
UDC Design and Application of Intrusion Detection System Based on Snort 2009 12


Abstract

Intrusion detection is one of the main research directions in network security. However, most practical intrusion detection systems identify attacks by matching collected network data against a database of known attacks. These pattern-matching methods are highly effective at detecting known attacks, but they do not work well against unknown attacks or variations of known attacks. This dissertation first describes intrusion detection and the related data-mining technologies and analyzes the Snort module structure and work processes, which provides the theoretical foundation for a new Snort-based NIDS. Secondly, it analyzes the Apriori algorithm and proposes improvements that address the algorithm's defects and the requirements of a data-mining-based Snort intrusion detection system. Finally, a Snort-based log analysis console is independently designed and developed with Microsoft Visual Studio 2008 and C#; it consists of three modules: a rule configuration module, a data analysis module, and a report module. The rule configuration module mainly makes the Snort rule set easier to view and modify; the data analysis module pre-processes the collected network packets and adds an Apriori-based anomaly detection module alongside Snort's own detection modules, thus generating a new set of anomaly detection rules that improve the detection of unknown network intrusions; the report module organizes and outputs the intrusion information so that it can be browsed and summarized. The platform was also tested in a simulated experimental environment, and the final results show that the system improves on the original Snort's detection efficiency. The system is now deployed at ChengYi College of Jimei University with visible results: it has effectively prevented network security incidents through its capacity to detect attacks in a timely manner.

Key words: Snort; Apriori; rules detection
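A compact Apriori run, added here as an illustration and not code from the dissertation: constructed, pre-processed connection records are mined for frequent itemsets and association rules, the raw material that a data analysis module like the one described above would filter into anomaly detection rules. The records, field names and thresholds are constructed assumptions, and the algorithm is textbook Apriori, not the dissertation's improved variant.

```python
# Added illustration, not the dissertation's code: textbook Apriori over
# constructed, pre-processed connection records.
from itertools import combinations

# Constructed sample: one set of discretised "field=value" items per flow.
RECORDS = [
    {"proto=tcp", "dport=80", "flags=S", "rate=high", "src=10.0.0.5"},
    {"proto=tcp", "dport=80", "flags=S", "rate=high", "src=10.0.0.5"},
    {"proto=tcp", "dport=22", "flags=S", "rate=high", "src=10.0.0.5"},
    {"proto=tcp", "dport=443", "flags=SA", "rate=low", "src=10.0.0.9"},
    {"proto=udp", "dport=53", "flags=-", "rate=low", "src=10.0.0.9"},
    {"proto=tcp", "dport=80", "flags=SA", "rate=low", "src=10.0.0.7"},
]

def apriori(records, min_support):
    """Return {frozenset(itemset): support} for every frequent itemset."""
    n = len(records)
    support = lambda s: sum(1 for r in records if s <= r) / n
    items = {i for r in records for i in r}
    level = {frozenset([i]) for i in items if support({i}) >= min_support}
    frequent = {s: support(s) for s in level}
    k = 2
    while level:
        # Join step: candidates are unions of two frequent (k-1)-itemsets.
        cands = {a | b for a in level for b in level if len(a | b) == k}
        # Prune step: every (k-1)-subset of a candidate must itself be frequent.
        cands = {c for c in cands
                 if all(frozenset(s) in level for s in combinations(c, k - 1))}
        level = {c for c in cands if support(c) >= min_support}
        frequent.update({c: support(c) for c in level})
        k += 1
    return frequent

def rules(frequent, min_conf):
    """Rules X -> Y (X, Y disjoint, X|Y frequent) as (X, Y, support, confidence)."""
    out = []
    for s, sup in frequent.items():
        for r in range(1, len(s)):
            for x in combinations(s, r):
                x = frozenset(x)
                conf = sup / frequent[x]  # subsets of frequent sets are frequent
                if conf >= min_conf:
                    out.append((x, s - x, sup, conf))
    return out

def mine(records=RECORDS, min_support=0.5, min_conf=0.9):
    """Rules that a later filtering stage would turn into candidate detection rules."""
    return rules(apriori(records, min_support), min_conf)
```

With these thresholds the broad item proto=tcp never appears alone on a rule's left-hand side (its confidence is too low), while the half-SYN, high-rate flows from one source yield rules with confidence 1.0, which is the kind of pattern the filtering stage would keep.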


Contents

Chapter I  Introduction ... 1
  1.1 The Background, Purpose and Meaning of Research ... 1
  1.2 The Level of Development and the Status at Home and Abroad ... 2
  1.3 The Main Structure of This Article ... 3
Chapter II  Introduction to Intrusion Detection Systems, Technical Analysis and Snort ... 5
  2.1 The Concepts of Intrusion Detection ... 5
  2.2 The Classification of Intrusion Detection Technology ... 6
    2.2.1 Misuse Intrusion Detection Technology ... 6
    2.2.2 Anomaly Intrusion Detection Technology ... 7
    2.2.3 Comparison of Misuse Detection and Anomaly Detection Technology ... 8
  2.3 Structure and Function of the Intrusion Detection System ... 8
    2.3.1 Structure of the Intrusion Detection System ... 8
    2.3.2 The Functions of the Intrusion Detection System ... 9
  2.4 Classification of Intrusion Detection Systems ... 10
    2.4.1 Host-based Intrusion Detection System (HIDS) ... 10
    2.4.2 Network-based Intrusion Detection System (NIDS) ... 10
    2.4.3 Hybrid Intrusion Detection Systems ... 11
  2.5 Challenges and Problems Facing Intrusion Detection Systems ... 12
  2.6 Introduction to the Snort System ... 13
    2.6.1 Structure and Function of the Snort Modules ... 14
    2.6.2 Snort Workflow ... 17
    2.6.3 Performance of Snort ... 24
Chapter III  Snort Performance Improvement Based on a Data Mining Algorithm ... 26
  3.1 Basic Knowledge of Association Rules ... 26
  3.2 Anomaly Detection Module Based on the Apriori Algorithm ... 27
    3.2.1 Data Pre-processing Module ... 29
    3.2.2 Mining Association Rules Based on the Apriori Algorithm ... 32
    3.2.3 Filtering of Association Rules ... 38
Chapter IV  Improved Snort System in Cheng Yi Institute ... 39
  4.1 System Architecture ... 39
  4.2 Network Intrusion Detection Layer ... 40
    4.2.1 Introduction to WinPcap ... 40
    4.2.2 Analysis of the WinPcap Packet Capture Process ... 41
    4.2.3 Installation and Configuration of Snort ... 42
  4.3 Database Server Module ... 43
    4.3.1 Features of the MySQL Database ... 43
    4.3.2 Installation and Configuration of the MySQL Database ... 44
    4.3.3 MySQL Database Management Program ... 44
  4.4 Log Analysis Console ... 45
    4.4.1 Rule Configuration Module ... 47
    4.4.2 Data Analysis Module ... 48
    4.4.3 Report Module ... 50
  4.5 Testing the Log Analysis Console ... 51
    4.5.1 Test Hardware Environment ... 51
    4.5.2 Test Software Environment ... 51
    4.5.3 Test Experimental Data ... 52
  4.6 System Effectiveness ... 56
Chapter V  Summary and Expectation ... 57
  5.1 Summary ... 57
  5.2 Expectation ... 57
Acknowledgements ... 62

Chapter I, surviving fragments:

1.1 Background: the services and attack types named are FINGER, FTP (File Transfer Protocol), TELNET (telecommunication network protocol), RPC (Remote Procedure Calls), DNS (Domain Name System), ICMP (Internet Control Message Protocol) and Web, together with the denial-of-service attacks SYN-Flood, UDP-Flood, Ping-Flood, Land-based attack, Smurf attack and Ping of Death; the Internet [1] and VPNs are also mentioned.

1.2 Development and status at home and abroad, the timeline that survives:
- 1980: James P. Anderson, "Computer Security Threat Monitoring and Surveillance" [2]
- 1987: Dorothy Denning, "An Intrusion Detection Model" [3]; the IDES system
- 1990: Heberlein, NSM (Network Security Monitor)
- 1991: NADIR (Network Anomaly Detection and Intrusion Report); DIDS (Distributed Intrusion Detection System)
- 1994: Mark Crosbie and Gene Spafford, IDS built from autonomous agents
- 1995: IDES succeeded by NIDES (Next-Generation Intrusion Detection System)
- 1996: GRIDS (Graph-based Intrusion Detection System)
- 1998: Ross Anderson and Abida Khattak
- 2003: domestic status, Windows PC [4], [5]

1.3 The main structure of this article (Snort).


Degree papers are in the Xiamen University Electronic Theses and Dissertations Database. Full texts are available in the following ways: 1. If your library is a CALIS member library, please log on to http://etd.calis.edu.cn/ and submit requests online, or consult the interlibrary loan department of your library. 2. Users of non-CALIS member libraries should write to etd@xmu.edu.cn for delivery details.