KR100738550B1 - Network intrusion detection system using genetic algorithm and method thereof - Google Patents

Abstract

A network intrusion detecting system using a genetic algorithm and its method are provided to extract packet information to which greater importance is given among information of TCP/IP packets, and improve a detection speed and a detection rate by checking a received packet by using only important packet information. A packet feature selecting module(11) selects at least one reference field for determining whether a network has been invaded or not by applying a genetic algorithm using an evaluation function to which importance of each packet field is reflected. A packet gathering module(12) gathers packets existing in a network. A packet pre-processing module(13) extracts information of a reference field selected by the packet feature selecting module(11) among the gathered packets. An intrusion detection engine module(14) determines whether the network has been invaded or not by using information of the extracted reference field.

Description

Network Intrusion Detection System using Genetic Algorithm and Method Thereof}

1 is a block diagram showing an evolution process according to a genetic algorithm for network packet feature selection.

Figure 2 is a block diagram showing the structure of a network intrusion detection system according to an embodiment of the present invention.

3 is a flowchart illustrating a network intrusion detection method according to another embodiment of the present invention.

4 is a flowchart illustrating a packet feature selection method according to another embodiment of the present invention.

5 is a flowchart illustrating a network intrusion detection method according to another embodiment of the present invention.

<Description of the symbols for the main parts of the drawings>

10: network intrusion detection system 11: packet feature selection module

12: packet collection module 13: packet preprocessing module

14: intrusion detection engine module 20: display device

The present invention relates to a network intrusion detection system and method using the genetic algorithm.

In the field of pattern recognition, the present invention relates to a feature selection technique for selecting an input value having a characteristic that is more suitable for solving a problem among given input values. This feature selection technique can be applied to the field of extracting packet information necessary for intrusion determination in the field of network intrusion detection. In particular, the present invention relates to a method of applying a genetic algorithm to a feature selection technique.

The genetic algorithm was introduced by John Holland of the University of Michigan and is known as an optimization solution search algorithm based on survival of the fittest and the biological characteristics of heredity.

Genetic algorithms repeat the evolutionary process shown in Figure 1, select, crossover, and sometimes mutate only those genes that adapt well to a given environment, reproducing superior genetic traits for the next generation. )do. Thus, it is based on the theory that as evolution evolves, only those genes that are more suitable for a given environment will remain.

A conventional technique of feature extraction through a general genetic algorithm is an example of extracting an optimal handwriting recognition characteristic by applying a potential handwriting characteristic that can be used for number recognition to a genetic algorithm method in order to recognize a handwritten number. An example of an attempt was made to use genetic algorithms to find the best management indicators related to a company's financial structure.

The Snort method is a feature selection method that has been applied in the network intrusion detection field. Snort system is a representative public intrusion detection system and does not go through a separate preprocessing process for field selection. However, the packet reassembly using a specific header field or a part of payload is compared according to the attack characteristics. In addition, a ranking based method is used to find fields that are optimized and reflected in intrusion detection characteristics. This ranking-based scheme derives 1 to n competition results for all feature fields and selects the top ranked fields as the primary feature reflecting field.

The conventional packet feature selection method has the following problems. First, the existing network intrusion detection system does not attach importance to each meaning of network fields used for collecting information for the basis of intrusion judgment. That is, when selecting the fields that are criteria for determining network intrusion, weights are not given according to the importance between the fields. Second, when using the network intrusion detection method based on the learning algorithm, it is difficult to find a clear extraction basis for the selected fields. Finally, when extracting the information inside the packet, it is difficult to apply universally because the extracted information itself depends on the experimental method that attempted detection.

Accordingly, the present invention is to solve the problems according to the prior art, a genetic algorithm for assigning importance to each field in order to extract the optimal packet information, and selecting the characteristics of the packet using the evaluation function considering the importance It is an object of the present invention to provide a network intrusion detection system and method thereof.

The network intrusion detection method according to an aspect of the present invention comprises the steps of: generating at least one sample packet, calculating an intrusion suitability value by substituting a field value of the sample packet into a variable of the evaluation function, wherein the intrusion suitability value is When the sample packet is greater than a predetermined reference value, and the step of remaining the sample packet, and determining the network intrusion by measuring the similarity between the packet collected from the network and the remaining sample packet.

In this case, the evaluation function reflecting the importance of each field of the sample packet is characterized in that the field of the packet reflects an anomaly score used for an abnormal behavior attack and a communication score which is field characteristic information. .

에 대입하여 침입 적합도 값을 계산된다. 여기서

는 패킷의

번째 필드가 비정상적인 공격에 사용된 횟수,

는 샘플 패킷의

번째 필드의 값,

,

,

는 각각 정적(Static), 종속(Dependent), 동적(Dynamic) 속성을 가지는 필드의 개수,

,

,

는 각각 정적, 종속, 동적 속성을 가지는 필드의 반영 계수,

는 소정의 바이어스 값이다. 또한, 상기

,

,

는 1:2:3의 비율을 갖게 된다.Also, the intrusion suitability value of the sample packet may be equal to the sample packet field information.

Intrusion fit values are calculated by substituting for. here

Of the packet

The number of times the first field was used in an unusual attack,

Of the sample packet

The value of the first field,

,

,

Is the number of fields each having static, dependent, and dynamic properties,

,

,

Is a reflection coefficient of a field with static, dependent, and dynamic properties,

Is a predetermined bias value. Also, the

,

,

Has a ratio of 1: 2: 3.

The network intrusion detection method according to another aspect of the present invention comprises the steps of selecting at least one field for determining whether the network intrusion by using a genetic algorithm using an evaluation function reflecting the importance of each field of the packet and among the packets collected from the network And extracting information of the selected field to determine whether a network is invaded.

Selecting a field for determining network intrusion using the genetic algorithm may include generating at least one sample packet and calculating the intrusion suitability value by substituting the sample packet field value into a variable of the evaluation function. And remaining only the sample packets having the intrusion suitability value equal to or greater than a predetermined reference value, and selecting a field for determining network intrusion using the remaining sample packet fields.

Network intrusion detection system according to another aspect of the present invention is a packet feature selection module for selecting at least one field for determining whether the network intrusion using a genetic algorithm using an evaluation function reflecting the importance of each field of the packet, on the network A packet collection module for collecting packets present in the packet, a packet preprocessing module for extracting field information selected by the packet feature selection module among the collected packets, and an intrusion detection for determining network intrusion using the extracted field information It includes an engine module.

In this case, the packet feature selection module may include a sample packet generator for generating at least one sample packet, an evaluation function calculator for assigning a bit value of the generated sample packet field to a variable of the evaluation function and calculating an intrusion suitability value; And a sample packet selection unit for selecting a sample packet having the calculated intrusion suitability value equal to or greater than a predetermined reference value, and a feature field selection unit for selecting a field for determining network intrusion using the selected sample packet field. .

Hereinafter, a network intrusion detection system using the genetic algorithm according to the present invention and a method thereof will be described in detail with reference to the accompanying drawings.

1 is a block diagram illustrating an evolution process according to a genetic algorithm for network packet feature selection.

In FIG. 1, a packet feature selection control apparatus for applying at least one packet and the packet to a genetic algorithm may be described.

In this case, a set of packets may be represented by one gene pool. In FIG. 1, there are four packets in the gene pool. It can be seen that the first to fourth packets have values of 01000, 10110, 11010, and 01011, respectively. In this case, the values of the packet can be compared to the genetic factor.

The packet feature selection control device evaluates each packet of the gene pool using a kind of evaluation function. Each packet calculates an evaluation function using the field values of the packet. If the value resulting from the calculation is larger than the bias value preset by the network administrator, the packet is selected. On the contrary, if the calculated value is smaller than the bias value, the packet is culled. By repeating these lessons, the remaining packets can be examined to identify the fields of packets that are closely related to the characteristics desired by the network administrator.

Of course, not only this selection method but also a hybrid method for substituting some of the information of the selected packet and a mutation mutation method in which some of the information of the selected packet is changed may be applied.

