Abstract (in English)
Intrusion detection systems play an important role in network anomaly detection. New and unknown attacks have exposed the inefficiency of signature-based detection methods and have drawn attention to anomaly-based methods. Despite their strong ability to detect anomalies, anomaly-based methods suffer from a high false-alarm rate. Hybrid intrusion detection systems have been developed to reduce that rate.
In this thesis, we propose a hybrid four-layer intrusion detection model. The first layer consists of the data-flow analysis and service-type classification modules. The n-gram statistical technique and the genetic algorithm are used to classify and label traffic services: the 1-gram algorithm extracts the feature vectors, and the genetic algorithm weights the extracted features. In the intrusion detection layer, signature-based and anomaly-based detection modules are implemented in a hybrid manner and called in succession. The decision-making layer is then invoked based on the results of the intrusion detection process. Depending on the security configuration, the nature of the attack and the type of response required, the decision-making modules call the notification and event-log management layer. In this layer, the network administrator is notified and responsive actions are managed if needed. Cross-validation showed that intrusion detection improved and, as a result, the false-alarm rate was reduced.
Keywords: Intrusion Detection, False-Positive Rate, Event Log Management, Service Type Classification, Responsive Actions, Cross Validation.
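The first-layer technique described above, as an added illustration that is not code from the thesis: a 1-gram (byte-frequency) feature vector per payload, a nearest-centroid service classifier over those vectors, and a small genetic algorithm that evolves a per-feature weight vector. The service labels, sample payloads, fitness function and GA parameters are all constructed assumptions for the example.

```python
import random
# Constructed sample payloads (not real captures): a text-heavy "http" service and a
# binary-heavy "tls" service standing in for labelled flows from the data-flow module.
SAMPLES = {
    "http": [b"GET /index.html HTTP/1.1\r\nHost: a\r\n\r\n",
             b"POST /login HTTP/1.1\r\nHost: b\r\n\r\nuser=x",
             b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"],
    "tls": [bytes([0x16, 0x03, 0x01]) + bytes(range(s, 256, 5)) for s in (0, 1, 2)],
}

def one_gram(payload):
    """1-gram feature vector: normalised 256-bin byte-frequency histogram."""
    n = max(len(payload), 1)
    return [payload.count(b) / n for b in range(256)]

def centroids(samples):
    """Mean 1-gram vector per service, used as that service's prototype."""
    vecs = {lbl: [one_gram(p) for p in ps] for lbl, ps in samples.items()}
    return {lbl: [sum(v[i] for v in vs) / len(vs) for i in range(256)] for lbl, vs in vecs.items()}

def wdist(v, c, w):
    """Weighted squared distance: w[i] scales how much byte value i counts."""
    return sum(w[i] * (v[i] - c[i]) ** 2 for i in range(256))

def classify(payload, cents, w):
    """Weighted nearest-centroid label for one payload."""
    v = one_gram(payload)
    return min(cents, key=lambda lbl: wdist(v, cents[lbl], w))

def fitness(samples, cents, w):
    """Accuracy plus mean margin (nearest wrong centroid minus own), so that weightings which all reach 100% are still ranked."""
    hits = margin = 0.0
    for lbl, ps in samples.items():
        for v in map(one_gram, ps):
            own = wdist(v, cents[lbl], w)
            other = min(wdist(v, cents[o], w) for o in cents if o != lbl)
            hits, margin = hits + (own < other), margin + other - own
    return (hits + margin) / sum(len(ps) for ps in samples.values())

def evolve_weights(samples, generations=15, pop_size=10, seed=0):
    """Genetic algorithm over the 256 feature weights, each kept in [0, 1]."""
    rng, cents = random.Random(seed), centroids(samples)
    pop = [[1.0] * 256] + [[rng.random() for _ in range(256)] for _ in range(pop_size - 1)]
    for _ in range(generations):              # pop[0] is the unweighted baseline
        pop.sort(key=lambda w: fitness(samples, cents, w), reverse=True)
        del pop[pop_size // 2:]               # truncation selection keeps the best half
        while len(pop) < pop_size:
            a, b = rng.sample(pop[: pop_size // 2], 2)
            cut = rng.randrange(1, 256)       # one-point crossover, then per-gene mutation
            pop.append([rng.random() if rng.random() < 0.02 else g for g in a[:cut] + b[cut:]])
    return max(pop, key=lambda w: fitness(samples, cents, w))
```

Because the unweighted baseline is seeded into the population and the best half always survives, the returned weights never score below uniform weighting on the labelled samples.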