Intrusion Prevention in Depth System Research Based on Data Mining

Abstract

This article proposes a data mining based intrusion prevention in depth system model to manage the huge amounts of unreliable and uncontrollable security events, which are generated by the extensive utilization of heterogeneous security devices in computer networks. A method of combining online detection and offline data mining is made use of as the core of the model. On the other hand, the work process of the system can be compartmentalized into two phases: online examination through pattern matching and offline training through data mining. By the online real-time data examination, the data are captured through the protocol analyzer at first, and then passed through the processor of regular rule set and parameters based detection engine. After corresponding processing to the data, the system can decide if the data should be stored and forwarded or an alarm management operation should be stimulated. By the offline data mining, the data preprocess module pretreats the data from various kinds of invasion and appraisal, and combines the mined knowledge to data that come from the compound detection engine and the policy making engine. The regular rule set is then updated and optimized through the new knowledge acquired by the offline data mining phase. The phases of online examination and offline data mining are executed alternatively and/or synchronously according to requirements of achieving optimal performance of the system. In our UPNSM, we unify the rule and the policy together to form the policy by the classified rule set and the human-computer interface and distribute policy to examination engines. This method provides our platform a better assistance to carry on various kinds of nimble effective operation. In fact, the model is a united network security management platform used to analyze the network and host data from different layers: the kernel layer, the concentration layer, and the access layer. Through enhancing the capture speed of the network data package, the proposed model can evidently improve the efficiency of traditional IPS for detection network intrusion. This verity can be demonstrated by simulation and experiment results. Thus, the proposed intrusion prevention in depth system model can be used for defense in real-time and defense in depth.