As described above, the first step in applying TCP / IP packet information to the genetic algorithm is to consider each of the header fields of the TCP / IP packet as a binary gene string. That is, the information in the TCP / IP header is converted into a form of 1 or 0, and the modified binary values refer to a trait of the genetic individual. In this case, a value of 1 means that a specific trait is present, and a value of 0 means that the specific trait is not present.

In the present invention, in order to consider the TCP header 11 fields and the IP header 13 fields, one gene entity is composed of a binary string of 24 bits in total. Of course, in the present invention, a 24-bit gene entity is assumed to select a feature of the TCP / IP packet, but a binary string having a different number of bits may be considered depending on the type of the header such as the RTP header and the UDP header.

Each entity is initialized to a random value at the beginning of the initial genetic algorithm, and the network administrator must determine the appropriate total number of individuals. In the present invention, the total population is assumed to be 100. In this case, if the number of individuals is too small, the genetic evolutionary process may not take place so that all individuals can converge in the direction of having the same genetic trait. If too large, the gene string calculation takes too much time and the efficiency of the whole genetic process is reduced. Becomes bad.

2 is a block diagram showing the structure of a network intrusion detection system according to an embodiment of the present invention.

As shown in FIG. 2, the network intrusion detection system 10 may include a packet collection module 12, a packet preprocessing module 13, a packet feature selection module 11, an intrusion detection engine module 14, and the like. .

The packet gathering module 12 is a device that collects a packet that satisfies a predetermined condition among packets traveling on a network. In case of transmitting / receiving to a specific IP address under the predetermined condition, transmitting to a specific IP class, transmitting to a specific port, and the like.

The packet feature selecting module 11 is a component that applies a genetic algorithm and its evaluation function to extract only field information related to the intrusion process and informs the packet preprocessing module 13 of the field information. The packet feature selection module 11 is a component that implements the core technical idea of the present invention.

The packet feature selection module 11 may include a sample packet generator 15, an evaluation function calculator 16, a sample packet selector 17, a feature field selector 18, and the like.

The sample packet generator 15 is a component that generates at least one sample packet for applying a genetic algorithm. The evaluation function calculator 16 calculates the intrusion suitability value by assigning the bit value of the generated sample packet field to the variable of the evaluation function. The evaluation function calculated by the evaluation function calculation unit 16 will be described later in detail.

The sample packet selection unit 17 is responsible for selecting a sample packet having the intrusion suitability value calculated as described above or greater than a predetermined reference value. The feature field selector 17 then passes the field having a value of 1 of the selected sample packet field to the packet preprocessing module 13. This is because, as described above, a value of 1 means that a particular trait is present, and a value of 0 means that a particular trait is not present.

The packet pre-processing module 13 is a component that extracts, replaces, and changes only necessary fields before analyzing the collected packets. In this case, the packet field information related to the intrusion process may be received from the feature field selector 18 of the packet feature selection module 11, and only the information corresponding to the field may be extracted from the packets received by the packet collection module 12. . The extracted information is transferred to an intrusion detection engine module 14.

The intrusion detection engine module 14 compares the field information transmitted from the packet preprocessing module 13 with previously stored intrusion patterns to determine whether a packet collected from the network is a packet for network intrusion.

Hereinafter, a method of extracting only important field information by the packet feature selection module 11 using an evaluation function will be described in detail.

는 목적 함수

와 이 목적 함수를 실제 유전자 프로세스에 적합한 것으로 변환하여 주는 보정 함수

를 포함하여 다음 수식에 의하여 표현될 수 있다.First, an evaluation function for evaluating the suitability of each genetic individual will be described. Evaluation function

Is the objective function

And a correction function that converts this objective function to one suitable for the actual genetic process

It can be represented by the following formula including.

