CN114124446A - Intrusion detection system based on Snort engine and adopting logistic regression algorithm - Google Patents
Intrusion detection system based on Snort engine and adopting logistic regression algorithm
- Publication number: CN114124446A (application number CN202111186182.2A)
- Authority: CN (China)
- Prior art keywords: module, rule, data packet, abnormal data, logistic regression
- Legal status: Pending
Classifications
- H04L63/1416: Event detection, e.g. attack signature detection (H04L, transmission of digital information; H04L63/14, network security for detecting or protecting against malicious traffic; H04L63/1408, by monitoring network traffic)
- G06F16/2455: Query execution (G06F, electric digital data processing; G06F16/20, information retrieval of structured data, e.g. relational data; G06F16/24, querying; G06F16/245, query processing)
- G06F16/25: Integrating or interfacing systems involving database management systems (G06F16/20, information retrieval of structured data)
- G06F17/18: Complex mathematical operations for evaluating statistical data, e.g. average values, frequency distributions, probability functions, regression analysis (G06F17/10, complex mathematical operations)
- H04L63/12: Applying verification of the received information (H04L63/00, network architectures or protocols for network security)
- H04L63/1425: Traffic logging, e.g. anomaly detection (H04L63/14, detecting or protecting against malicious traffic; H04L63/1408, by monitoring network traffic)
Abstract
The intrusion detection system based on the Snort engine and adopting the logistic regression algorithm comprises a preprocessing module, a detection module, an alarm module, a rule generation module and a rule base. The preprocessing module preprocesses the data packets and sends the preprocessing result to the detection module. The detection module identifies and classifies the preprocessing result and sends the abnormal data packets, marked with feature tags, to the rule base for matching. The rule base performs matching on the tagged abnormal data packets, sends the matching result to the alarm module, and sends the tagged abnormal data packets that were not matched successfully to the rule generation module. The alarm module raises an alarm according to the matching result. The rule generation module extracts and converts the tagged abnormal data packets that were not matched successfully to generate new rules and stores them in the rule base, so that the risk of network intrusion is reduced and the security of network protection is improved.
Description
Technical Field
The invention relates to the technical field of intelligent monitoring of electric power systems, and in particular to an intrusion detection system based on the Snort engine and adopting a logistic regression algorithm.
Background
With the rapid development of the internet, network information technology has become part of every aspect of daily life; while it improves quality of life, it also brings the threat of network attacks. Intrusion detection is a protection technology that ensures system security through security monitoring: it collects information about the devices and the network in a system, analyses and identifies that information, and judges whether abnormal behaviour is present in the system. As an active information security technology, intrusion detection can therefore effectively make up for the shortcomings of traditional protection technologies such as firewalls. Because the gateway carries the communication between the internal network and the external network, an intelligent gateway with network-attack intrusion detection is of great significance for guaranteeing network security. Detection efficiency mainly means that the system can detect all data in the network in time; an existing Snort intrusion detection system does not detect network intrusion risk sufficiently, which is highly unfavourable to the safety of the network environment.
Disclosure of Invention
To overcome the defects of the prior art, the invention provides an intrusion detection system based on the Snort engine and adopting a logistic regression algorithm, so that the risk of network intrusion is reduced and the security of network protection is improved.
To achieve this purpose, the invention adopts the following technical scheme:
the intrusion detection system based on the Snort engine and adopting the logistic regression algorithm comprises a preprocessing module, a detection module, an alarm module, a rule generation module and a rule base. The preprocessing module preprocesses the data packets and sends the preprocessing result to the detection module. The detection module identifies and classifies the preprocessing result and sends the abnormal data packets, marked with feature tags, to the rule base for matching. The rule base performs matching on the tagged abnormal data packets, sends the matching result to the alarm module, stores the tagged abnormal data packets that were not matched successfully in the abnormal database and sends them to the rule generation module. The alarm module raises an alarm according to the matching result. The rule generation module extracts and converts the tagged abnormal data packets that were not matched successfully to generate new rules and stores the new rules in the rule base.
Furthermore, the preprocessing module comprises a sniffer, a decoder and a preprocessor: the sniffer captures the data packets and sends them to the decoder, the decoder decompresses the data packets and sends them to the preprocessor, and the preprocessor preprocesses the decompressed data packets and sends the preprocessing result to the detection module.
Further, the preprocessing specifically includes: the preprocessor decodes the decompressed data packet through a preprocessing function, reassembles the decoded data packet, and converts the format of the reassembled data packet.
Further, the detection module receives the preprocessing result sent by the preprocessing module, identifies and classifies it into normal data packets and abnormal data packets, and sends the abnormal data packets, marked with feature tags, to the rule base for matching.
Further, the detection module uses a logistic regression algorithm to identify and classify the preprocessing result, which specifically comprises:
selecting a data set from a network that has not been intruded as the data source of normal data, and selecting a rule base file of the Snort system as the data source of abnormal data;
performing data conversion on the data of the normal data source and of the abnormal data source, training the converted data with the logistic regression algorithm, and determining the parameter values of the logistic regression formula;
calculating the upper and lower thresholds of the logistic regression model, determining the value mapping between the upper and lower thresholds, and judging whether a data packet carries a risk of network attack from the function value over all feature parameters of the data packet;
and marking a feature tag on each data packet for which a network intrusion risk is detected.
Further, the rule base receives the tagged abnormal data packets sent by the detection module and performs matching on them; the matching works as follows: the rule base identifies the feature tag of the abnormal data packet and matches it against the rule linked list of the rule base; if the match succeeds, the rule base judges the tagged abnormal data packet to be an attack intention; if the match fails, the rule base judges the tagged abnormal data packet to be a non-attack intention. The rule base then sends the matching result to the alarm module.
Further, the rule base stores the tagged abnormal data packets that were not matched successfully and sends them to the rule generation module.
Further, the alarm module receives the matching result sent by the rule base and raises an alarm according to it: if the matching result is an attack intention, the alarm module raises an alarm; if the matching result is a non-attack intention, the alarm module does not raise an alarm.
Further, the rule generation module receives the tagged abnormal data packets that the rule base could not match, and extracts and converts them; the extraction and conversion works as follows: the rule generation module identifies and extracts the feature tags of the abnormal data packets that were not matched successfully; it converts the format of the extracted feature tags to generate a new rule; and it stores the generated new rule in the rule base.
The beneficial effects of the invention are as follows: the detection module identifies and classifies the preprocessing result and sends the tagged abnormal data packets to the rule base for matching; the rule base sends the matching result to the alarm module, stores the tagged abnormal data packets that were not matched successfully in the abnormal database and sends them to the rule generation module; the alarm module raises an alarm according to the matching result; and the rule generation module extracts and converts the unmatched tagged abnormal data packets and stores the generated new rules in the rule base. The risk of network intrusion is thereby reduced, and the security of network protection is improved.
Drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in their description are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic structural diagram of the intrusion detection system based on the Snort engine and adopting a logistic regression algorithm.
Detailed Description
The embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
The embodiments of the present disclosure are described below by way of specific examples; other advantages and effects of the disclosure will be readily apparent to those skilled in the art from the content of this specification. It is to be understood that the described embodiments are merely some, and not all, of the embodiments of the disclosure. The disclosure may be carried out in various other specific embodiments, and various modifications and changes of detail may be made within the description without departing from the spirit of the disclosure. The features of the following embodiments and examples may be combined with each other where they do not conflict. All other embodiments that a person skilled in the art can derive from the embodiments disclosed herein without creative effort fall within the protection scope of the present disclosure.
The first embodiment is as follows:
the intrusion detection system based on the Snort engine and adopting the logistic regression algorithm comprises a preprocessing module, a detection module, an alarm module, a rule generation module and a rule base. The preprocessing module preprocesses the data packets and sends the preprocessing result to the detection module. The detection module identifies and classifies the preprocessing result and sends the abnormal data packets, marked with feature tags, to the rule base for matching. The rule base performs matching on the tagged abnormal data packets, sends the matching result to the alarm module, stores the tagged abnormal data packets that were not matched successfully in the abnormal database and sends them to the rule generation module. The alarm module raises an alarm according to the matching result. The rule generation module extracts and converts the tagged abnormal data packets that were not matched successfully to generate new rules and stores the new rules in the rule base.
The preprocessing module comprises a sniffer, a decoder and a preprocessor. The sniffer captures the data packets and sends them to the decoder; the decoder decompresses the data packets and sends them to the preprocessor; the preprocessor preprocesses the decompressed data packets, the preprocessing being as follows: the preprocessor decodes the decompressed data packet through a preprocessing function, reassembles the decoded data packet and converts the format of the reassembled data packet. The preprocessor then sends the preprocessing result to the detection module.
The detection module receives the preprocessing result sent by the preprocessing module, identifies and classifies it into normal data packets and abnormal data packets, and sends the abnormal data packets, marked with feature tags, to the rule base for matching. The detection module uses a logistic regression algorithm for this identification and classification, which specifically comprises the following steps:
selecting a data set from a network that has not been intruded as the data source of normal data, and selecting a rule base file of the Snort system as the data source of abnormal data;
performing data conversion on the data of the normal data source and of the abnormal data source, training the converted data with the logistic regression algorithm, and determining the parameter values of the logistic regression formula;
calculating the upper and lower thresholds of the logistic regression model, determining the value mapping between the upper and lower thresholds, and judging whether a data packet carries a risk of network attack from the function value over all feature parameters of the data packet;
and marking a feature tag on each data packet for which a network intrusion risk is detected.
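The four logistic regression steps above (and the identical steps in the Disclosure section) are stated only in outline. The following Python program is an added example, not code from the patent, that carries them through on constructed data: a handful of packets assumed to come from a non-intruded network serve as the normal source, the destination port and `content` of each rule in a constructed Snort rule file serve as the abnormal source, both are converted into a three-feature vector (scaled payload length, share of non-printable bytes, uncommon destination port; all three features are assumptions), a logistic regression is trained by gradient descent, the upper and lower thresholds are taken as the lowest score on abnormal training data and the highest score on normal training data (an assumed reading of the patent's thresholds), scores between them are mapped linearly onto a risk value, and a feature tag is attached to packets whose risk is at least 0.5. The `lr:dport=...:nonprint=...` tag format is likewise an assumption.

```python
import math
import re

# Constructed sample data (assumptions, not taken from the patent).
# Normal data source: packets assumed to be captured on a network that was not intruded.
NORMAL_SOURCE = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    (80, b"POST /login HTTP/1.1\r\nHost: intranet.example\r\nContent-Length: 20\r\n\r\nuser=alice&session=1"),
    (25, b"EHLO mail.example\r\nMAIL FROM:<alice@example>\r\n"),
    (443, b"GET /api/status HTTP/1.1\r\nHost: app.example\r\n\r\n"),
    (53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x07example\x03com\x00\x00\x01\x00\x01"),
]
# Abnormal data source: a constructed Snort rule file; the destination port and the
# content of each rule stand in for one abnormal packet.
SNORT_RULE_FILE = """
alert tcp any any -> $HOME_NET 4444 (msg:"CONSTRUCTED binary blob to port 4444"; content:"|90 90 90 90 90 90 90 90 90 90 90 90|"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 31337 (msg:"CONSTRUCTED binary blob to port 31337"; content:"|00 00 00 00 ff ff ff ff 00 00 00 00|"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"CONSTRUCTED binary blob in web request"; content:"|01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10|"; sid:1000003; rev:1;)
alert udp any any -> $HOME_NET 6666 (msg:"CONSTRUCTED binary blob to port 6666"; content:"|de ad be ef de ad be ef de ad be ef|"; sid:1000004; rev:1;)
"""
RULE_RE = re.compile(r"^alert\s+\S+\s+\S+\s+\S+\s+->\s+\S+\s+(\d+)\s+\((.*)\)\s*$")
CONTENT_RE = re.compile(r'content:"([^"]*)"')
COMMON_PORTS = {25, 53, 80, 443}  # assumption: the services expected on the monitored network


def snort_content_to_bytes(content):
    """Convert a Snort content string, with |hex| sections, into bytes."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        out.extend(bytes.fromhex(part) if i % 2 else part.encode("latin-1"))
    return bytes(out)


def abnormal_samples_from_rules(rule_text):
    """Data conversion of the rule file: one (dport, content bytes) sample per rule."""
    samples = []
    for line in rule_text.splitlines():
        m = RULE_RE.match(line.strip())
        c = CONTENT_RE.search(m.group(2)) if m else None
        if c:
            samples.append((int(m.group(1)), snort_content_to_bytes(c.group(1))))
    return samples


def packet_features(dport, payload):
    """Feature parameters: scaled length, share of non-printable bytes, uncommon destination port."""
    n = max(len(payload), 1)
    nonprint = sum(1 for b in payload if b < 0x20 or b > 0x7E) / n
    return [min(len(payload), 1500) / 1500.0, nonprint, 0.0 if dport in COMMON_PORTS else 1.0]


def sigmoid(z):  # numerically safe for large |z|
    return 1.0 / (1.0 + math.exp(-z)) if z >= 0 else math.exp(z) / (1.0 + math.exp(z))


def train_logistic_regression(X, y, lr=0.5, epochs=3000):
    """Batch gradient descent on the logistic loss; returns the parameters (weights, bias)."""
    w, b = [0.0] * len(X[0]), 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * len(w), 0.0
        for xi, yi in zip(X, y):
            err = sigmoid(sum(wj * xj for wj, xj in zip(w, xi)) + b) - yi
            gw = [g + err * xj for g, xj in zip(gw, xi)]
            gb += err
        w = [wj - lr * g / len(X) for wj, g in zip(w, gw)]
        b -= lr * gb / len(X)
    return w, b


class LRDetector:
    def __init__(self, normal_source, rule_text):
        normal = [packet_features(p, d) for p, d in normal_source]
        abnormal = [packet_features(p, d) for p, d in abnormal_samples_from_rules(rule_text)]
        labels = [0.0] * len(normal) + [1.0] * len(abnormal)
        self.w, self.b = train_logistic_regression(normal + abnormal, labels)
        # Thresholds (assumed reading of the patent): highest score on normal training
        # data is the lower threshold, lowest score on abnormal training data the upper one.
        self.lower = max(self.score(x) for x in normal)
        self.upper = min(self.score(x) for x in abnormal)

    def score(self, x):
        return sigmoid(sum(wj * xj for wj, xj in zip(self.w, x)) + self.b)

    def risk(self, dport, payload):
        """Value mapping: 0 at or below the lower threshold, 1 at or above the upper one."""
        s = self.score(packet_features(dport, payload))
        if self.upper <= self.lower:  # overlapping thresholds: fall back to the raw probability
            return s
        return min(1.0, max(0.0, (s - self.lower) / (self.upper - self.lower)))

    def detect(self, dport, payload):
        """Return the packet with a feature tag when intrusion risk is detected, else None."""
        r = self.risk(dport, payload)
        if r < 0.5:
            return None
        level = "high" if packet_features(dport, payload)[1] > 0.5 else "low"
        return {"dport": dport, "payload": payload, "risk": round(r, 3),
                "feature_tag": f"lr:dport={dport}:nonprint={level}"}
```

Construct `LRDetector(NORMAL_SOURCE, SNORT_RULE_FILE)` and call `detect(dport, payload)` per packet. When the two thresholds overlap, which happens when the two training sources are not separable, the mapping falls back to the raw probability; a deployment should watch for that case, since it means the rule-derived abnormal data no longer distinguishes itself from the normal baseline and the tags become unreliable.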
The rule base receives the tagged abnormal data packets sent by the detection module and performs matching on them; the matching works as follows: the rule base identifies the feature tag of the abnormal data packet and matches it against the rule linked list of the rule base; if the match succeeds, the rule base judges the tagged abnormal data packet to be an attack intention; if the match fails, the rule base judges the tagged abnormal data packet to be a non-attack intention. The rule base then sends the matching result to the alarm module, stores the tagged abnormal data packets that were not matched successfully in the abnormal database and sends them to the rule generation module.
The alarm module receives the matching result sent by the rule base, and whether it raises an alarm is decided by the matching result: if the matching result is an attack intention, the alarm module raises an alarm; if the matching result is a non-attack intention, the alarm module does not raise an alarm.
The rule generation module receives the tagged abnormal data packets that the rule base could not match, and extracts and converts them; the extraction and conversion works as follows: the rule generation module identifies and extracts the feature tags of the abnormal data packets that were not matched successfully; it converts the format of the extracted feature tags to generate a new rule; and it stores the generated new rule in the rule base.
The above description is only intended to illustrate embodiments of the invention and not to limit it; it will be apparent to those skilled in the art that any modification, equivalent replacement or improvement made without departing from the spirit and principle of the invention falls within the protection scope of the invention.
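The rule base, alarm module and rule generation module described in the three paragraphs above form a loop whose behaviour on a first unseen packet is easiest to see in code. The following Python program is an added example, not the patent's code; the layout of the feature tag (protocol, destination port, content bytes), the use of content containment for matching, the `sid` numbering and the choice of the first eight content bytes as the generated rule's `content` are all assumptions. It keeps the rule base as a linked list, passes three constructed tagged packets through matching, alarm and rule generation, and renders generated rules in Snort syntax.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One node of the rule base's rule linked list (constructed layout)."""
    sid: int
    proto: str
    dport: int
    content: bytes
    msg: str
    next: Optional["Rule"] = None

    def matches(self, tag: dict) -> bool:
        # Matching on the feature tag: same protocol and destination port, and the
        # rule's content contained in the tagged content (assumption).
        return (self.proto == tag["proto"] and self.dport == tag["dport"]
                and self.content in tag["content"])

    def to_snort(self) -> str:
        # Format conversion of the rule into Snort rule syntax.
        hexbytes = " ".join(f"{b:02x}" for b in self.content)
        return (f"alert {self.proto} any any -> $HOME_NET {self.dport} "
                f'(msg:"{self.msg}"; content:"|{hexbytes}|"; sid:{self.sid}; rev:1;)')


class RuleBase:
    """Rule linked list plus the abnormal database that keeps unmatched tagged packets."""
    def __init__(self, rules):
        self.head: Optional[Rule] = None
        self.next_sid = 1000000
        self.abnormal_db = []
        for rule in rules:
            self.append(rule)

    def append(self, rule: Rule) -> None:
        self.next_sid = max(self.next_sid, rule.sid + 1)
        if self.head is None:
            self.head = rule
            return
        node = self.head
        while node.next is not None:
            node = node.next
        node.next = rule

    def match(self, packet: dict) -> Optional[Rule]:
        node = self.head
        while node is not None:
            if node.matches(packet["feature_tag"]):
                return node
            node = node.next
        return None


def generate_rule(rule_base: RuleBase, packet: dict) -> Rule:
    """Rule generation module: extract the feature tag of an unmatched packet and convert it
    into a new rule; the first 8 content bytes become the rule's content (assumption)."""
    tag = packet["feature_tag"]
    return Rule(sid=rule_base.next_sid, proto=tag["proto"], dport=tag["dport"],
                content=tag["content"][:8], msg=f"AUTO-GENERATED from tag dport={tag['dport']}")


def process_tagged_packet(rule_base: RuleBase, alarm_log: list, packet: dict) -> str:
    """Rule base matching, then either the alarm module or the abnormal database and
    rule generation module, exactly as the description orders them."""
    rule = rule_base.match(packet)
    if rule is not None:
        alarm_log.append(f"ALARM sid={rule.sid}: {rule.msg}")  # alarm module raises an alarm
        return "attack intention"
    rule_base.abnormal_db.append(packet)  # unmatched: stored, no alarm
    rule_base.append(generate_rule(rule_base, packet))
    return "non-attack intention"


def initial_rules():
    # Constructed starting rule base: one rule.
    return [Rule(1000001, "tcp", 4444, b"\x90" * 8, "CONSTRUCTED binary blob to port 4444")]


# Constructed feature-tagged abnormal packets as handed over by the detection module.
PACKETS = [
    {"id": 1, "feature_tag": {"proto": "tcp", "dport": 4444, "content": b"\x90" * 32}},
    {"id": 2, "feature_tag": {"proto": "udp", "dport": 6666, "content": b"\xde\xad\xbe\xef" * 4}},
    {"id": 3, "feature_tag": {"proto": "udp", "dport": 6666, "content": b"\xde\xad\xbe\xef" * 4}},
]


def run_demo():
    """Run the three packets through the loop; returns (results, alarm log, rule base)."""
    rule_base = RuleBase(initial_rules())
    alarm_log = []
    results = [process_tagged_packet(rule_base, alarm_log, p) for p in PACKETS]
    return results, alarm_log, rule_base
```

Calling `run_demo()` shows the consequence of the loop as the description defines it: packet 1 matches the existing rule and raises an alarm; packet 2 matches nothing, is judged a non-attack intention, raises no alarm and only produces rule `sid:1000002`; packet 3, identical to packet 2, then matches that generated rule and does raise an alarm. The abnormal database therefore deserves its own review in a deployment, because it holds exactly the tagged packets the system did not alert on.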
Claims (7)
1. An intrusion detection system based on the Snort engine and adopting a logistic regression algorithm, characterized in that it comprises a preprocessing module, a detection module, an alarm module, a rule generation module and a rule base; the preprocessing module preprocesses the data packets and sends the preprocessing result to the detection module; the detection module identifies and classifies the preprocessing result and sends the abnormal data packets, marked with feature tags, to the rule base for matching; the rule base performs matching on the tagged abnormal data packets, sends the matching result to the alarm module, and sends the tagged abnormal data packets that were not matched successfully to the rule generation module; the alarm module raises an alarm according to the matching result; and the rule generation module extracts and converts the tagged abnormal data packets that were not matched successfully to generate new rules, and stores the new rules in the rule base.
2. The Snort engine-based intrusion detection system adopting a logistic regression algorithm according to claim 1, wherein the rule generation module extracting and converting the tagged abnormal data packets that were not matched successfully to generate new rules specifically comprises: the rule generation module identifies and extracts the feature tags of the abnormal data packets that were not matched successfully; and the rule generation module converts the format of the extracted feature tags to generate a new rule.
3. The Snort engine-based intrusion detection system adopting a logistic regression algorithm according to claim 1, wherein the detection module identifying and classifying the preprocessing result by means of the logistic regression algorithm specifically comprises:
selecting a data set from a network that has not been intruded as the data source of normal data, and selecting a rule base file of the Snort system as the data source of abnormal data;
performing data conversion on the data of the normal data source and of the abnormal data source, training the converted data with the logistic regression algorithm, and determining the parameter values of the logistic regression formula;
calculating the upper and lower thresholds of the logistic regression model, determining the value mapping between the upper and lower thresholds, and judging whether a data packet carries a risk of network attack from the function value over all feature parameters of the data packet;
and marking a feature tag on each data packet for which a network intrusion risk is detected.
4. The Snort engine-based intrusion detection system adopting a logistic regression algorithm according to claim 1, wherein the preprocessing module comprises a sniffer, a decoder and a preprocessor; the sniffer captures the data packets and sends them to the decoder, the decoder decompresses the data packets and sends them to the preprocessor, and the preprocessor preprocesses the decompressed data packets and sends the preprocessing result to the detection module.
5. The Snort engine-based intrusion detection system adopting a logistic regression algorithm according to claim 4, wherein the preprocessing comprises: the preprocessor decodes the decompressed data packet through a preprocessing function, reassembles the decoded data packet, and converts the format of the reassembled data packet.
6. The Snort engine-based intrusion detection system adopting a logistic regression algorithm according to claim 1, wherein said matching comprises: the rule base identifies the feature tag of the abnormal data packet and matches it against the rule linked list of the rule base; if the match succeeds, the rule base judges the tagged abnormal data packet to be an attack intention; and if the match fails, the rule base judges the tagged abnormal data packet to be a non-attack intention.
7. The Snort engine-based intrusion detection system adopting a logistic regression algorithm according to claim 1, wherein the alarm module is configured to raise an alarm according to the matching result: if the matching result is an attack intention, the alarm module raises an alarm; and if the matching result is a non-attack intention, the alarm module does not raise an alarm.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111186182.2A CN114124446A (en) | 2021-10-12 | 2021-10-12 | Intrusion detection system based on Snort engine and adopting logistic regression algorithm |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114124446A true CN114124446A (en) | 2022-03-01 |
Family
ID=80441755
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111186182.2A Pending CN114124446A (en) | 2021-10-12 | 2021-10-12 | Intrusion detection system based on Snort engine and adopting logistic regression algorithm |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114124446A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102045247A (en) * | 2009-10-12 | 2011-05-04 | 曙光信息产业(北京)有限公司 | Message processing method and device based on Snort rule set |
CN104811452A (en) * | 2015-04-30 | 2015-07-29 | 北京科技大学 | Data mining based intrusion detection system with self-learning and classified early warning functions |
CN106982230A (en) * | 2017-05-10 | 2017-07-25 | 深信服科技股份有限公司 | A kind of flow rate testing methods and system |
CN108712453A (en) * | 2018-08-30 | 2018-10-26 | 杭州安恒信息技术股份有限公司 | Detection method for injection attack, device and the server of logic-based regression algorithm |
CN110224990A (en) * | 2019-07-17 | 2019-09-10 | 浙江大学 | A kind of intruding detection system based on software definition security architecture |
CN113364750A (en) * | 2021-05-26 | 2021-09-07 | 浙江工业大学 | Method for inducing APT attack to introduce honeypots based on Snort and OpenFlow heuristic method |
- 2021-10-12 CN CN202111186182.2A patent/CN114124446A/en active Pending
Non-Patent Citations (1)
Title |
---|
吕秀华 * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109600363B (en) | Internet of things terminal network portrait and abnormal network access behavior detection method | |
CN111669375B (en) | Online safety situation assessment method and system for power industrial control terminal | |
CN107241358B (en) | Smart home intrusion detection method based on deep learning | |
US20120090027A1 (en) | Apparatus and method for detecting abnormal host based on session monitoring | |
CN112953971B (en) | Network security flow intrusion detection method and system | |
CN109143848A (en) | Industrial control system intrusion detection method based on FCM-GASVM | |
CN101778112A (en) | Network attack detection method | |
CN111709034A (en) | Machine learning-based industrial control environment intelligent safety detection system and method | |
CN113704328B (en) | User behavior big data mining method and system based on artificial intelligence | |
CN106411644A (en) | Network sharing device detection method and system based on DPI technology | |
CN113315771A (en) | Safety event warning device and method based on industrial control system | |
CN114079579A (en) | Malicious encrypted flow detection method and device | |
CN112333023A (en) | Intrusion detection system based on flow of Internet of things and detection method thereof | |
CN111757327A (en) | Method and device for identifying counterfeit DHCP server or gateway in wireless network | |
CN112367315B (en) | Endogenous safe WAF honeypot deployment method | |
CN114124446A (en) | Intrusion detection system based on Snort engine and adopting logistic regression algorithm | |
CN104917757A (en) | Event-triggered MTD protection system and method | |
CN110636077A (en) | Network security protection system and method based on unified platform | |
CN111371750A (en) | Intrusion prevention system and intrusion prevention method based on computer network | |
CN111126167A (en) | Method and system for quickly identifying series activities of multiple specific persons | |
CN114726607B (en) | Network security monitoring system based on switch monitoring network data | |
CN113660210B (en) | Training method, detection method and terminal for malicious TLS encrypted traffic detection model | |
CN113542222B (en) | Zero-day multi-step threat identification method based on dual-domain VAE | |
CN115242441A (en) | Network intrusion detection method based on feature selection and deep neural network | |
CN114285596A (en) | Transformer substation terminal account abnormity detection method based on machine learning |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||