CN114124446A - Intrusion detection system based on Snort engine and adopting logistic regression algorithm - Google Patents


Info

Publication number: CN114124446A
Authority: CN (China)
Prior art keywords: module, rule, data packet, abnormal data, logistic regression
Legal status: Pending (status as listed by Google Patents; not a legal conclusion)
Application number: CN202111186182.2A
Other languages: Chinese (zh)
Inventors: 桂海涛, 吴凡, 廖秋香, 杨鑫, 秦丽文, 骆育腾, 程向辉, 吴江雄, 侯和明
Current assignee: Guilin Power Supply Bureau of Guangxi Power Grid Co Ltd (as listed by Google Patents)
Original assignee: Guilin Power Supply Bureau of Guangxi Power Grid Co Ltd
Priority date: 2021-10-12
Filing date: 2021-10-12
Publication date: 2022-03-01

Classifications

Section H (Electricity) > H04 (Electric communication technique) > H04L (Transmission of digital information, e.g. telegraphic communication) > H04L63/00 (Network architectures or network communication protocols for network security):
    • H04L63/12 Applying verification of the received information
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/14 and H04L63/1408: detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/14 and H04L63/1408: detecting or protecting against malicious traffic by monitoring network traffic)

Section G (Physics) > G06 (Computing; calculating or counting) > G06F (Electric digital data processing):
    • G06F16/2455 Query execution (under G06F16/00 information retrieval; G06F16/20 structured data, e.g. relational data; G06F16/24 querying; G06F16/245 query processing)
    • G06F16/25 Integrating or interfacing systems involving database management systems (under G06F16/00 information retrieval; G06F16/20 structured data)
    • G06F17/18 Complex mathematical operations for evaluating statistical data, e.g. average values, frequency distributions, probability functions, regression analysis (under G06F17/00 digital computing or data processing equipment or methods specially adapted for specific functions; G06F17/10 complex mathematical operations)

Abstract

The intrusion detection system based on the Snort engine and adopting the logistic regression algorithm comprises a preprocessing module, a detection module, an alarm module, a rule generation module and a rule base. The preprocessing module preprocesses data packets and sends the preprocessing result to the detection module. The detection module identifies and distinguishes the preprocessing result and sends the abnormal data packets, marked with feature labels, to the rule base for matching judgment. The rule base performs matching judgment on the abnormal data packets marked with feature labels, sends the matching judgment results to the alarm module, and sends the abnormal data packets whose feature labels were not matched successfully to the rule generation module. The alarm module raises an alarm according to the matching judgment result. The rule generation module extracts and converts the abnormal data packets whose feature labels were not matched successfully to generate new rules and stores the new rules in the rule base, so that the risk of network intrusion is reduced and the security of network protection is improved.

Description

Intrusion detection system based on Snort engine and adopting logistic regression algorithm
Technical Field
The invention relates to the technical field of intelligent monitoring of electric power systems, and in particular to an intrusion detection system based on a Snort engine and adopting a logistic regression algorithm.
Background
With the rapid development of the internet, network information technology has been integrated into many aspects of daily life; while it improves the quality of life, it also brings the threat of network attacks. Intrusion detection is a protection technology that ensures system security through security monitoring: it collects information about the devices and the network in a system, analyzes and identifies that data, and judges whether abnormal behavior exists in the system. As an active information security protection technology, intrusion detection can therefore effectively make up for the shortcomings of traditional protection technologies such as firewalls. Because the gateway carries the communication between the internal network and the external network, an intelligent gateway with a network-attack intrusion detection function is of great significance for guaranteeing network security. Detection efficiency means, above all, that the system can detect all data in the network in time; a Snort intrusion detection system on its own does not reduce the risk of network intrusion sufficiently, which is highly unfavorable for the security of the network environment.
Disclosure of Invention
To overcome the shortcomings of the prior art, the invention provides an intrusion detection system based on a Snort engine and adopting a logistic regression algorithm, so that the risk of network intrusion is reduced and the security of network protection is improved.
To achieve this purpose, the invention adopts the following technical scheme:
The intrusion detection system based on the Snort engine and adopting the logistic regression algorithm comprises a preprocessing module, a detection module, an alarm module, a rule generation module and a rule base. The preprocessing module preprocesses data packets and sends the preprocessing result to the detection module. The detection module identifies and distinguishes the preprocessing result and sends the abnormal data packets, marked with feature labels, to the rule base for matching judgment. The rule base performs matching judgment on the abnormal data packets marked with feature labels, sends the matching judgment result to the alarm module, stores the abnormal data packets whose feature labels were not matched successfully in the abnormal database, and sends them to the rule generation module. The alarm module raises an alarm according to the matching judgment result. The rule generation module extracts and converts the abnormal data packets whose feature labels were not matched successfully to generate new rules, and stores the new rules in the rule base.
Furthermore, the preprocessing module comprises a sniffer, a decoder and a preprocessor. The sniffer captures data packets and sends them to the decoder; the decoder decompresses the data packets and sends them to the preprocessor; the preprocessor preprocesses the decompressed data packets and sends the preprocessing result to the detection module.
Further, the preprocessing specifically comprises: the preprocessor decodes the decompressed data packet through a preprocessing function, reassembles the decoded data packet, and converts the format of the reassembled data packet.
Further, the detection module receives the preprocessing result sent by the preprocessing module, identifies and distinguishes it to obtain normal data packets and abnormal data packets, and sends the abnormal data packets, marked with feature labels, to the rule base for matching judgment.
Further, the detection module uses a logistic regression algorithm to identify and distinguish the preprocessing result; the identification and distinguishing specifically comprises:
selecting a data set from a network that has not been intruded as the data source of normal data, and selecting the rule base file of a Snort system as the data source of abnormal data;
performing data conversion on the data of the normal data source and of the abnormal data source, training the converted data with a logistic regression algorithm, and determining the parameter values in the logistic regression formula;
calculating the upper and lower thresholds of the logistic regression model, determining the value mapping between the upper and lower thresholds, and judging whether a data packet carries the risk of network attack from the function values of all characteristic parameters of the data packet;
and marking a feature label on each data packet in which a network intrusion risk is detected.
Further, the rule base receives the abnormal data packets marked with feature labels from the detection module and performs matching judgment on them. The matching judgment comprises: the rule base identifies the feature label of the abnormal data packet and matches it against its rule linked list; if the match succeeds, the rule base judges the labelled abnormal data packet to be an attack intention; if the match fails, the rule base judges it to be a non-attack intention. The rule base then sends the matching judgment result to the alarm module.
Further, the rule base stores the abnormal data packets whose feature labels were not matched successfully and sends them to the rule generation module.
Further, the alarm module receives the matching judgment result sent by the rule base and acts on it: if the matching judgment result is an attack intention, the alarm module raises an alarm; if it is a non-attack intention, the alarm module does not raise an alarm.
Further, the rule generation module receives from the rule base the abnormal data packets whose feature labels were not matched successfully, and extracts and converts them. The extraction and conversion specifically comprises: the rule generation module identifies and extracts the feature labels of the unmatched abnormal data packets; it converts the format of the extracted feature labels to generate new rules; and it stores the generated new rules in the rule base.
The beneficial effects of the invention are as follows: the detection module identifies and distinguishes the preprocessing result and sends the abnormal data packets marked with feature labels to the rule base for matching judgment; the rule base sends the matching judgment result to the alarm module, stores the unmatched labelled abnormal data packets in the abnormal database and sends them to the rule generation module; the alarm module raises an alarm according to the matching judgment result; and the rule generation module extracts and converts the unmatched labelled abnormal data packets and stores the generated new rules in the rule base. The risk of network intrusion is thereby reduced and the security of network protection improved.
Drawings
To illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. It is obvious that the drawings in the following description show only some embodiments of the present invention, and that those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic structural diagram of the intrusion detection system based on a Snort engine and using a logistic regression algorithm.
Detailed Description
The embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
The embodiments of the present disclosure are described below with specific examples, and other advantages and effects of the present disclosure will be readily apparent to those skilled in the art from the disclosure in the specification. It is to be understood that the described embodiments are merely illustrative of some, and not restrictive, of the embodiments of the disclosure. The disclosure may be embodied or carried out in various other specific embodiments, and various modifications and changes may be made in the details within the description without departing from the spirit of the disclosure. It is to be noted that the features in the following embodiments and examples may be combined with each other without conflict. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
The first embodiment is as follows:
The intrusion detection system based on the Snort engine and adopting the logistic regression algorithm comprises a preprocessing module, a detection module, an alarm module, a rule generation module and a rule base. The preprocessing module preprocesses data packets and sends the preprocessing result to the detection module. The detection module identifies and distinguishes the preprocessing result and sends the abnormal data packets, marked with feature labels, to the rule base for matching judgment. The rule base performs matching judgment on the abnormal data packets marked with feature labels, sends the matching judgment result to the alarm module, stores the abnormal data packets whose feature labels were not matched successfully in the abnormal database, and sends them to the rule generation module. The alarm module raises an alarm according to the matching judgment result. The rule generation module extracts and converts the abnormal data packets whose feature labels were not matched successfully to generate new rules, and stores the new rules in the rule base.
The preprocessing module comprises a sniffer, a decoder and a preprocessor. The sniffer captures data packets and sends them to the decoder; the decoder decompresses the data packets and sends them to the preprocessor; the preprocessor preprocesses the decompressed data packets. The preprocessing comprises: the preprocessor decodes the decompressed data packet through a preprocessing function, reassembles the decoded data packet, and converts the format of the reassembled data packet. The preprocessor then sends the preprocessing result to the detection module.
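As an added illustration of the decoder and preprocessor stages just described (example code written for this page, not the patent's implementation and not Snort's own decoder, which captures through libpcap and performs far more decoding and normalization), the block below decodes constructed raw IPv4/TCP packets, reassembles the out-of-order TCP segments of one flow, stops at a sequence gap instead of stitching across the hole, and converts the result into the record format assumed to be handed to the detection module. The packet builder, the field names of the output record and the omission of the decompression step are assumptions made for the example.

```python
import struct


def build_ipv4_tcp(src, dst, sport, dport, seq, payload, flags=0x018):
    """Build a minimal IPv4/TCP packet as constructed example input (checksums left at zero)."""
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + tcp_hdr + payload


def decode_ipv4_tcp(pkt):
    """Decoder stage: parse the IPv4 and TCP headers of a raw packet and return fields plus payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("not TCP")
    if len(pkt) < ihl + 20 or total_len > len(pkt):
        raise ValueError("truncated TCP header or bad total length")
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4
    return {
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
        "sport": sport, "dport": dport, "seq": seq, "flags": off_flags & 0x1FF,
        "payload": pkt[ihl + data_off:total_len],
    }


def reassemble(decoded):
    """Preprocessor stage: group segments per flow, order them by sequence number and join them.
    Retransmitted or overlapping bytes are dropped; a missing segment leaves a gap, and the
    stream is cut there rather than joined across the hole."""
    flows = {}
    for seg in decoded:
        key = (seg["src"], seg["sport"], seg["dst"], seg["dport"])
        flows.setdefault(key, []).append(seg)
    streams = []
    for key, segs in flows.items():
        segs.sort(key=lambda s: s["seq"])
        data, expected, gap = bytearray(), segs[0]["seq"], False
        for seg in segs:
            if seg["seq"] > expected:
                gap = True
                break
            new = seg["payload"][expected - seg["seq"]:]  # skip bytes already assembled
            data += new
            expected += len(new)
        streams.append({"flow": key, "payload": bytes(data), "segments": len(segs), "gap": gap})
    return streams


def to_detection_record(stream):
    """Format conversion: the record layout assumed to be consumed by the detection module."""
    src, sport, dst, dport = stream["flow"]
    return {"src_ip": src, "src_port": sport, "dst_ip": dst, "dst_port": dport,
            "payload_len": len(stream["payload"]), "payload": stream["payload"],
            "incomplete": stream["gap"]}


def preprocess(raw_packets):
    """Whole preprocessing chain: decode every packet, reassemble per flow, convert the format."""
    return [to_detection_record(s) for s in reassemble([decode_ipv4_tcp(p) for p in raw_packets])]


if __name__ == "__main__":
    segs = [  # constructed: second segment of a request arrives before the first
        build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, 1016, b"Host: example.test\r\n\r\n"),
        build_ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, 1000, b"GET / HTTP/1.1\r\n"),
    ]
    for rec in preprocess(segs):
        print(rec["src_ip"], rec["dst_port"], rec["incomplete"], rec["payload"])
```

The `incomplete` flag matters for the detection stage: features computed over a stream with a hole describe a different byte sequence than the endpoint saw, so a deployment should either wait for the missing segment or score the partial stream separately rather than treating it as a complete packet.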
The detection module receives the preprocessing result sent by the preprocessing module, identifies and distinguishes it to obtain normal data packets and abnormal data packets, and sends the abnormal data packets, marked with feature labels, to the rule base for matching judgment. The detection module uses a logistic regression algorithm to identify and distinguish the preprocessing result; the identification and distinguishing specifically comprises the following steps:
selecting a data set from a network that has not been intruded as the data source of normal data, and selecting the rule base file of a Snort system as the data source of abnormal data;
performing data conversion on the data of the normal data source and of the abnormal data source, training the converted data with a logistic regression algorithm, and determining the parameter values in the logistic regression formula;
calculating the upper and lower thresholds of the logistic regression model, determining the value mapping between the upper and lower thresholds, and judging whether a data packet carries the risk of network attack from the function values of all characteristic parameters of the data packet;
and marking a feature label on each data packet in which a network intrusion risk is detected.
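The four-step procedure above (stated identically in the Disclosure of Invention and in this embodiment) can be worked through end to end. The block below is an added example written for this page, not the patent's code: it trains a logistic regression classifier by batch gradient descent on constructed normal and abnormal payloads, calibrates an upper and a lower threshold from the model's scores, maps scores between the thresholds onto a 0..1 risk value, and attaches a feature label to packets judged risky. The three features, the threshold rule (lower = highest score on normal data, upper = lowest score on abnormal data), the 0.5 cut inside the mapped range and the choice of the dominant feature as the label are all assumptions; the patent takes its abnormal source from the Snort rule file, while here both sources are small inline samples.

```python
import math

# Names of the "characteristic parameters" scored per packet (an assumption for this example).
FEATURE_NAMES = ("payload_len_ratio", "nonprintable_ratio", "identical_run_ratio")


def extract_features(payload: bytes) -> list:
    """Data conversion: turn one preprocessed payload into numeric features in [0, 1]."""
    n = max(len(payload), 1)
    nonprintable = sum(1 for b in payload if b < 0x20 or b > 0x7E)
    longest, run, prev = 0, 0, None
    for b in payload:                       # longest run of one repeated byte value
        run = run + 1 if b == prev else 1
        longest = max(longest, run)
        prev = b
    return [min(len(payload), 1500) / 1500.0, nonprintable / n, longest / n]


def sigmoid(z: float) -> float:
    z = max(-500.0, min(500.0, z))          # guard math.exp against overflow
    return 1.0 / (1.0 + math.exp(-z))


def train_logistic_regression(samples, lr=0.5, epochs=2000):
    """Batch gradient descent on log-loss; samples are (features, label), label 1.0 = abnormal.
    Returns the parameter values (weights, bias) of the logistic regression formula."""
    n, m = len(FEATURE_NAMES), len(samples)
    w, b = [0.0] * n, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * n, 0.0
        for x, y in samples:
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            for i in range(n):
                gw[i] += err * x[i]
            gb += err
        for i in range(n):
            w[i] -= lr * gw[i] / m
        b -= lr * gb / m
    return w, b


def score(model, x):
    """Function value of the model for one packet's feature vector."""
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def calibrate_thresholds(model, normal_feats, abnormal_feats):
    """Lower threshold = highest score on normal data, upper = lowest score on abnormal data."""
    lower = max(score(model, x) for x in normal_feats)
    upper = min(score(model, x) for x in abnormal_feats)
    if upper <= lower:                      # not separable on the training data: single cut (assumption)
        lower = upper = 0.5
    return lower, upper


def map_risk(s, lower, upper):
    """Value mapping between the thresholds: 0 below lower, 1 above upper, linear in between."""
    if s <= lower:
        return 0.0
    if s >= upper:
        return 1.0
    return (s - lower) / (upper - lower)


def classify(model, thresholds, payload):
    """Return the feature label for a packet judged to carry intrusion risk, or None for a normal one."""
    x = extract_features(payload)
    if map_risk(score(model, x), *thresholds) < 0.5:   # cut inside the mapped range (assumption)
        return None
    w, _ = model
    contrib = [wi * xi for wi, xi in zip(w, x)]
    return FEATURE_NAMES[contrib.index(max(contrib))]  # label = dominant feature (assumption)


# Constructed training payloads (not from the patent or from any real capture).
NORMAL_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello",
    b"hello world",
    b"user=alice&action=list",
]
ABNORMAL_PAYLOADS = [
    bytes(range(0x80, 0x100)) * 3,          # binary-looking payload
    b"\x00" * 600,                          # long run of one byte value
    bytes([0x7F, 0x1B, 0x00]) * 200,
    b"\xff\xfe" * 100 + b"ok",
]


def build_model():
    """Train on the constructed sources and calibrate thresholds; returns (model, (lower, upper))."""
    normal = [extract_features(p) for p in NORMAL_PAYLOADS]
    abnormal = [extract_features(p) for p in ABNORMAL_PAYLOADS]
    model = train_logistic_regression([(x, 0.0) for x in normal] + [(x, 1.0) for x in abnormal])
    return model, calibrate_thresholds(model, normal, abnormal)


if __name__ == "__main__":
    model, thr = build_model()
    for p in (b"GET /a HTTP/1.1\r\n\r\n", bytes(range(32)) * 20):
        print(p[:16], classify(model, thr, p))
```

Calibrating the thresholds on the same samples the model was trained on, as this block does, overfits: the lower threshold is only as high as the worst normal sample the trainer happened to see. A deployment should calibrate on held-out traffic from the protected network and re-check the false-alarm rate whenever the rule base that feeds the abnormal source changes.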
The rule base receives the abnormal data packets marked with feature labels from the detection module and performs matching judgment on them. The matching judgment comprises: the rule base identifies the feature label of the abnormal data packet and matches it against its rule linked list; if the match succeeds, the rule base judges the labelled abnormal data packet to be an attack intention; if the match fails, the rule base judges it to be a non-attack intention. The rule base then sends the matching judgment result to the alarm module, stores the abnormal data packets whose feature labels were not matched successfully in the abnormal database, and sends them to the rule generation module.
The alarm module receives the matching judgment result sent by the rule base and decides whether to raise an alarm according to it: if the matching judgment result is an attack intention, the alarm module raises an alarm; if it is a non-attack intention, the alarm module does not raise an alarm.
The rule generation module receives from the rule base the abnormal data packets whose feature labels were not matched successfully, and extracts and converts them. The extraction and conversion comprises: the rule generation module identifies and extracts the feature labels of the unmatched abnormal data packets; it converts the format of the extracted feature labels to generate new rules; and it stores the generated new rules in the rule base.
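The rule base, alarm module and rule generation module described in the three paragraphs above (and in the matching paragraphs of the Disclosure of Invention) form a feedback loop: a labelled packet that matches no rule is stored, converted into a rule, and from then on matches. The block below is an added example for this page, not the patent's implementation: a Python list stands in for the rule linked list, a tagged packet is a dict carrying the feature label produced by the detection module, and the format conversion emits a Snort-style `alert` rule whose `msg` carries the label. The field names, the SID numbering (local SIDs from 1000001, which Snort reserves for local rules) and the rule text are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    sid: int
    feature_label: str
    text: str                          # Snort-style rule text derived from the label


class RuleBase:
    """Rule base: the rule list (the patent's rule linked list) plus the abnormal database."""

    def __init__(self, rules, first_sid=1000001):
        self.rules = list(rules)       # a list stands in for the linked list (assumption)
        self.abnormal_db = []          # labelled packets that matched no rule
        self.next_sid = first_sid      # local SID range, as Snort reserves >= 1000000

    def match(self, tagged_pkt):
        """Matching judgment: compare the packet's feature label against every rule in order."""
        for rule in self.rules:
            if rule.feature_label == tagged_pkt["feature_label"]:
                return {"intent": "attack", "sid": rule.sid, "packet": tagged_pkt}
        self.abnormal_db.append(tagged_pkt)   # unmatched: store in the abnormal database
        return {"intent": "non-attack", "sid": None, "packet": tagged_pkt}

    def generate_rule(self, tagged_pkt):
        """Rule generation: extract the label and format-convert it into a new rule (assumed format)."""
        label = tagged_pkt["feature_label"]
        sid, self.next_sid = self.next_sid, self.next_sid + 1
        text = (f'alert tcp any any -> any {tagged_pkt.get("dst_port", "any")} '
                f'(msg:"LR feature {label}"; sid:{sid}; rev:1;)')
        rule = Rule(sid, label, text)
        self.rules.append(rule)        # store the new rule in the rule base
        return rule


def should_alarm(judgment) -> bool:
    """Alarm module: alarm only on an attack intention."""
    return judgment["intent"] == "attack"


def run_pipeline(rule_base, tagged_pkts):
    """Feed labelled packets through matching, alarm and rule generation; returns (sid, label) alarms."""
    alarms = []
    for pkt in tagged_pkts:
        judgment = rule_base.match(pkt)
        if should_alarm(judgment):
            alarms.append((judgment["sid"], pkt["feature_label"]))
        else:
            rule_base.generate_rule(pkt)   # unmatched packet feeds the rule generation module
    return alarms


if __name__ == "__main__":
    rb = RuleBase([Rule(1, "nonprintable_ratio",
                        'alert tcp any any -> any any (msg:"seed rule"; sid:1; rev:1;)')])
    packets = [  # constructed output of the detection module
        {"feature_label": "nonprintable_ratio", "dst_port": 80},
        {"feature_label": "identical_run_ratio", "dst_port": 8080},
        {"feature_label": "identical_run_ratio", "dst_port": 8080},
    ]
    for sid, label in run_pipeline(rb, packets):
        print(f"alarm sid={sid} label={label}")
    for rule in rb.rules:
        print(rule.text)
```

The block reproduces the patent's judgment exactly: the first packet with an unknown label is judged a non-attack intention, raises no alarm, and is converted into a rule, so the second packet with that label alarms. Two points a deployment has to settle: a rule carrying only a `msg` matches every packet to that port once loaded into Snort, so the real conversion must carry packet-derived options such as `content`, and generated rules should be reviewed before they are promoted, since a single mislabelled packet otherwise becomes a permanent alarm source.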
The above description is for the purpose of illustrating embodiments of the invention and is not intended to limit the invention, and it will be apparent to those skilled in the art that any modification, equivalent replacement, or improvement made without departing from the spirit and principle of the invention shall fall within the protection scope of the invention.

Claims (7)

1. The intrusion detection system based on the Snort engine and adopting the logistic regression algorithm, characterized in that it comprises a preprocessing module, a detection module, an alarm module, a rule generation module and a rule base; the preprocessing module preprocesses data packets and sends the preprocessing result to the detection module; the detection module identifies and distinguishes the preprocessing result and sends the abnormal data packets marked with feature labels to the rule base for matching judgment; the rule base performs matching judgment on the abnormal data packets marked with feature labels, sends the matching judgment result to the alarm module, and sends the abnormal data packets whose feature labels were not matched successfully to the rule generation module; the alarm module raises an alarm according to the matching judgment result; and the rule generation module extracts and converts the abnormal data packets whose feature labels were not matched successfully to generate new rules, and stores the new rules in the rule base.
2. The Snort engine-based intrusion detection system adopting a logistic regression algorithm according to claim 1, wherein the rule generation module extracting and converting the abnormal data packets whose feature labels were not matched successfully to generate new rules specifically comprises: the rule generation module identifies and extracts the feature labels of the unmatched abnormal data packets; and the rule generation module converts the format of the extracted feature labels to generate a new rule.
3. The Snort engine-based intrusion detection system adopting a logistic regression algorithm according to claim 1, wherein the detection module using the logistic regression algorithm to identify and distinguish the preprocessing result specifically comprises:
selecting a data set from a network that has not been intruded as the data source of normal data, and selecting the rule base file of a Snort system as the data source of abnormal data;
performing data conversion on the data of the normal data source and of the abnormal data source, training the converted data with a logistic regression algorithm, and determining the parameter values in the logistic regression formula;
calculating the upper and lower thresholds of the logistic regression model, determining the value mapping between the upper and lower thresholds, and judging whether a data packet carries the risk of network attack from the function values of all characteristic parameters of the data packet;
and marking a feature label on each data packet in which a network intrusion risk is detected.
4. The Snort engine-based intrusion detection system adopting a logistic regression algorithm according to claim 1, wherein the preprocessing module comprises a sniffer, a decoder and a preprocessor; the sniffer captures data packets and sends them to the decoder, the decoder decompresses the data packets and sends them to the preprocessor, the preprocessor preprocesses the decompressed data packets, and the preprocessor sends the preprocessing result to the detection module.
5. The Snort engine-based intrusion detection system adopting a logistic regression algorithm according to claim 4, wherein the preprocessing comprises: the preprocessor decodes the decompressed data packet through a preprocessing function, reassembles the decoded data packet, and converts the format of the reassembled data packet.
6. The Snort engine-based intrusion detection system adopting a logistic regression algorithm according to claim 1, wherein the matching judgment comprises: the rule base identifies the feature label of the abnormal data packet and matches it against the rule linked list of the rule base; if the match succeeds, the rule base judges the labelled abnormal data packet to be an attack intention; and if the match fails, the rule base judges it to be a non-attack intention.
7. The Snort engine-based intrusion detection system adopting a logistic regression algorithm according to claim 1, wherein the alarm module is configured to raise an alarm according to the matching judgment result; if the matching judgment result is an attack intention, the alarm module raises an alarm; and if the matching judgment result is a non-attack intention, the alarm module does not raise an alarm.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111186182.2A CN114124446A (en) 2021-10-12 2021-10-12 Intrusion detection system based on Snort engine and adopting logistic regression algorithm


Publications (1)

Publication Number Publication Date
CN114124446A true CN114124446A (en) 2022-03-01

Family

ID=80441755

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111186182.2A Pending CN114124446A (en) 2021-10-12 2021-10-12 Intrusion detection system based on Snort engine and adopting logistic regression algorithm

Country Status (1)

Country Link
CN (1) CN114124446A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102045247A (en) * 2009-10-12 2011-05-04 曙光信息产业(北京)有限公司 Message processing method and device based on Snort rule set
CN104811452A (en) * 2015-04-30 2015-07-29 北京科技大学 Data mining based intrusion detection system with self-learning and classified early warning functions
CN106982230A (en) * 2017-05-10 2017-07-25 深信服科技股份有限公司 A kind of flow rate testing methods and system
CN108712453A (en) * 2018-08-30 2018-10-26 杭州安恒信息技术股份有限公司 Detection method for injection attack, device and the server of logic-based regression algorithm
CN110224990A (en) * 2019-07-17 2019-09-10 浙江大学 A kind of intruding detection system based on software definition security architecture
CN113364750A (en) * 2021-05-26 2021-09-07 浙江工业大学 Method for inducing APT attack to introduce honeypots based on Snort and OpenFlow heuristic method


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
吕秀华 *

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination