[Figure: the threshold curve u = f(v) drawn from (0,0) to (1,1) inside the unit square, with region D_1 on one side and D_2 on the other, and two sample points (u_1, v_1) and (u_2, v_2).]
Fig. 7. The mapping model from a behavior to a point
5.2 Behavior Detection Method
The final goal of an IDS is to raise an alert on an intrusion in time. To determine whether a
behavior is abnormal or not, we define a threshold function u = f(v). The
curve of this function lies in the region from (0,0) to (1,1) while
v . This idea is
illustrated in Figure 4 with a thick solid curve. Ideally, the curve of this function divides
the whole rectangle into two regions, D_1 and D_2. As the figure shows, D_1 lies
on the upper left side of the curve, and D_2 on the lower right. The point
(u_1, v_1) falls in region D_1, and (u_2, v_2) falls in region D_2.
Let $u_x$ denote the $u$ value of $X$, and $v_x$ the $v$ value of $X$; then
$u_x < f(v_x)$
[
0
(8)
That is to say, the point (u_1, v_1) falls in D_1, so (u_1, v_1) is not an intrusion. On the contrary, (u_2, v_2)
falls in D_2, so (u_2, v_2) is abnormal. The IDS then raises an alarm in accordance with its security
policy.
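As an added illustration (not code from the paper), the region test behind Eq. (8) written out in Python. The page does not fix the axis orientation, so the block assumes u is the vertical coordinate, which makes "u_x < f(v_x)" select the lower-right region D_2 (abnormal); the two threshold curves and the sample points are constructed here, not taken from the paper.

```python
"""Region test for the threshold-curve detector of Section 5.2 (added example).

Assumptions (the page gives only the shape of the rule, not the axes):
  - a behavior X has already been mapped to a point (u_x, v_x) in the unit square;
  - u is the vertical axis and v the horizontal axis, so D_1 (upper left of the
    curve u = f(v)) is the normal region and D_2 (lower right) is the abnormal one;
  - the inequality u_x < f(v_x) of Eq. (8) therefore places X in D_2.
"""
from typing import Callable, Iterable, List, Tuple

ThresholdFn = Callable[[float], float]


def diagonal(v: float) -> float:
    """Simplest admissible threshold curve: the straight line from (0,0) to (1,1)."""
    return v


def convex_curve(v: float, k: float = 2.0) -> float:
    """A bowed threshold curve from (0,0) to (1,1); it enlarges D_1 (fewer alarms)."""
    return v ** k


def region(u: float, v: float, f: ThresholdFn = diagonal) -> str:
    """Return 'D1' (normal) or 'D2' (abnormal) for the point (u, v).

    Points exactly on the curve are kept in D_1, since Eq. (8) is a strict inequality.
    """
    if not (0.0 <= u <= 1.0 and 0.0 <= v <= 1.0):
        raise ValueError("point must lie inside the unit square")
    return "D2" if u < f(v) else "D1"


def is_intrusion(u: float, v: float, f: ThresholdFn = diagonal) -> bool:
    """Alarm decision: True when the behavior's point lies in D_2."""
    return region(u, v, f) == "D2"


def classify_batch(points: Iterable[Tuple[float, float]],
                   f: ThresholdFn = diagonal) -> List[Tuple[float, float, bool]]:
    """Classify many mapped behaviors; each point is independent, so this parallelises."""
    return [(u, v, is_intrusion(u, v, f)) for u, v in points]


if __name__ == "__main__":
    # Constructed sample points, not data from the paper.
    sample = [(0.8, 0.3), (0.2, 0.7), (0.5, 0.6)]
    for u, v, alarm in classify_batch(sample, convex_curve):
        print(f"({u:.1f}, {v:.1f}) -> {'ALARM' if alarm else 'normal'}")
```

The third sample point shows why the choice of f matters: with the diagonal it falls in D_2, with the bowed curve in D_1.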
6 Conclusion
Aiming at the massive audit-data processing problem that intrusion detection systems
face, we established a network behavior model in this paper. We then calculated
the normal probability and the abnormal probability to map a multi-dimensional
behavior vector to a two-dimensional point. According to the position of that
point, the IDS can recognize whether a behavior is an intrusion or not. This approach
is easy to process in parallel, and it will be very helpful for improving intrusion
detection efficiency in a high-speed distributed network.
Acknowledgements
This work is supported by the Natural Science Foundation of Hebei under Grant
No. F2009000929 and the National Natural Science Foundation of China under Grant
No. 60863003.