……… (1)

… … … (One)

의 값을 보정 함수

에 적용함으로써 유도된 최종 평가 함수 F(x)에 의하여 패킷의 상대적 적합도 값을 체크할 수 있다. 본 발명에서는 보다 중요한 필드를 선택하기 위하여 상기 목적 함수

에 TCP/IP 필드 특성을 반영한다.Packet feature selection module objective function

Correction function

The relative evaluation value of the packet can be checked by the final evaluation function F (x) derived by applying to. In the present invention, the objective function is used to select more important fields.

Reflect TCP / IP field characteristics.

Table 1 shows the Anomaly Score, which indicates how many fields of a TCP / IP packet were used for an existing abnormal attack, and the Communication Score, which reflects the characteristics of each field used during normal communication. It is composed.

Index Number Name of Coefficients Anomaly Score Communication Score 01 a01 (Version) 0 S 02 a02 (Header Length) 0 De 03 a03 (Type of Service) 0 S 04 a04 (Total Length) 0 De 05 a05 (Identification) 2 Dy 06 a06 (Flags) 5 Dy 07 a07 (Fragment Offset) 5 Dy 08 a08 (Time to Live) One Dy 09 a09 (Protocol) One S 10 a10 (Header Checksum) 0 De 11 a11 (Source Address) 2 S 12 a12 (Destination Address) One S 13 a13 (Options) One S 14 a14 (Source Port) One S 15 a15 (Destination Port) One S 16 a16 (Sequence Number) 2 Dy 17 a17 (Acknowledge Number) 2 Dy 18 a18 (Offset) One Dy 19 a19 (Reserved) One S 20 a20 (Flags) 2 Dy 21 a21 (Window) 0 S 22 a22 (Checksum) 0 De 23 a23 (Urgent Pointer) One S 24 a24 (Options) One S

In the case of an abnormal score, the number of times used for an abnormal attack is checked for each packet field, and the importance is measured in proportion thereto. The importance measured in this way is of course reflected in the evaluation function.

Similarly, in the case of communication scores, the characteristics of fields generally used in packet transmission and reception are divided into three categories, static, dynamic, and dependent, so that each importance is reflected in the genetic algorithm evaluation function. do.

In order to reflect the abnormal score or the communication score in the genetic algorithm evaluation function, each score is used as a coefficient of the polynomial for calculating the evaluation function. The evaluation function may be classified into an abnormal score function for reflecting an abnormal score and a communication score function for reflecting a communication score. The two functions are each expressed as a polynomial, and the result of calculating the polynomial is used as a measure for determining the fitness of the genetic individual. Since the calculation result is different by the polynomial coefficient, the abnormal score and the communication score are reflected in the evaluation function.

는 이상 스코어 함수인

와 통신 스코어 함수인

를 이용하여 다음 수식과 같이 표현될 수 있다.Objective function

Is an ideal score function

Communication score function

It can be expressed as the following equation using.

…… (2)

… … (2)

는 모든 개체의 집합, 그리고

는 모든 개체 집합의 개수이다. 여기서

는 하나의 개체를 의미하며 본 발명에서 한 개체는 24개의 속성을 가진다.

Is a set of all objects, and

Is the number of all object sets. here

Means one entity and in the present invention one entity has 24 properties.

를 추가하여 다음과 같이 새로운 목적 함수

를 고려하기로 한다.Here, the object selection according to the evaluation function of Equation (2) can sometimes select too many objects. Therefore, the bias variable that can control the number of object selection in the objective function for object selection of genetic algorithm

Add a new objective function as follows:

Let's consider.

…… (3)

… … (3)

는 새로운 목적 함수

의 바이어스 값이며, 이 때

값은

의 범주를 가짐으로써 새로운 목적 함수

는 기존의 바이어스를 가지지 않는 목적 함수

의 최대값보다 작은 값을 가지게 된다. 결론적으로, 바이어스 값

를 이용하여 너무 많은 개체가 선택되는 것을 방지할 수 있는 것이다.Where the bias variable

Is the new objective function

Is the bias value of

The value is

New objective function by having

Is an objective function with no existing bias

It will have a value smaller than the maximum value of. In conclusion, the bias value

You can use to prevent too many objects from being selected.

