
[Figure: unit square from (0,0) to (1,1); axes $u$ and $v$; the threshold curve $u = f(v)$; regions $D_1$ and $D_2$; sample points $(u_1, v_1)$ and $(u_2, v_2)$]

Fig. 7. The mapping model from a behavior to a point

5.2 Behavior Detection Method

The final goal of an IDS is to alert on an intrusion in time. In order to determine whether a behavior is abnormal or not, we need to define a threshold function $u = f(v)$. The curve of this function lies in the region from (0,0) to (1,1) while $v \in$ . This idea is illustrated in Figure 4 with a thick solid curve. Ideally, the curve of this function divides the whole rectangle into two regions, $D_1$ and $D_2$. Observing from the figure, $D_1$ lies at the upper left side of the curve, and $D_2$ lies at the lower right corner. Point $(u_1, v_1)$ falls in the region $D_1$, and $(u_2, v_2)$ falls in the region $D_2$.

Let $u_x$ denote the $u$ value of $X$, and $v_x$ denote the $v$ value of $X$; then,

$$u_x < f(v_x) \qquad [\, 0 \qquad (8)$$

That is to say, point $(u_1, v_1)$ falls in $D_1$, so $(u_1, v_1)$ is not an intrusion. On the contrary, $(u_2, v_2)$ falls in $D_2$, so $(u_2, v_2)$ is abnormal. Then the IDS alarms in accordance with its security policy.
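As an added example (not code from the paper), the decision rule of this section in Python: a threshold curve $u = f(v)$ built by linear interpolation over assumed control points inside the unit square, the $D_1$/$D_2$ test of Eq. (8) with a point exactly on the curve counted as $D_2$ because the inequality is strict, and the list of points the IDS alarms on for a few constructed $(u, v)$ values. The mapping from a behavior vector to its $(u, v)$ point is assumed to have been done already.

```python
from bisect import bisect_right
from typing import Callable, List, Tuple

# A behavior X already mapped to its 2-D point (u_x, v_x); the mapping itself
# (normal/abnormal probabilities) is done before this step and is not shown here.
Point = Tuple[float, float]


def make_threshold(control: List[Tuple[float, float]]) -> Callable[[float], float]:
    """Build u = f(v) as a piecewise-linear curve through (v, u) control points.

    v must increase strictly from 0 to 1 and every u must lie in [0, 1], so the
    curve stays inside the rectangle from (0,0) to (1,1) as in Fig. 7.
    """
    vs = [v for v, _ in control]
    us = [u for _, u in control]
    if vs[0] != 0.0 or vs[-1] != 1.0 or any(b <= a for a, b in zip(vs, vs[1:])):
        raise ValueError("control points must have strictly increasing v from 0 to 1")
    if any(not 0.0 <= u <= 1.0 for u in us):
        raise ValueError("control points must have u in [0, 1]")

    def f(v: float) -> float:
        if not 0.0 <= v <= 1.0:
            raise ValueError("v outside [0, 1]")
        i = bisect_right(vs, v) - 1          # segment whose left end is <= v
        if i >= len(vs) - 1:                 # v == 1.0: right end of the curve
            return us[-1]
        t = (v - vs[i]) / (vs[i + 1] - vs[i])
        return us[i] + t * (us[i + 1] - us[i])

    return f


def classify(point: Point, f: Callable[[float], float]) -> str:
    """Eq. (8): u_x < f(v_x) puts X in D1 (normal); otherwise X is in D2.

    A point exactly on the curve is not strictly below it, so it lands in D2.
    """
    u, v = point
    return "D1" if u < f(v) else "D2"


def detect(points: List[Point], f: Callable[[float], float]) -> List[Point]:
    """Return the points the IDS should alarm on (those in D2)."""
    return [p for p in points if classify(p, f) == "D2"]


# Assumed threshold curve: control points (v, u), constructed for this example.
THRESHOLD = make_threshold([(0.0, 0.0), (0.5, 0.2), (1.0, 1.0)])

# Constructed behavior points (u, v): one in D1, one in D2, one on the curve.
SAMPLE_BEHAVIORS: List[Point] = [(0.1, 0.9), (0.6, 0.3), (0.2, 0.5)]
```

`detect(SAMPLE_BEHAVIORS, THRESHOLD)` returns the second and third points; only the first lies strictly to the upper left of the curve.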

6 Conclusion

Aiming at the massive audit-data processing problem which intrusion detection systems face, we established a network behavior model in this paper. Then we calculated the normal probability and the abnormal probability to map a multi-dimensional behavior vector to a 2-dimensional point. According to the position of the 2-dimensional point, the IDS can recognize whether a behavior is an intrusion or not. This approach is easy to process in parallel, and it will be very helpful for improving intrusion detection efficiency in a high-speed distributed network.

Acknowledgements

This work is supported by the Natural Science Foundation of Hebei under Grant No.F2009000929 and the National Natural Science Foundation of China under Grant No.60863003.
