[Figure: the threshold curve u = f(v) drawn across the unit square, with the labelled points (u_1, v_1) and (u_2, v_2) on either side of it.]
Fig. 7. The mapping model from a behavior to a point
5.2 Behavior Detection Method
The final goal of an IDS is to alert on an intrusion in time. In order to determine whether a behavior is abnormal or not, we need to define a threshold function u = f(v). The curve of this function lies in the region from (0,0) to (1,1) while v . This idea is illustrated in Figure 4 with a thick solid curve. Ideally, the curve of this function divides the whole rectangle into two regions, D_1 and D_2. Observing from the figure, D_1 lies at the upper left side of the curve, and D_2 lies at the lower right corner. Point (u_1, v_1) falls in region D_1, and (u_2, v_2) falls in region D_2.
Let u_x denote the u value of X, and v_x denote the v value of X; then

u_x < f(v_x)

That is to say, point (u_1, v_1) falls in D_1, so (u_1, v_1) is not an intrusion. On the contrary, (u_2, v_2) falls in D_2, so (u_2, v_2) is abnormal. The IDS then alarms in accordance with its security policy.
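The region test above, as an added example in Python (not the paper's code): the threshold curve u = f(v) is assumed to be supplied as sampled knots running from (0,0) to (1,1) and interpolated piecewise-linearly, a point X is placed in D_1 when u_x < f(v_x) and in D_2 otherwise, and the knots and sample points are constructed. A point lying exactly on the curve is counted as D_2 here, since the text does not say.

```python
from bisect import bisect_right
from typing import Callable, List, Sequence, Tuple

Point = Tuple[float, float]  # (u, v) coordinates of a mapped behavior


def make_threshold(knots: Sequence[Tuple[float, float]]) -> Callable[[float], float]:
    """Build f(v) from (v, u) knots by piecewise-linear interpolation.

    The knots are an assumption standing in for the paper's thick solid curve;
    they must start at (0, 0), end at (1, 1) and have strictly increasing v.
    """
    vs = [v for v, _ in knots]
    us = [u for _, u in knots]
    if knots[0] != (0.0, 0.0) or knots[-1] != (1.0, 1.0):
        raise ValueError("curve must run from (0,0) to (1,1)")
    if any(b <= a for a, b in zip(vs, vs[1:])):
        raise ValueError("knots must have strictly increasing v")

    def f(v: float) -> float:
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"v={v} outside [0, 1]")
        i = bisect_right(vs, v)  # first knot strictly to the right of v
        if i == len(vs):          # v == 1.0 lands on the last knot
            return us[-1]
        v0, v1, u0, u1 = vs[i - 1], vs[i], us[i - 1], us[i]
        return u0 + (u1 - u0) * (v - v0) / (v1 - v0)

    return f


def region(point: Point, f: Callable[[float], float]) -> str:
    """D1 (normal) when u_x < f(v_x), otherwise D2 (abnormal), as the text states.
    Points exactly on the curve fall in D2 here (a choice the paper leaves open)."""
    u, v = point
    if not 0.0 <= u <= 1.0:
        raise ValueError(f"u={u} outside [0, 1]")
    return "D1" if u < f(v) else "D2"


def detect(points: Sequence[Point], f: Callable[[float], float]) -> List[Point]:
    """Return the points the IDS should alarm on, i.e. those that fall in D2."""
    return [p for p in points if region(p, f) == "D2"]


# Constructed example: a curve bowed toward the upper left, and behaviors
# mapped to points like the paper's (u1, v1) and (u2, v2), plus one on the curve.
THRESHOLD = make_threshold([(0.0, 0.0), (0.5, 0.8), (1.0, 1.0)])
SAMPLE_POINTS = [(0.2, 0.5), (0.9, 0.5), (0.7, 0.25), (0.8, 0.5)]
```

Running `detect(SAMPLE_POINTS, THRESHOLD)` alarms on the last three points; only (0.2, 0.5) satisfies u < f(v) and stays in D_1.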
6 Conclusion
Aiming at the massive audit-data processing problem that intrusion detection systems face, we established a network behavior model in this paper. Then we calculated the normal probability and the abnormal probability to map a multi-dimensional behavior vector to a 2-dimensional point. According to the position of the 2-dimensional point, the IDS can recognize whether a behavior is an intrusion or not. This approach is easy to process in parallel, and it will be very helpful for improving intrusion detection efficiency in a high-speed distributed network.
This work is supported by the Natural Science Foundation of Hebei under Grant No. F2009000929 and the National Natural Science Foundation of China under Grant No. 60863003.