의 두 평가 함수

와

에 대하여 설명하기로 한다.Next, the objective function derived from equation (3)

Two evaluation functions

Wow

This will be described.

의 경우 표 1의 이상 스코어 값을 계수로 가지는 다항식

를 생각할 수 있다.first,

For polynomials, the coefficients for the outliers in Table 1 are coefficients.

You can think of

…… (4)

… … (4)

의 값은 0이고,

의 값은 12,

의 값은 1이 된다.Where i may have a value from 1 to 24, where A = {a _i ,... , a ₂ , a ₁ } means a set of coefficients of the polynomial function. Each coefficient, which is an element of this set, represents an ideal score value in Table 1. In other words,

Has a value of 0,

The value of is 12,

The value of 1 is 1.

When using the objective function (4), an over fitting phenomenon occurs, where too high an evaluation value is generated.Too many objects are selected using a bias value as shown in Equation (3), and the evolution process is appropriately performed. It is possible to prevent the overfit phenomenon that is not performed.

를 고려한 새로운 이상 스코어 함수를 유도한다. 이 때 바이어스

는 수식 (4)에서의 다항식

에만 적용되는 변수이다. 역시 이 바이어스의 최대값은 수식 (4)의 이상 스코어 함수인

의 최대값을 넘지 못한다.Bias in order to prevent overfitting of the abnormal score function of equation (4)

A new ideal score function is considered. When the bias

Is the polynomial in equation (4)

Variables that apply only to Again, the maximum value of this bias is the ideal score function of equation (4)

Do not exceed the maximum of.

…… (5)

… … (5)

…… (6)

… … (6)

에 대하여도 수식 (6)의 함수와 유사한 함수를 고려할 수 있다. 먼저 표 1의 통신 스코어를 이용하여 수식 (7) 과 같은 다항식을 유도할 수 있다.Similarly, the communication score function

Similar functions can be considered with respect to Equation (6). First, a polynomial such as Equation (7) can be derived using the communication scores in Table 1.

…(7)

… (7)

In the derivation process of Equation (7), the basic process is the same as the process of deriving the abnormal score function described above. However, unlike Equation (6), Equation (7) reflects the characteristics of a general communication process, and thus, each coefficient of the polynomial may be grouped based on three characteristics as follows.

는 통신 스코어들의 집합이고, 계수

,

,

는 각각 표 1에서 정적 특성(Static(S)), 종속 특성(Dependent(De)), 동적 특성(Dynamic(Dy))인 경우 적용되는 계수에 해당한다. 이 때 수식 (6)과 마찬가지로 통신 스코어 함수

의 오버 피팅을 막기 위하여 바이어스 변수

을 적용하여 다음과 같은 수식을 유도할 수 있다.That is, here

Is a set of communication scores, and

,

,

In Table 1, respectively, the coefficients applied to the static characteristics (Static (S)), dependent characteristics (Dependent (De)), and dynamic characteristics (Dynamic (Dy)) correspond. At this time, as in Equation (6), communication score function

Bias variable to prevent overfitting

You can derive the following equation by applying.

…… (8)

… … (8)

…… (9)

… … (9)

,

,

는 각각 대표 계수

,

,

를 가지는 개체 인자들의 집합이다. 또한 각 계수는 각 정상적인 통신 과정에 있어서 사용되는 필드의 중요도를 평가하는 변수로서 본 발명에서는 표 2와 같은 범주 안의 값을 취한다. 이 때

는 통신 스코어 집단 계수들의 변수 값 범주에서의 초기값을 의미하며, 실험적인 결과에 의하여 각 그룹은 1:2:3의 비율로 가중치를 부여하였다.here

,

,

Are representative coefficients respectively

,

,

Is a set of object arguments. In addition, each coefficient is a variable for evaluating the importance of the field used in each normal communication process, and the present invention takes values within the categories shown in Table 2 below. At this time

Denotes an initial value in a variable value category of communication score group coefficients, and according to experimental results, each group is weighted at a ratio of 1: 2: 3.

