originating inside the LAN is very damaging and well concealed, so the audit system is very effective against attacks from the local network and against misuse of privilege. The UNIX system has a log system, which can provide the user with the same service as an audit system, and the Linux system inherits this log system.
But the log system has some defects. First, it is implemented as an application, so a hacker can kill this application and thereby evade surveillance. Second, there is no way to protect the log information, so everyone can access it, and hackers can delete it after they have finished the intrusion. Finally, the format of the data is not suitable for analysis and detection. So it is very necessary to improve this log system.

This paper implements an audit system based on the kernel. This system takes detailed process information from the Linux kernel as audit data; it can record anything that happens on the computer, and since all of the information is generated by the kernel, the hacker cannot disturb or delete the audit data. Because of kernel version upgrades, some earlier methods of getting information from the kernel can no longer be used. Here a new way of using the IDT (interrupt descriptor table) to get data from the kernel is presented, and the process is illustrated on the 2.4 version kernel; it is safe and effective, and can also be used for other kernel versions.

A network-based IDS faces a serious problem in a high-speed Internet environment: network packets arrive at the computer faster than the IDS can process them, so many packets are lost, and this causes many errors in the IDS. The reason for this problem is that the data selection module uses BPF, a model that is no longer suited to the high-speed environment. This is also a hot topic in the IDS field.

This paper researches and attempts to use sampling methods to solve the above problem; sampling has been applied successfully in Internet measurement and network QoS. The main idea is to use sampling theory to take a portion of the whole and compute the characteristics of the whole from it. The goal of integrating sampling theory with IDS is to use the sample in place of the whole as the object of analysis, keeping detection effective while decreasing resource consumption.
Three methods are used in this paper: periodic sampling, Poisson sampling and stratified sampling, with the packet length distribution curve and the packet type proportion as criteria. The experimental results show that the curves of the Poisson and stratified samples are nearly identical to that of the whole, while the periodic sample's curve has a small error compared to the whole. On the second criterion, all three methods have an error, but it does not exceed 0.1%. Using the sample to estimate the whole, the confidence level is 95%. Nowadays the network is developing faster than the CPU, and the problem of packet loss has become unavoidable. Sampling theory may be a good way to solve this problem.
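The three samplers and the two evaluation criteria described above, as an added illustration that is not code from the thesis: the packet stream is a constructed, synthetic list of (length, type) pairs, sampling is count-based (by packet index) rather than by arrival time, and the error figures it produces are for this toy stream only, not the thesis's measured 0.1% result. Function names, bin width and parameters are assumptions made for the example.

```python
import random
from collections import Counter

# Constructed synthetic packet stream: (length_in_bytes, protocol_type).
# Not a real capture; a tri-modal TCP length mix is the only realism aimed for.
def make_stream(n=20000, seed=7):
    rng = random.Random(seed)
    types, weights = ["tcp", "udp", "icmp"], [0.70, 0.25, 0.05]
    pkts = []
    for _ in range(n):
        t = rng.choices(types, weights)[0]
        if t == "tcp":
            length = rng.choice([64, 576, 1500])
        elif t == "udp":
            length = rng.randint(64, 512)
        else:
            length = 84
        pkts.append((length, t))
    return pkts

# Periodic sampling: every period-th packet. Cheap, but vulnerable to any
# periodicity in the traffic itself (the source of the small error the text notes).
def periodic_sample(pkts, period):
    return pkts[::period]

# Poisson sampling: gaps between chosen packets are exponentially distributed,
# so on average one packet in 1/rate is taken and no traffic pattern can align with it.
def poisson_sample(pkts, rate, seed=1):
    rng = random.Random(seed)
    out, i = [], int(rng.expovariate(rate))
    while i < len(pkts):
        out.append(pkts[i])
        i += 1 + int(rng.expovariate(rate))
    return out

# Stratified sampling: split the stream into fixed-size strata (here consecutive
# blocks of packets) and draw the same number at random from each, which keeps
# bursts from being over- or under-represented.
def stratified_sample(pkts, stratum_size, per_stratum, seed=1):
    rng = random.Random(seed)
    out = []
    for start in range(0, len(pkts), stratum_size):
        stratum = pkts[start:start + stratum_size]
        out.extend(rng.sample(stratum, min(per_stratum, len(stratum))))
    return out

# Criterion 2 from the text: proportion of each packet type.
def type_proportion(pkts):
    c, n = Counter(t for _, t in pkts), len(pkts)
    return {t: c[t] / n for t in c}

# Criterion 1 from the text: packet length distribution, as a normalized histogram.
def length_hist(pkts, bin_width=100):
    c, n = Counter(length // bin_width for length, _ in pkts), len(pkts)
    return {b: c[b] / n for b in c}

# Largest deviation between two distributions over all categories/bins.
def max_abs_diff(a, b):
    return max(abs(a.get(k, 0.0) - b.get(k, 0.0)) for k in set(a) | set(b))

# Compare a sample against the whole stream on both criteria.
def evaluate(pkts, sample):
    return {
        "fraction": len(sample) / len(pkts),
        "type_error": max_abs_diff(type_proportion(pkts), type_proportion(sample)),
        "length_error": max_abs_diff(length_hist(pkts), length_hist(sample)),
    }

if __name__ == "__main__":
    stream = make_stream()
    for name, sample in [
        ("periodic", periodic_sample(stream, 10)),
        ("poisson", poisson_sample(stream, 0.1)),
        ("stratified", stratified_sample(stream, 100, 10)),
    ]:
        print(name, evaluate(stream, sample))
```

Each sampler is tuned to keep roughly one packet in ten, so the analysis module sees a tenth of the load; the two error figures are what a practitioner would watch when deciding whether the reduced stream still represents the traffic well enough for detection.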
Keywords/Search Tags: Implementation