Anomaly intrusion detection methods

The following detection methods are commonly used in anomaly-based intrusion detection systems:

Bayesian-inference-based detection method: the values of a set of measured variables at a given moment are used to infer, by Bayesian reasoning, whether an intrusion event is occurring in the system.

Feature-selection-based detection method: from a set of candidate metrics, select the subset that actually discriminates intrusions from normal activity, and use those metrics to predict or classify intrusive behaviour.

Bayesian-network-based detection method: a Bayesian network represents the relationships between random variables graphically. It is a directed graph whose arcs express the dependency of each child node on its parents, and it computes the joint probability distribution of the variables from a small set of probabilities attached to adjacent nodes: the prior probability of every root node and the conditional probability of every non-root node for each combination of its parents' values. When the value of a random variable becomes known it is absorbed as evidence, which provides a computational framework for determining the conditional probabilities of the remaining random variables.
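As an added example (not code from the original page), the following Python script shows the Bayesian inference and Bayesian network methods above on a constructed four-node network: two root causes (Intrusion, Backup) and two observable symptoms (FailedLogins, HighIO). The node names, priors and conditional probability tables are assumptions chosen for illustration; the posterior is computed exactly by enumerating every combination of the unobserved nodes after the evidence has been absorbed.

```python
import itertools

# Constructed example network (an assumption of this example, not from the page).
# Each node lists its parents and a conditional probability table mapping the
# tuple of parent values to P(node = True). Root nodes have an empty parent tuple,
# so their single table entry is the prior probability.
NETWORK = {
    "Intrusion":    {"parents": (), "cpt": {(): 0.01}},
    "Backup":       {"parents": (), "cpt": {(): 0.05}},
    "FailedLogins": {"parents": ("Intrusion",),
                     "cpt": {(True,): 0.70, (False,): 0.02}},
    "HighIO":       {"parents": ("Intrusion", "Backup"),
                     "cpt": {(True, True): 0.95, (True, False): 0.60,
                             (False, True): 0.90, (False, False): 0.03}},
}

def joint_probability(assignment):
    """P(assignment) = product over nodes of P(node | parents) (chain rule of a BN)."""
    p = 1.0
    for name, spec in NETWORK.items():
        parent_values = tuple(assignment[par] for par in spec["parents"])
        p_true = spec["cpt"][parent_values]
        p *= p_true if assignment[name] else 1.0 - p_true
    return p

def posterior(query, evidence):
    """P(query = True | evidence): the observed variables are fixed (absorbed as
    evidence) and every combination of the remaining nodes is enumerated."""
    hidden = [n for n in NETWORK if n not in evidence and n != query]
    totals = {True: 0.0, False: 0.0}
    for qval in (True, False):
        for combo in itertools.product((True, False), repeat=len(hidden)):
            assignment = dict(evidence)
            assignment[query] = qval
            assignment.update(zip(hidden, combo))
            totals[qval] += joint_probability(assignment)
    return totals[True] / (totals[True] + totals[False])

if __name__ == "__main__":
    print("prior            ", posterior("Intrusion", {}))
    print("failed logins    ", posterior("Intrusion", {"FailedLogins": True}))
    print("+ high disk IO   ", posterior("Intrusion", {"FailedLogins": True, "HighIO": True}))
    print("+ backup running ", posterior("Intrusion", {"FailedLogins": True, "HighIO": True, "Backup": True}))
```

The last two queries show why the network form matters: high I/O raises the belief in an intrusion, but once the backup job is known to be running it explains the I/O away and the belief drops again, something a flat sum of per-variable scores cannot express.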

Pattern-prediction-based detection method: the assumption behind this method is that sequences of events do not occur at random but follow a discernible pattern. Its characteristic is that the sequence of events and the interconnections between them are taken into account, and that only a small number of related security events need to be examined, which is the biggest advantage of the method.
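An added example (not from the original page) of the pattern-prediction idea in Python: a first-order Markov model learns which event tends to follow which from constructed shell-session histories, predicts the next event, and flags transitions in a new session that the learned pattern makes improbable. The session data, the smoothing constant and the 0.05 threshold are assumptions of this example.

```python
from collections import defaultdict

class EventPredictor:
    """First-order Markov model over event sequences: learns how often event b
    follows event a, predicts the next event, and flags transitions in a new
    sequence that the learned pattern makes improbable."""

    def __init__(self, alpha=0.01):
        self.alpha = alpha                       # additive smoothing (assumed value)
        self.counts = defaultdict(lambda: defaultdict(int))
        self.vocab = set()

    def train(self, sequences):
        for seq in sequences:
            self.vocab.update(seq)
            for prev, nxt in zip(seq, seq[1:]):
                self.counts[prev][nxt] += 1

    def transition_probability(self, prev, nxt):
        if prev not in self.vocab:
            return 0.0                           # an event never seen in training
        row = self.counts[prev]
        total = sum(row.values())
        # smoothing: an unseen successor keeps a small non-zero probability
        return (row.get(nxt, 0) + self.alpha) / (total + self.alpha * len(self.vocab))

    def predict_next(self, prev):
        """Most likely successor of `prev`, or None if `prev` was never followed by anything."""
        row = self.counts.get(prev)
        return max(row, key=row.get) if row else None

    def unusual_transitions(self, sequence, threshold=0.05):
        """Only the few transitions that break the learned pattern are reported."""
        return [(prev, nxt, round(self.transition_probability(prev, nxt), 4))
                for prev, nxt in zip(sequence, sequence[1:])
                if self.transition_probability(prev, nxt) < threshold]

# Constructed training sessions of one developer account (not real audit data).
NORMAL_SESSIONS = [
    ["login", "cd", "ls", "vim", "make", "logout"],
    ["login", "cd", "ls", "vim", "make", "make", "logout"],
    ["login", "ls", "cd", "vim", "logout"],
    ["login", "cd", "vim", "make", "ls", "logout"],
]
ROUTINE = ["login", "cd", "ls", "vim", "make", "logout"]
SUSPECT = ["login", "wget", "chmod", "nohup", "logout"]   # fetch-and-run pattern

def build_model():
    model = EventPredictor()
    model.train(NORMAL_SESSIONS)
    return model

if __name__ == "__main__":
    model = build_model()
    print("after login, expect:", model.predict_next("login"))
    print("routine session   :", model.unusual_transitions(ROUTINE))
    print("suspect session   :", model.unusual_transitions(SUSPECT))
```

The routine session produces no report at all, while every transition of the suspect session is reported: the model has to say something only about the handful of events that do not fit, which is the advantage the paragraph refers to.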

Statistics-based anomaly detection method: a feature profile table is established for each user from that user's observed activity, and current behaviour is judged anomalous by comparing its feature values against the previously established profile. The profile table must be updated continuously from the audit records, and it must itself be protected by several measures, because an attacker who can alter it, or feed it gradually shifting activity, can train the detector to accept intrusive behaviour as normal.

Machine-learning-based detection method: it uses temporal-sequence learning over discrete data to obtain the behavioural characteristics of networks, systems and individual users, and proposes an instance-based learning (IBL) method. IBL is based on similarity: raw data (such as discrete event streams and unordered records) are transformed into a measurable space, then IBL learning techniques together with a novel sequence-based classification method are applied to discover anomalous kinds of events and thereby detect intrusions. The probability with which a sequence is classified as a member of a class is determined by the choice of threshold.

Data-mining detection method: the purpose of data mining is to extract useful information from massive amounts of data. A network produces a large volume of audit records, most of which are stored as files, and finding anomalies in them by hand is far from sufficient. Applying data-mining techniques to intrusion detection therefore extracts useful knowledge from the audit data, and that knowledge is then used to detect both anomalous and known intrusions. The approach adopted is KDD (knowledge discovery in databases), whose strengths are handling large volumes of data and performing correlation analysis on it; its weakness is poor real-time performance.
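An added example (not from the original page) of mining knowledge from audit records in Python: a small Apriori implementation finds frequent attribute combinations in constructed connection records, turns them into high-confidence association rules, and then reports the rules a new record contradicts. The record attributes, support and confidence thresholds are assumptions of this example; the batch nature of the mining step is also where the poor real-time behaviour mentioned above comes from.

```python
from collections import defaultdict
from itertools import combinations

def record_items(record):
    """An audit record becomes a set of 'attribute=value' items."""
    return frozenset(f"{k}={v}" for k, v in record.items())

def frequent_itemsets(itemsets, min_support, max_size=3):
    """Apriori: level-wise search for item combinations whose support (fraction
    of records containing all of them) is at least min_support."""
    n = len(itemsets)
    support = {}
    candidates = [frozenset([i]) for i in sorted({i for s in itemsets for i in s})]
    size = 1
    while candidates and size <= max_size:
        counts = defaultdict(int)
        for s in itemsets:
            for c in candidates:
                if c <= s:
                    counts[c] += 1
        frequent = {c: cnt / n for c, cnt in counts.items() if cnt / n >= min_support}
        support.update(frequent)
        # join step: every union of two frequent sets that is exactly one item larger
        candidates = sorted({a | b for a, b in combinations(frequent, 2)
                             if len(a | b) == size + 1}, key=sorted)
        size += 1
    return support

def association_rules(support, min_confidence):
    """Rules 'antecedent -> consequent' with confidence = sup(itemset) / sup(antecedent)."""
    rules = []
    for itemset, sup in support.items():
        if len(itemset) < 2:
            continue
        for consequent in itemset:
            antecedent = itemset - {consequent}
            confidence = sup / support[antecedent]   # antecedent is frequent by the Apriori property
            if confidence >= min_confidence:
                rules.append((antecedent, consequent, round(confidence, 3)))
    return rules

def violations(rules, record):
    """Rules whose antecedent the record satisfies but whose consequent it
    contradicts (same attribute, different value): mined knowledge the record does not fit."""
    items = record_items(record)
    present_attrs = {i.split("=", 1)[0] for i in items}
    out = []
    for antecedent, consequent, confidence in rules:
        attr = consequent.split("=", 1)[0]
        if antecedent <= items and consequent not in items and attr in present_attrs:
            out.append((sorted(antecedent), consequent, confidence))
    return out

# Constructed audit records from a quiet segment (training data, not real captures).
AUDIT_RECORDS = (
    [{"service": "http", "flag": "SF", "src_bytes": "small", "dst_bytes": "medium"}] * 5
    + [{"service": "http", "flag": "SF", "src_bytes": "medium", "dst_bytes": "medium"}]
    + [{"service": "smtp", "flag": "SF", "src_bytes": "medium", "dst_bytes": "small"}] * 3
    + [{"service": "ssh", "flag": "SF", "src_bytes": "small", "dst_bytes": "small"}] * 3
)

def mine_rules(records=AUDIT_RECORDS, min_support=0.2, min_confidence=0.9):
    support = frequent_itemsets([record_items(r) for r in records], min_support)
    return association_rules(support, min_confidence)

if __name__ == "__main__":
    rules = mine_rules()
    for antecedent, consequent, conf in sorted(rules, key=lambda r: (-r[2], sorted(r[0]))):
        print(sorted(antecedent), "->", consequent, conf)
    probe = {"service": "http", "flag": "S0", "src_bytes": "none", "dst_bytes": "none"}
    print("violations:", violations(rules, probe))
```

The probe record (an HTTP connection that never completed its handshake and moved no data) contradicts the mined rules "service=http -> flag=SF" and "service=http -> dst_bytes=medium", which is how the mined knowledge is turned into a detection decision.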

Application-pattern-based anomaly detection method: this method computes an outlier score for each network service from the service's request types, request lengths and the distribution of request packet sizes, and uncovers abnormal behaviour by comparing the scores computed in real time against thresholds obtained during training.
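The statistics-based method (per-user feature profile, updated from the audit stream) and the application-pattern method just described share one mechanism: train a profile, derive a threshold, compare each new observation. The added Python example below (not code from the original page) implements that mechanism once and applies it to both a user profile and an HTTP-service profile. Numeric features are scored by z-score against running statistics; categorical features such as request type and packet-size class are scored by Hellinger distance between the stored and the observed distribution. The sample sessions, windows, feature names and the 1.5 safety margin on the threshold are assumptions of this example.

```python
import math
from collections import Counter

class RunningStat:
    """Welford's online mean/variance, so a profile can be updated record by record."""
    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def zscore(self, x):
        if self.n < 2:
            return 0.0
        std = math.sqrt(self.m2 / (self.n - 1))
        if std == 0.0:
            return 0.0 if x == self.mean else float("inf")
        return abs(x - self.mean) / std

def hellinger(p, q):
    """Distance in [0, 1] between two categorical distributions given as Counters."""
    pt, qt = sum(p.values()) or 1, sum(q.values()) or 1
    s = sum((math.sqrt(p[k] / pt) - math.sqrt(q[k] / qt)) ** 2 for k in set(p) | set(q))
    return math.sqrt(s / 2)

class Profile:
    """Feature profile of one subject: a user (session statistics) or a network
    service (request-type / packet-size distributions)."""
    def __init__(self, numeric=(), categorical=()):
        self.numeric = {f: RunningStat() for f in numeric}
        self.categorical = {f: Counter() for f in categorical}

    def update(self, record):
        for f, stat in self.numeric.items():
            stat.update(record[f])
        for f, hist in self.categorical.items():
            hist.update(record[f])          # record[f]: list of values observed in this window

    def deviation(self, record):
        z = max((s.zscore(record[f]) for f, s in self.numeric.items()), default=0.0)
        d = max((hellinger(h, Counter(record[f])) for f, h in self.categorical.items()), default=0.0)
        return z + d

def train(profile, records, margin=1.5):
    """Build the profile; the alarm threshold is the worst deviation seen in
    training times a safety margin (an assumed policy)."""
    for r in records:
        profile.update(r)
    return margin * max(profile.deviation(r) for r in records)

def check(profile, threshold, record, learn=True):
    """Score one new record. Records judged normal are folded into the profile so
    it keeps tracking the subject; anomalous ones are deliberately not, otherwise
    an attacker could slowly train the profile to accept them."""
    score = profile.deviation(record)
    anomalous = score > threshold
    if learn and not anomalous:
        profile.update(record)
    return anomalous, round(score, 2)

# Constructed audit data. User profile: per-session numeric features.
USER_SESSIONS = [{"minutes": m, "commands": c} for m, c in
                 [(30, 40), (45, 60), (25, 35), (50, 70), (35, 50), (40, 55)]]
USER_NORMAL = {"minutes": 38, "commands": 52}
USER_SUSPECT = {"minutes": 20, "commands": 400}       # scripted burst of commands

# Service profile: one record per observation window of the HTTP service.
def http_window(length, gets, posts, small, medium):
    return {"request_length": length,
            "request_type": ["GET"] * gets + ["POST"] * posts,
            "packet_size": ["small"] * small + ["medium"] * medium}

HTTP_WINDOWS = [http_window(300, 90, 10, 80, 20), http_window(320, 88, 12, 78, 22),
                http_window(310, 92, 8, 82, 18), http_window(330, 91, 9, 79, 21),
                http_window(315, 89, 11, 81, 19)]
HTTP_NORMAL = http_window(318, 90, 10, 80, 20)
HTTP_SUSPECT = http_window(4000, 5, 95, 10, 90)      # oversized POST flood

def demo():
    user = Profile(numeric=("minutes", "commands"))
    t_user = train(user, USER_SESSIONS)
    http = Profile(numeric=("request_length",), categorical=("request_type", "packet_size"))
    t_http = train(http, HTTP_WINDOWS)
    return {"user_normal": check(user, t_user, USER_NORMAL),
            "user_suspect": check(user, t_user, USER_SUSPECT),
            "http_normal": check(http, t_http, HTTP_NORMAL),
            "http_suspect": check(http, t_http, HTTP_SUSPECT)}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `learn` flag in `check` is the practical form of the "protect the profile" remark: the profile is kept current from the audit stream, but only with records the detector has already accepted, so an intruder cannot simply out-wait the baseline.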

Text-classification-based anomaly detection method: the sets of system calls produced by the system's processes are converted into "documents", and a k-nearest-neighbour text classification algorithm is used to compute the similarity between documents.
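The instance-based learning (IBL) method and the text-classification method both rest on the same two steps: map a system-call trace into a measurable space and classify it by similarity to stored, labelled instances. The added Python example below (not from the original page) serves both passages: each trace becomes a "document" of length-3 call subsequences, so that order is preserved, cosine similarity is the measure, and a k-nearest-neighbour vote assigns the class. The similarity threshold decides whether a trace is accepted as a member of any known class at all, which is the role of the threshold mentioned under the IBL method. The daemon traces, labels and threshold values are constructed assumptions.

```python
import math
from collections import Counter

def to_document(trace, n=3):
    """Convert a system-call trace into a 'document': a bag of length-n
    subsequences, so the order of the calls survives the conversion."""
    return Counter(tuple(trace[i:i + n]) for i in range(len(trace) - n + 1))

def cosine(a, b):
    """Cosine similarity between two bag-of-n-gram documents (0 = nothing in common)."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

class InstanceClassifier:
    """Instance-based learner: keeps every labelled instance and classifies a
    new trace by a similarity-weighted vote of its k nearest instances. If even
    the nearest instance is below `threshold`, the trace belongs to no known
    class and is reported as anomalous."""
    def __init__(self, k=3, threshold=0.5, n=3):
        self.k, self.threshold, self.n = k, threshold, n
        self.instances = []                  # list of (document, label)

    def add(self, trace, label):
        self.instances.append((to_document(trace, self.n), label))

    def classify(self, trace):
        doc = to_document(trace, self.n)
        ranked = sorted(((cosine(doc, d), lab) for d, lab in self.instances), reverse=True)
        nearest = ranked[:self.k]
        best = nearest[0][0] if nearest else 0.0
        if best < self.threshold:
            return "anomalous", round(best, 3)
        votes = Counter()
        for sim, lab in nearest:
            votes[lab] += sim
        return votes.most_common(1)[0][0], round(best, 3)

# Constructed traces of a hypothetical network daemon (not real captures).
NORMAL_TRACES = [
    ["socket", "bind", "listen", "accept", "read", "open", "read", "write", "close", "close"],
    ["socket", "bind", "listen", "accept", "read", "open", "read", "read", "write", "close", "close"],
    ["socket", "bind", "listen", "accept", "read", "stat", "open", "read", "write", "close", "close"],
]
# A trace that spawns a process over the accepted socket, labelled after a (constructed) past incident.
KNOWN_EXPLOIT_TRACE = ["socket", "bind", "listen", "accept", "read", "execve", "dup2", "dup2", "socket", "connect"]

def build_classifier(threshold=0.5):
    clf = InstanceClassifier(k=3, threshold=threshold)
    for t in NORMAL_TRACES:
        clf.add(t, "normal")
    clf.add(KNOWN_EXPLOIT_TRACE, "known-exploit")
    return clf

PROBES = {
    "routine request":    ["socket", "bind", "listen", "accept", "read", "open", "read", "write", "close", "close"],
    "same exploit again": ["socket", "bind", "listen", "accept", "read", "execve", "dup2", "dup2", "socket", "connect"],
    "unknown behaviour":  ["socket", "bind", "listen", "accept", "read", "ptrace", "ptrace", "kill"],
    "unrelated process":  ["mmap", "mprotect", "brk", "ioctl", "ioctl", "futex"],
}

if __name__ == "__main__":
    clf = build_classifier()
    for name, trace in PROBES.items():
        print(f"{name:20s} -> {clf.classify(trace)}")
```

With the threshold at 0.5 the "unknown behaviour" probe, which shares only the daemon's start-up prefix with every stored instance, is reported as anomalous; lowering the threshold to 0.4 makes the same probe a member of the "normal" class. The threshold, not the vote, decides membership at the margin.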

Misuse detection methods

The detection methods commonly used in misuse-based intrusion detection systems are:

Pattern matching method: the method most often used in intrusion detection technology. It detects violations of the security policy by comparing the collected information against a database of known network intrusion and system misuse patterns. Pattern matching imposes only a modest load on the system and gives a high detection rate and accuracy for attacks whose patterns are in the database; attacks for which no pattern exists are not detected.
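An added Python example (not from the original page) of the pattern matching method: a small signature database of regular expressions is run over constructed web-access and sshd log lines. The signature identifiers, descriptions and patterns are this example's own, not taken from any real ruleset. The one practitioner detail worth showing is normalisation: the collected information is URL-decoded before matching, because a pattern written for `../` never sees `%2e%2e%2f` otherwise.

```python
import re
from urllib.parse import unquote

# Constructed signature database (ids and patterns are assumptions of this example).
SIGNATURES = [
    ("SIG-001", "directory traversal sequence in request",
     re.compile(r"(\.\./){2,}")),
    ("SIG-002", "SQL tautology in request parameter",
     re.compile(r"(?i)('|%27)\s*or\s+1\s*=\s*1")),
    ("SIG-003", "request for sensitive system file",
     re.compile(r"/etc/(passwd|shadow)\b")),
    ("SIG-004", "SSH password failure (brute-force indicator)",
     re.compile(r"Failed password for (invalid user )?\S+ from (\d{1,3}\.){3}\d{1,3}")),
]

def normalise(line):
    """Undo one level of URL-encoding so encoded traversal or quote characters
    cannot slip past patterns written for the decoded form."""
    return unquote(line)

def match_line(line, decode=True):
    """Return the (id, description) of every signature that matches the line."""
    text = normalise(line) if decode else line
    return [(sid, desc) for sid, desc, rx in SIGNATURES if rx.search(text)]

def scan(lines, decode=True):
    """Match a batch of collected log lines; each hit is (line_no, line, matches)."""
    hits = []
    for number, line in enumerate(lines, 1):
        matched = match_line(line, decode)
        if matched:
            hits.append((number, line, matched))
    return hits

# Constructed sample log lines (web access log and sshd syslog, mixed).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024',
    '10.0.0.7 - - [10/Oct/2023:13:55:50 +0000] "GET /login?user=admin%27%20OR%201%3D1 HTTP/1.1" 200 300',
    "Oct 10 13:56:01 host sshd[2211]: Failed password for invalid user oracle from 198.51.100.23 port 51234 ssh2",
    "Oct 10 13:56:05 host sshd[2211]: Accepted publickey for alice from 10.0.0.2 port 51235 ssh2",
]

if __name__ == "__main__":
    for number, line, matched in scan(SAMPLE_LOG):
        print(number, [sid for sid, _ in matched], line[:70])
    print("without decoding:", [n for n, _, _ in scan(SAMPLE_LOG, decode=False)])
```

Run with decoding, lines 2, 3 and 4 match; run on the raw text, only the sshd line does. The matcher is exactly as good as its signature database plus its normalisation, which is why the method cannot see an attack it has no pattern for.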

Expert system method: the idea of this method is to express the knowledge of security experts as a knowledge base of rules and then to use an inference algorithm over those rules to detect intrusions. It is mainly aimed at intrusions with characteristic, describable behaviour.
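An added Python example (not from the original page) of the expert system method: the knowledge base is a list of rules written as fact patterns with `?variables`, the fact base is a set of tuples extracted from audit records, and a forward-chaining inference loop fires rules until nothing new can be derived. Alerts are simply derived facts. The rule names, rule content and the facts are constructed assumptions of this example.

```python
def is_var(term):
    return isinstance(term, str) and term.startswith("?")

def unify(pattern, fact, bindings):
    """Match one rule pattern against one fact, extending the variable bindings;
    returns None if the pattern and fact conflict."""
    if len(pattern) != len(fact):
        return None
    b = dict(bindings)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if p in b and b[p] != f:
                return None
            b[p] = f
        elif p != f:
            return None
    return b

def match_all(patterns, facts, bindings=None):
    """Yield every consistent binding of all the rule's patterns to the fact base."""
    bindings = bindings or {}
    if not patterns:
        yield bindings
        return
    for fact in facts:
        b = unify(patterns[0], fact, bindings)
        if b is not None:
            yield from match_all(patterns[1:], facts, b)

def substitute(template, bindings):
    return tuple(bindings.get(t, t) if is_var(t) else t for t in template)

def infer(facts, rules):
    """Forward chaining: fire every rule whose conditions hold until no rule adds
    a new fact. Intermediate conclusions can in turn trigger further rules."""
    facts = set(facts)
    changed = True
    while changed:
        changed = False
        for _name, patterns, conclusion in rules:
            for b in list(match_all(patterns, facts)):
                new_fact = substitute(conclusion, b)
                if new_fact not in facts:
                    facts.add(new_fact)
                    changed = True
    return facts

def alerts(facts, rules):
    """Alerts are derived facts whose first element is 'alert'."""
    return sorted(f for f in infer(facts, rules) if f[0] == "alert")

# Constructed rule base (names and content are this example's own).
RULES = [
    ("guess-then-success",
     [("failed_login", "?user", "?ip"), ("success_login", "?user", "?ip")],
     ("suspicious_login", "?user", "?ip")),
    ("account-created-after-suspicious-login",
     [("suspicious_login", "?user", "?ip"), ("user_created", "?user", "?new_user")],
     ("alert", "new account created after suspicious login", "?user", "?new_user", "?ip")),
    ("login-from-blocklisted-address",
     [("success_login", "?user", "?ip"), ("ip_in_blocklist", "?ip")],
     ("alert", "login from blocklisted address", "?user", "?ip")),
]

# Constructed facts extracted from audit records.
FACTS = [
    ("failed_login", "bob", "198.51.100.23"),
    ("success_login", "bob", "198.51.100.23"),
    ("user_created", "bob", "backup2"),
    ("ip_in_blocklist", "198.51.100.23"),
    ("failed_login", "carol", "10.0.0.3"),
    ("success_login", "alice", "10.0.0.2"),
]

if __name__ == "__main__":
    for alert in alerts(FACTS, RULES):
        print(alert)
```

The second rule never mentions a login at all; it fires only because the first rule derived `suspicious_login` for bob, which is the chaining that distinguishes an expert system from a flat signature list. Carol's failed login without a subsequent success derives nothing.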

State-transition-analysis-based detection method: the basic idea is to regard an attack as a continuous, step-by-step process in which the steps are correlated with one another. When an intrusion is recognised in the network the intrusive behaviour is blocked in time, which also prevents similar attacks that may follow. In state transition analysis a penetration is modelled as a series of actions by the attacker that move the system from an initial state to a final compromised state.
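An added Python example (not from the original page) of state transition analysis: an attack scenario is written as a transition table from state to state on event type, the analyzer tracks how far each source address has progressed, and it decides to block as soon as a configurable state short of "compromised" is reached. The scenario, event types and event stream are constructed assumptions; the point shown is that the same event (a privilege change) is an alarm for a source that has walked the earlier steps and nothing for one that has not.

```python
# Constructed attack scenario as a transition table (an assumption of this
# example): current state -> {event type: next state}.
TRANSITIONS = {
    "initial":   {"port_scan": "recon"},
    "recon":     {"auth_failure_burst": "guessing"},
    "guessing":  {"auth_success": "foothold"},
    "foothold":  {"privilege_change": "escalated"},
    "escalated": {"persistence_added": "compromised"},
}
COMPROMISED = "compromised"

class StateTransitionAnalyzer:
    """Tracks, per source address, how far an actor has progressed through the
    scenario. An event may advance the state; events that do not fit the
    current state leave it unchanged, so an isolated action is not an alarm."""
    def __init__(self, transitions=TRANSITIONS, block_at="escalated"):
        self.transitions = transitions
        self.block_at = block_at        # intervene before the final state is reached
        self.state = {}                 # source -> current state
        self.trail = {}                 # source -> [(event type, state after it)]

    def feed(self, event):
        src, kind = event["src"], event["type"]
        current = self.state.get(src, "initial")
        nxt = self.transitions.get(current, {}).get(kind, current)
        self.state[src] = nxt
        self.trail.setdefault(src, []).append((kind, nxt))
        if nxt != current and nxt in (self.block_at, COMPROMISED):
            return nxt, "block"
        return nxt, ("advance" if nxt != current else None)

def run(events, block_at="escalated"):
    """Replay an event stream; returns the analyzer and the decision after each event."""
    analyzer = StateTransitionAnalyzer(block_at=block_at)
    return analyzer, [analyzer.feed(e) for e in events]

# Constructed event stream: an attacker walks the scenario while an administrator
# performs a legitimate privilege change from another host.
EVENTS = [
    {"src": "198.51.100.23", "type": "port_scan"},
    {"src": "10.0.0.2", "type": "auth_success"},
    {"src": "198.51.100.23", "type": "auth_failure_burst"},
    {"src": "198.51.100.23", "type": "auth_success"},
    {"src": "10.0.0.2", "type": "privilege_change"},
    {"src": "198.51.100.23", "type": "privilege_change"},
    {"src": "198.51.100.23", "type": "persistence_added"},
]

if __name__ == "__main__":
    analyzer, decisions = run(EVENTS)
    for event, decision in zip(EVENTS, decisions):
        print(f"{event['src']:15s} {event['type']:20s} -> {decision}")
```

The block decision is taken at "escalated", one step before the final compromised state, which is the "blocked in time" part of the method; the last event is included only to show that the table does reach the final state if no one intervenes.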


Origin http://43.154.161.224:23101/article/api/json?id=325770652&siteId=291194637