Field properties category

)Static (

) 0 <α ≤

Dependent (

)

<β ≤ 2 *

Dynamic (

) 2*

<γ ≤ 3 *

를 유도할 수 있다.Finally, the final evaluation function using formulas (6) and (9)

Can be derived.

The final evaluation function of equation (10) is used to select the appropriate individual for each generation in the process of finding the optimal solution of the genetic algorithm. In addition, using these evaluation functions, selected entities perform evolutionary processes such as reproduction, crossover, and mutation.

The packet feature selection module repeats the genetic algorithm evaluation function described above to select the most important fields of the packet. For example, the packet feature selection module creates 100 random gene instances (packets) and calculates an evaluation function to select the most appropriate entity. That is, the last entity includes fields desired by the administrator, and the packet feature selection module conveys to the packet preprocessing module which fields correspond to the fields.

3 is a flowchart illustrating a network intrusion detection method according to another embodiment of the present invention.

First, the network intrusion detection system selects a field to be considered when determining intrusion detection (S301). This field selection process is characterized in that the selection in consideration of the importance for each field present in the header area of the packet.

The network intrusion detection system collects packets existing in the network (S302). In addition, the network intrusion detection system extracts only the field selected in step S301 of the collected packets (S303), and checks whether an abnormal intrusion exists in the network using the extracted fields (S304).

4 is a flowchart illustrating a packet feature selection method according to another embodiment of the present invention.

At this time, the process according to FIG. 4 corresponds to processes included in process S301 of FIG. 3.

First, the network manager checks the structure of packets to be collected and checked (S401). For example, the network manager checks the fields (24 fields in Table 1) to be reflected in the evaluation function in the TCP / IP packet.

The network manager determines an evaluation function by considering correlation with malicious packets for each field and inputs the evaluation function to the network management system (S402). In the present invention, the field is considered an anomaly score used for an abnormal behavior attack and a communication score which is field characteristic information in a communication process. Here, the communication score means the type of field, and each field has one of static, dynamic, and dependent characteristics.

The network security system randomly generates a predetermined number of gene entities, that is, packets (S403). The intrusion suitability value is calculated by substituting the field information of the randomly calculated packet into the evaluation function determined in step S402 (S404). It is checked whether the calculated intrusion suitability value is equal to or greater than a predetermined reference value (S405). If the intrusion suitability is more than the reference value through this process, the packet survives (S406), and the packet whose intrusion suitability is less than the reference value is discarded (S407). The evaluation function of S404 to S406 is repeated for all packets generated in step S403.

The network intrusion detection system determines whether evaluation function calculation has been performed for all packets (S408). If the intrusion suitability calculation is made for all packets, it is determined whether there is one surviving packet (S409). If the number of surviving packets is not one, the intrusion suitability calculation process (S404 to S406) is performed again on the surviving packets by adjusting the bias value of the evaluation function (S410). Through such a method, the network intrusion detection system may extract field information of the last packet that survived and use it in the step S303 (S411). If any field in the last surviving packet is 1, the field may be considered to be deeply related to network intrusion. In this way, the network intrusion detection system selects a field having a value of 1 among the fields of the last surviving packet.

5 is a flowchart illustrating a network intrusion detection method according to another embodiment of the present invention.

The network intrusion detection method of FIG. 5 is a method for checking the existence of a network invasion by determining the similarity between the last surviving packet and the packet present on the network by the process S409 of FIG. 4.

First, the network intrusion detection system stores the last surviving packet as a reference packet according to the method of FIG. 4 (S501). The network intrusion detection system may further include a memory unit for storing the sample packet.

The network intrusion detection system now collects packets existing in the network to check whether there is an intrusion in the network (S502). In addition, in order to compare the collected packet with the reference packet stored in the database, a preprocessing operation is performed (S503). This pretreatment operation means a process of extraction, modification and substitution as described above.

Now, the network intrusion detection system calculates a packet similarity by comparing the packet on which the preprocessing operation is performed with the reference packet (S504). If the similarity is greater than or equal to a predetermined value, the collected packet is a packet for network intrusion and thus is reported to the network administrator and a log file is created (S505). If the packet similarity is less than a predetermined value, the network intrusion detection system creates a log file without separately reporting (S506).

