A cyber range is a virtual platform that simulates a real-world network environment to provide network security training for personnel. Its purpose is to improve the network attack and defense skills of the trainees. Training exercises in the range generate attack and defense traffic, which is detected and recorded by an intrusion detection system (IDS). Real-time detection and logging are the two core functions of an IDS. The real-time detection function captures the intrusion behaviour produced by attack and defense exercises and so acts as a recorder of the training in the Cyber Range; the log data produced by the logging function supports the replay and evaluation of those exercises. The Tracking System of the Cyber Range relies mainly on these two functions to detect the situation in the range accurately and display it in real time, so the IDS is an important part of the Tracking System. For cost and technical reasons, the well-known Snort IDS was chosen for the Cyber Range because it is open source and free. In actual use Snort showed a number of defects and problems, but because it is open and flexible it is well worth studying and improving.

The purpose of this study is to improve the performance of Snort as applied in the range Tracking System. First, the development of intrusion detection and the current state of Snort's application are reviewed, and Snort's inherent shortcomings are analysed. Second, the thesis analyses the Snort system architecture and its main functional modules in detail, studies its detection mechanism, and applies data mining techniques to intrusion detection.
This thesis designs an anomaly detection module for Snort that filters out much of the normal network traffic before it reaches the rule-matching engine, which raises detection efficiency. This addresses Snort's low detection efficiency and the resulting failure to deliver the Tracking System's monitoring logs to the inspection personnel in time during attack and defense training in the Cyber Range. Because trainees may try new attack techniques in the range, a rule generator module is also proposed so that Snort gains the ability to detect new attacks. Finally, a hybrid data-mining detection model based on Snort is proposed. For this model, the thesis analyses and improves the K-means clustering algorithm and the Apriori algorithm used in the new modules. The improved algorithms are built into the new functional modules, which are added to Snort in the form of plug-ins. Experiments show that the improved hybrid Snort detection model is feasible and effective when applied in the Cyber Range.
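The two-stage pipeline described above (a clustering pre-filter that discards the bulk of normal flows, followed by frequent-itemset mining over the remaining flows to emit candidate Snort rules) is illustrated below with an added example. It is not code from the thesis: the thesis does not publish its improved algorithms, so plain textbook two-cluster K-means and Apriori are used, and the flow records, the feature scaling, the minimum support and the Snort rule template are all assumptions made for this illustration. The flows are constructed; nine model ordinary web and DNS traffic, four model a SYN scan from one host.

```python
from collections import Counter
from itertools import combinations

# Constructed sample flows: (src_ip, dst_port, proto, packets, bytes, syn_only).
# Values are invented for this example; the last four imitate a SYN scan.
FLOWS = [
    ("10.0.0.5", 80, "tcp", 12, 9000, 0),
    ("10.0.0.5", 443, "tcp", 20, 15000, 0),
    ("10.0.0.6", 53, "udp", 2, 300, 0),
    ("10.0.0.7", 80, "tcp", 9, 7000, 0),
    ("10.0.0.7", 443, "tcp", 15, 12000, 0),
    ("10.0.0.8", 53, "udp", 2, 280, 0),
    ("10.0.0.9", 80, "tcp", 11, 8500, 0),
    ("10.0.0.9", 22, "tcp", 30, 20000, 0),
    ("10.0.0.10", 443, "tcp", 18, 14000, 0),
    ("10.0.0.99", 21, "tcp", 1, 60, 1),
    ("10.0.0.99", 23, "tcp", 1, 60, 1),
    ("10.0.0.99", 445, "tcp", 1, 60, 1),
    ("10.0.0.99", 3389, "tcp", 1, 60, 1),
]

def features(flow):
    # Assumed feature vector; each component is scaled to [0, 1] so that the
    # byte count does not dominate the Euclidean distance.
    _src, _dport, _proto, pkts, nbytes, syn_only = flow
    return (pkts / 30.0, nbytes / 20000.0, float(syn_only))

def _dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def kmeans2(points, max_iter=20):
    """Textbook two-cluster K-means with a deterministic initialisation:
    the first point and the point farthest from it. Returns cluster labels."""
    centroids = [points[0], max(points, key=lambda p: _dist2(p, points[0]))]
    labels = None
    for _ in range(max_iter):
        new = [0 if _dist2(p, centroids[0]) <= _dist2(p, centroids[1]) else 1
               for p in points]
        if new == labels:
            break
        labels = new
        for c in (0, 1):
            members = [p for p, l in zip(points, labels) if l == c]
            if members:
                centroids[c] = tuple(sum(v) / len(members) for v in zip(*members))
    return labels

def prefilter(flows):
    """Anomaly pre-filter: the larger cluster is treated as normal traffic and
    dropped; only the remaining flows would be handed to the rule engine."""
    labels = kmeans2([features(f) for f in flows])
    normal = Counter(labels).most_common(1)[0][0]
    return [f for f, l in zip(flows, labels) if l != normal]

def flow_items(flow):
    # Transaction items for Apriori: one "key=value" string per attribute.
    src, dport, proto, _pkts, _bytes, syn_only = flow
    items = {f"proto={proto}", f"src={src}", f"dport={dport}"}
    if syn_only:
        items.add("flags=S")
    return frozenset(items)

def apriori(transactions, min_support):
    """Classic Apriori: grow frequent itemsets level by level, joining pairs
    that differ in one item and pruning candidates with an infrequent subset."""
    n = len(transactions)
    support = lambda s: sum(1 for t in transactions if s <= t) / n
    level = {frozenset([i]) for t in transactions for i in t}
    level = {s for s in level if support(s) >= min_support}
    frequent = {}
    while level:
        frequent.update((s, support(s)) for s in level)
        candidates = set()
        for a, b in combinations(sorted(level, key=sorted), 2):
            u = a | b
            if len(u) == len(a) + 1 and all((u - {i}) in level for i in u):
                candidates.add(u)
        level = {s for s in candidates if support(s) >= min_support}
    return frequent

def maximal(frequent):
    return [s for s in frequent if not any(s < o for o in frequent)]

def to_snort_rule(itemset, sid):
    # Assumed rule template; only the attributes present in the itemset are
    # pinned, everything else stays "any". Local rules use sid >= 1000000.
    kv = dict(i.split("=", 1) for i in itemset)
    opts = [f'msg:"mined pattern {" ".join(sorted(itemset))}"']
    if "flags" in kv:
        opts.append(f"flags:{kv['flags']}")
    opts += [f"sid:{sid}", "rev:1"]
    return (f"alert {kv.get('proto', 'ip')} {kv.get('src', 'any')} any -> "
            f"any {kv.get('dport', 'any')} ({'; '.join(opts)};)")

def generate_rules(flows, min_support=0.75, first_sid=1000001):
    """Rule generator: maximal frequent itemsets that fix a protocol become rules."""
    freq = apriori([flow_items(f) for f in flows], min_support)
    sets = sorted((s for s in maximal(freq)
                   if any(i.startswith("proto=") for i in s)), key=sorted)
    return [to_snort_rule(s, first_sid + n) for n, s in enumerate(sets)]

if __name__ == "__main__":
    suspicious = prefilter(FLOWS)
    print(f"{len(FLOWS) - len(suspicious)} flows filtered as normal")
    for rule in generate_rules(suspicious):
        print(rule)
```

With the sample flows the pre-filter discards the nine normal flows, and the four scan flows share the items `proto=tcp`, `src=10.0.0.99` and `flags=S` at full support, so a single rule is emitted that alerts on TCP SYN-only packets from that host to any port. Note the usual caveats of this approach: the "larger cluster is normal" assumption fails under a volumetric attack, and a mined rule is only a candidate that an analyst should review for false positives before it is loaded into Snort.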