
Research And Improvement Of IDS Snort Based On HMM Model

Posted on: 2012-01-21
Degree: Master
Type: Thesis
Country: China
Candidate: L Zhu
Full Text: PDF
GTID: 2218330368477902
Subject: Computer application technology

Abstract/Summary:
In recent years, network security incidents have occurred more often than ever before. Traditional network security technologies such as anti-virus software and firewalls cannot meet the demand for intrusion prevention in this situation. Intrusion detection is the main development direction of network security, but a single intrusion detection system has high false-positive and false-negative rates, and unknown types of attack cannot be recognised well. This thesis addresses these deficiencies of current intrusion detection technology and proposes a hybrid IDS based on Snort and improved with an HMM.

First, Snort's system structure and functions are analysed in detail, and several methods for improving system performance are put forward. Building on Snort's plug-in architecture, which makes extension easy, the preprocessing module and the rule list are each improved in order to raise system efficiency. For the rule set, a new optimization algorithm based on each rule's activity degree is adopted; it reduces the time needed to match rules.

Secondly, based on an analysis of stochastic process and hidden Markov model theory, a learning module and an inspection module built on a hidden Markov model are produced. These two modules are used as preprocessor plug-ins: Snort's decoded data is compared against the model of normal data trained by the learning module. "Normal" packets are filtered out, and "freak" packets are sent to the detection engine for misuse detection. This method reduces the system's detection time and also reduces the packet drops caused by large volumes of data.

Finally, simulation experiments show that, compared with the original misuse detection system, testing time is significantly reduced, and performance improves both in reducing false positives and false negatives and in detecting unknown attack types.

Lastly, the deficiencies that still exist in the present system are discussed, and ideas for further improvement are proposed.
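As an added illustration (not code from the thesis), the following Python sketch shows the two-stage pipeline described above: an HMM preprocessor scores a decoded-packet symbol sequence with the forward algorithm, filters sequences that look normal, and passes only anomalous ones to a misuse engine whose rules are tried in order of their activity degree. The HMM parameters, the symbol alphabet, the threshold, the sample sequences and the rules are all constructed assumptions.

```python
import math

# Assumed HMM over a tiny alphabet of decoded-packet symbols.  The thesis's learning
# module would estimate these from normal traffic; these values are constructed.
STATES = ("handshake", "transfer")
START = {"handshake": 0.8, "transfer": 0.2}
TRANS = {"handshake": {"handshake": 0.3, "transfer": 0.7},
         "transfer": {"handshake": 0.1, "transfer": 0.9}}
EMIT = {"handshake": {"syn": 0.45, "ack": 0.45, "data": 0.05, "fin": 0.05},
        "transfer": {"syn": 0.02, "ack": 0.28, "data": 0.60, "fin": 0.10}}
FLOOR = 1e-6       # emission probability for a symbol never seen in training
THRESHOLD = -1.5   # assumed per-symbol log-likelihood cut-off for "normal"

def _logsumexp(values):
    m = max(values)
    return m + math.log(sum(math.exp(v - m) for v in values))

def log_likelihood(seq):
    """Forward algorithm in log space: log P(seq | model) for a symbol sequence."""
    emit = lambda s, sym: math.log(EMIT[s].get(sym, FLOOR))
    alpha = {s: math.log(START[s]) + emit(s, seq[0]) for s in STATES}
    for sym in seq[1:]:
        alpha = {s: _logsumexp([alpha[p] + math.log(TRANS[p][s]) for p in STATES])
                 + emit(s, sym) for s in STATES}
    return _logsumexp(list(alpha.values()))

def is_anomalous(seq):
    """Inspection module: length-normalised score below THRESHOLD marks a 'freak' packet."""
    return log_likelihood(seq) / len(seq) < THRESHOLD

def misuse_detect(seq, rules):
    """Signature engine. rules: list of {name, pattern, hits}; tried in descending
    activity degree (hit count). Returns (matched rule name or None, comparisons)."""
    for n, rule in enumerate(sorted(rules, key=lambda r: -r["hits"]), start=1):
        k = len(rule["pattern"])
        if any(tuple(seq[i:i + k]) == rule["pattern"] for i in range(len(seq) - k + 1)):
            rule["hits"] += 1   # a hit raises the rule's activity degree
            return rule["name"], n
    return None, len(rules)

def inspect(seq, rules):
    """Pipeline: normal packets are filtered out; only anomalous ones reach the rules."""
    if not is_anomalous(seq):
        return "filtered", None, 0
    name, comparisons = misuse_detect(seq, rules)
    return ("alert" if name else "anomaly"), name, comparisons

# Constructed sample input: one ordinary session and one SYN-heavy sequence.
NORMAL = ("syn", "ack", "data", "data", "fin")
FLOOD = ("syn", "syn", "syn", "syn", "syn")
RULES = [{"name": "data-burst", "pattern": ("data", "data", "data"), "hits": 1},
         {"name": "syn-flood", "pattern": ("syn", "syn", "syn"), "hits": 0}]
```

Repeated hits on the same rule move it to the front of the list, so the number of comparisons the engine needs for that signature drops from two to one over successive calls.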
Keywords/Search Tags: IDS Snort, anomaly intrusion detection, misuse intrusion detection, hidden Markov model, rules optimization