The preferred embodiment of the present invention has been described above. The present invention is not limited to the above-described embodiment, and various modifications can be made by anyone having ordinary skill in the art to which the present invention pertains.

As described above, according to the network security system and the method applying the genetic algorithm according to the present invention, by using the genetic algorithm-based feature selection method, the packet information having a greater meaning among the information inside the TCP / IP packets It can be extracted, and by checking the received packet using only important packet information, it can contribute to the improvement of detection speed and detection rate.

Claims (11)

In the network intrusion detection method, Generating at least one sample packet; Calculating an intrusion suitability value by substituting the field value of the sample packet as a variable value of an evaluation function reflecting the importance of each field of the packet; Remaining the sample packet when the intrusion suitability value is equal to or greater than a predetermined reference value; And And determining whether the network has been invaded by measuring the similarity between the packets collected from the network and the remaining sample packets. The method of claim 1, Evaluation function reflecting the importance of each field of the sample packet, The network intrusion detection method, characterized in that the field of the packet reflects an anomaly score (Communication Score) that is used for abnormal behavior attack (Anomaly Score) and field characteristic information. The method of claim 2, The intrusion suitability value of the sample packet is Network intrusion detection method calculated according to the following equation.

here,

Is

Intrusion suitability values for packets

Of the packet

The number of times the first field was used in an unusual attack,

Of the sample packet

The value of the first field,

,

,

Is the number of fields each having static, dependent, and dynamic properties,

,

,

Is a reflection coefficient of a field with static, dependent, and dynamic properties,

Is a predetermined bias value. The method of claim 3, remind

,

,

Is 1: 2: 3 ratio of network intrusion detection method. In the network intrusion detection method, Selecting at least one reference field for determining network intrusion by applying a genetic algorithm using an evaluation function reflecting the importance of each field of the packet; Wow Extracting information of a reference field for determining whether the network has been invaded from packets collected from a network, and determining whether the network has been invaded using the extracted field information. The method of claim 5, Selecting a reference field for determining whether the network invasion by applying the genetic algorithm, Generating at least one sample packet; Calculating an intrusion suitability value by substituting the sample packet field value into a variable of the evaluation function; Remaining only a sample packet whose intrusion suitability value is equal to or greater than a predetermined reference value; And And selecting a field for determining network intrusion using the remaining field of a sample packet. In the network intrusion detection system, A packet feature selection module for selecting at least one reference field for determining network intrusion by applying a genetic algorithm using an evaluation function reflecting the importance of each field of the packet; A packet collecting module for collecting a packet present on a network; A packet preprocessing module for extracting information of a reference field selected by the packet feature selection module among the collected packets; And Network intrusion detection system including an intrusion detection engine module for determining whether the network intrusion using the extracted reference field information. The method of claim 7, wherein The packet feature selection module, A sample packet generation unit generating at least one sample packet; An evaluation function calculator for calculating an intrusion suitability value by assigning a bit value of the generated sample packet field to a variable of the evaluation function; A sample packet selection unit for selecting a sample packet having the calculated intrusion suitability value equal to or greater than a predetermined reference value; And And a feature field selector configured to select a reference field for determining network intrusion using the selected sample packet field. The method of claim 8, The evaluation function is The network intrusion detection system, characterized in that the field of the packet reflects an anomaly score (Communication Score) that is used for abnormal behavior attack (Anomaly Score) and field characteristic information. The method of claim 9, The intrusion suitability value of the sample packet is Network intrusion detection system calculated according to the following equation.

here,

Is

Intrusion suitability values for packets

Of the packet

The number of times the first field was used in an unusual attack,

Of the sample packet

The value of the first field,

,

,

Is the number of fields each having static, dependent, and dynamic properties,

,

,

Is a reflection coefficient of a field with static, dependent, and dynamic properties,

Is a predetermined bias value. The method of claim 10, remind

,

,

Is a 1: 2: 3 ratio.

Images