Analysis on the Application of Data Mining in Network Intrusion Detection

This article first introduces the basic knowledge of network security, intrusion detection, and data mining. After analyzing the shortcomings of traditional network intrusion detection technology, it improves the existing model structure by using association rules and clustering rules from data mining, so as to improve the efficiency and accuracy of network intrusion detection systems based on data mining. At present, computer networks are widely used in every field, which undoubtedly brings convenience to people's lives, studies, and work; at the same time, this places higher demands on network security. Under the conditions of modern information development, a secure network system must not only have defensive measures such as firewalls, but must also monitor network security in real time and be able to detect attacks and respond to them. It is in this context that the intrusion detection system emerged.

1. Necessity of Intrusion Detection

An intrusion detection system is an auxiliary security system built on top of an existing information system according to certain security policies. Given the current state of system security, a system is likely to be attacked; when it is, detecting the attack as far as possible, and ideally in real time, provides useful information for intrusion response. As a new generation of security technology, intrusion detection is used to identify intruders and intrusions, to detect and monitor successful security breaches, and to provide timely information for countering intrusions, preventing them, and stopping incidents from spreading. How can the data needed to detect intrusions be obtained from the massive volume of data in the network? To this end, data mining methods are introduced to discover possible new intrusions.

2. Knowledge about Network Data Mining

Data mining refers to extracting knowledge that is implicit, previously unknown, and potentially useful (information or patterns that users are interested in) from large databases or data warehouses; it is a new field of great application value in database research. The purpose of data mining is to help users find potential associations between data and discover elements that would otherwise be overlooked. This information may be very useful for predicting trends and making decisions.

With the development of network intrusion detection technology, attention has focused on applying network data mining technology to the development of intrusion detection. If data mining technology can be fully applied to network intrusion detection, and optimized by combining the basic principles of data mining with the specific characteristics of the intrusion detection system, the performance of the intrusion detection system will be greatly improved.

3. Application of Data Mining Technology in Intrusion Detection

By using data mining technology in an intrusion detection system, useful historical data can be analyzed to extract the characteristics of user behavior and summarize the rules of intrusion behavior, so that a complete rule library is established for intrusion detection. This process can be divided into the following steps:

1) Data collection. For a network-based detection system, the data comes from the network.

2) Data preprocessing. The quality of the training data used in data mining directly affects the accuracy of the extracted user features and derived rules.

3) Data mining. User behavior characteristics or rules are extracted from the preprocessed data; the rules obtained are merged and updated, and a rule repository is created.

The following describes the existing network intrusion detection model structure chart based on data mining and makes some optimizations.

3.1 A model combining misuse detection and anomaly detection

Wei Bizhong, Wang Yong, and Zhang Kaihua improved the combined misuse detection and anomaly detection model in "Application Analysis of Data Mining Technology in Network Intrusion Detection", as shown in Figure 1.

Figure 1 Combined misuse detection and anomaly detection model

Figure 1 shows a network intrusion detection model based on data mining that combines the anomaly detection and misuse detection models. The advantage of this model is that the amount of data to be analyzed is indeed reduced by combining the misuse detector and the anomaly detector. However, the system has the following disadvantage: when the anomaly detector detects a new intrusion, only the anomaly detector is updated; the favorable opportunity to update the misuse detector as well is not used. This undoubtedly leaves the anomaly detector with repetitive and unnecessary work. On this basis, can both the anomaly detector and the misuse detector be updated when a new intrusion is detected? Based on this shortcoming of the above system, the following improvement is proposed.

3.2 System Structure Improvement

Based on Figure 1, we have improved the combined detection model to form a more favorable data mining-based intrusion detection model, shown in Figure 2.

Figure 2 Misuse detection and anomaly detection after improvement

Figure 2 is an optimization of the model that integrates the misuse detector and the anomaly detector. In this model, packets obtained from the network are first sent to the data preprocessor, which processes them. Association rules are then used to find representative rules, which are added to the rule set, and clustering rules are used to cluster the two values obtained for each association rule, its support and its confidence. After clustering, some normal data can be deleted according to a specified threshold value, so that the amount of data to be analyzed is undoubtedly reduced. The remaining data is then sent to the misuse detector. If the misuse detector does not detect an attack, the data is sent to the anomaly detector; as in the previous model, the anomaly detector also acts as a filter. This step filters out a large amount of normal data, reduces the data volume, and facilitates subsequent mining.

Another major feature of the system is that it no longer repeats the detection of the same data the next time it appears: updates to the data warehouse are used to further improve both the anomaly detector and the misuse detector, that is, both detectors are updated according to the detection result of the anomaly detector. If the behavior is judged to be normal, the anomaly detector is updated; if it is judged to be an attack, the misuse detector is updated to record the behavior so that it is caught directly the next time, for example when the anomaly detector has detected a new method of network intrusion. In other words, after the anomaly detector detects a new intrusion, both the anomaly detector and the misuse detector are updated through the data warehouse. This reduces the amount of data to be analyzed and improves detection speed and efficiency.
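The three steps of section 3 (collection, preprocessing, rule mining) and the improved pipeline of Figure 2 (threshold filter, misuse detector, anomaly detector, feedback into both) can be exercised end to end on a small constructed data set. The following Python program is an added example written for this page; it is not code from the article or from the model's authors. All connection records, the field names (`proto`, `service`, `flag`, `dst_bytes`, `count`), the one pre-loaded misuse signature and the thresholds are constructed assumptions. The clustering of support and confidence values is simplified to a frequency threshold on whole patterns, and the anomaly detector flags a record when it breaks a high-confidence rule mined from the normal history.

```python
from collections import Counter
from itertools import combinations

def row(rid, proto, service, flag, dst_bytes, count):
    """Build one raw connection record; every field is a constructed sample value."""
    return {"id": rid, "proto": proto, "service": service, "flag": flag,
            "dst_bytes": dst_bytes, "count": count}

# Constructed attack-free history used as the "normal" training set (not real traffic).
NORMAL_TRAINING = ([row(0, "tcp", "http", "SF", 500, 5)] * 6
                   + [row(0, "tcp", "http", "SF", 3000, 5)] * 2
                   + [row(0, "udp", "dns", "SF", 100, 3)] * 2)

# Constructed traffic to classify; ids 4 and 5 are one unseen behaviour repeated.
TEST_TRAFFIC = [
    row(1, "tcp", "http", "SF", 500, 5),   # very common normal pattern
    row(2, "tcp", "http", "SF", 3000, 5),  # rarer, but consistent with the normal rules
    row(3, "tcp", "http", "S0", 100, 80),  # matches the pre-loaded misuse signature
    row(4, "tcp", "ftp", "S0", 100, 5),    # new behaviour, seen for the first time
    row(5, "tcp", "ftp", "S0", 100, 5),    # the same behaviour again
    row(6, "udp", "dns", "SF", 100, 3),    # rare, but consistent with the normal rules
]

# Constructed misuse signature (burst of half-open connections); an assumption, not a real ruleset.
SIGNATURES = [{"flag=S0", "count=high"}]

def preprocess(raw):
    """Step 2: discretise raw connection fields into a set of attribute=value items."""
    return frozenset({f"proto={raw['proto']}", f"service={raw['service']}",
                      f"flag={raw['flag']}",
                      "dst_bytes=" + ("high" if raw["dst_bytes"] > 1000 else "low"),
                      "count=" + ("high" if raw["count"] > 50 else "low")})

def mine_rules(records, min_support, min_confidence):
    """Step 3: mine single-item association rules lhs -> rhs with support and confidence."""
    n = len(records)
    single = Counter(item for rec in records for item in rec)
    pairs = Counter(frozenset(p) for rec in records for p in combinations(sorted(rec), 2))
    rules = {}
    for pair, cnt in pairs.items():
        support = cnt / n                   # fraction of records containing both items
        if support < min_support:
            continue
        a, b = tuple(pair)
        for lhs, rhs in ((a, b), (b, a)):
            confidence = cnt / single[lhs]  # P(rhs | lhs)
            if confidence >= min_confidence:
                rules[(lhs, rhs)] = (support, confidence)
    return rules

class MisuseDetector:
    """Matches records against known attack patterns (item subsets)."""
    def __init__(self, signatures):
        self.signatures = [frozenset(s) for s in signatures]
    def match(self, record):
        return any(sig <= record for sig in self.signatures)
    def update(self, record):
        self.signatures.append(record)      # a confirmed new intrusion becomes a signature

class AnomalyDetector:
    """Flags records that break a high-confidence rule mined from normal traffic."""
    def __init__(self, normal_rules):
        self.rules = dict(normal_rules)
        self.known_normal = set()
    def is_anomalous(self, record):
        if record in self.known_normal:
            return False
        return any(lhs in record and rhs not in record for lhs, rhs in self.rules)
    def update(self, record):
        self.known_normal.add(record)       # confirmed normal behaviour refines the profile

def run_pipeline(traffic, training, signatures, filter_threshold=0.3,
                 min_support=0.1, min_confidence=0.9):
    """Threshold filter -> misuse detector -> anomaly detector, with feedback into both."""
    normal = [preprocess(r) for r in training]
    frequency = Counter(normal)
    misuse = MisuseDetector(signatures)
    anomaly = AnomalyDetector(mine_rules(normal, min_support, min_confidence))
    result = {"filtered": 0, "misuse": [], "anomaly": [], "normal": 0}
    for raw in traffic:
        rec = preprocess(raw)
        # Patterns this common in the normal history are dropped before any detection.
        if frequency[rec] / len(normal) >= filter_threshold:
            result["filtered"] += 1
        elif misuse.match(rec):
            result["misuse"].append(raw["id"])
        elif anomaly.is_anomalous(rec):
            result["anomaly"].append(raw["id"])
            misuse.update(rec)              # feedback: next occurrence is caught by misuse
        else:
            result["normal"] += 1
            anomaly.update(rec)             # feedback: refine the normal profile
    return result

if __name__ == "__main__":
    print(run_pipeline(TEST_TRAFFIC, NORMAL_TRAINING, SIGNATURES))
```

Running it shows the point of the feedback loop: record 4 is an unseen behaviour and is raised by the anomaly detector, but because that result also updates the misuse detector, the identical record 5 is matched by the misuse detector directly and never reaches the anomaly detector again, while the common normal pattern of record 1 is dropped by the threshold filter before either detector sees it.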

At present, intrusion detection technology is not yet mature. How to greatly improve the resistance of networks and hosts to attacks and improper use, make the implementation of security measures more effective, reduce the false positive and false negative rates, and make configuration options more flexible will be the research directions for data mining technology in network intrusion detection.
