Hybrid intrusion detection method based on Internet protocol version 6

An Internet protocol and intrusion detection technology, applied in the field of network security, to achieve the effect of improving overall security and efficiency

Status: Inactive
Publication Date: 2009-02-11
NANJING UNIV OF POSTS & TELECOMM

AI Technical Summary

Problems solved by technology

A typical way to describe network communication is a four-dimensional matrix , where ID is a unique identifier for a specific connection. Each cell in the matrix represents a specific connection on the network, running from the source host to the destination host and using a certain service, and stores two values: the number of packets passing through the network within a period of time and the amount of data transmitted by those packets. There are two detection methods:

(1) The current network communication matrix is compared with a specific pattern matrix. This pattern matrix can represent a certain intrusion; if the current communication pattern matches it, that kind of intrusion may be occurring. This corresponds to the misuse intrusion detection mentioned above. The pattern matrix can also represent the normal traffic pattern of the network; if the probability of the current communication pattern is too low, an anomaly has occurred, and this corresponds to the anomaly intrusion detection described above.

(2) A series of rules is used to find specific traffic patterns in the current network communication matrix, so as to discover intrusion or abnormal activities. This method is very important when specific network communication patterns are to be generated, because at this time the previous method has not yet detected in accordance with
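The matrix and both detection methods described above, as an added Python example that is not part of the patent text. It assumes the four dimensions are source, destination, service and connection ID (inferred from the description), uses a fixed volume factor in place of the probability test, and the fan-out rule and all sample records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample window: (source, destination, service, connection ID, packet bytes)
WINDOW = [
    ("2001:db8::10", "2001:db8::80", "http", 1, 600),
    ("2001:db8::10", "2001:db8::80", "http", 1, 900),
    ("2001:db8::66", "2001:db8::a", "ssh", 2, 80),
    ("2001:db8::66", "2001:db8::b", "ssh", 3, 80),
    ("2001:db8::66", "2001:db8::c", "ssh", 4, 80),
]
# Constructed normal-pattern matrix: (source, destination, service) -> (packets, bytes)
NORMAL = {("2001:db8::10", "2001:db8::80", "http"): (4, 3000)}

def build_matrix(packets):
    """Cell (source, destination, service, connection ID) -> [packet count, byte count]."""
    matrix = defaultdict(lambda: [0, 0])
    for src, dst, service, conn_id, size in packets:
        cell = matrix[(src, dst, service, conn_id)]
        cell[0] += 1
        cell[1] += size
    return dict(matrix)

def compare_with_normal(matrix, normal, factor=3.0):
    """Method (1), normal-pattern form: fold connection IDs away, then report cells
    missing from the normal matrix or above `factor` times its volume (assumed test)."""
    totals = defaultdict(lambda: [0, 0])
    for (src, dst, svc, _conn), (pkts, size) in matrix.items():
        totals[(src, dst, svc)][0] += pkts
        totals[(src, dst, svc)][1] += size
    findings = []
    for key, (pkts, size) in sorted(totals.items()):
        base = normal.get(key)
        if base is None:
            findings.append((key, "not in normal pattern"))
        elif pkts > factor * base[0] or size > factor * base[1]:
            findings.append((key, "volume above normal"))
    return findings

def fan_out_rule(matrix, service, min_destinations=3):
    """Method (2): a hypothetical rule that flags sources reaching at least
    `min_destinations` distinct hosts on one service within the window."""
    reached = defaultdict(set)
    for (src, dst, svc, _conn) in matrix:
        if svc == service:
            reached[src].add(dst)
    return sorted(s for s, dsts in reached.items() if len(dsts) >= min_destinations)
```
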

Embodiment Construction

[0074] To meet the needs of the IPv6 environment, the IDS of this project adopts an overall architecture based on the combination of network and host, as shown in Figure 1.

[0075] 1. Protocol analysis sub-module

[0076] The protocol analysis sub-module is located on the variable feature library module. It performs protocol analysis on the received data packets and assigns the packets to different sets of detection methods according to the analysis results. Matching algorithm A and matching algorithm B in the figure represent optimization algorithms designed for specific protocols. In actual development, protocol analysis can be further refined, as shown in Figure 2. This matching technique takes advantage of the highly ordered nature of network protocols: it effectively narrows the matching range for targets, greatly reduces the amount of calculation, greatly improves the efficiency of intrusion analysis, and also makes the system m...

Abstract

A hybrid intrusion detection method based on Internet Protocol version 6 (IPv6) effectively improves accuracy and reduces the false alarm rate by using hybrid detection means, and is suited to the new requirements that IPv6 places on intrusion detection methods. The method is divided into three parts: the design of an overall framework using hybrid intrusion detection, the division into sub-modules, and an intrusion identification method. The method comprises the following steps: introducing a variable feature library sub-module; matching each captured data packet against the variable feature library first; and passing immediately to the alarm sub-module if a match is found, so that the intrusion detection system can detect network intrusions more rapidly, thereby improving the efficiency of intrusion detection. In addition, the scheme for sharing the variable feature library between adjacent networks lets a network capture intrusion features in advance, before it has itself been intruded upon, through mutual replication of the adjacent networks' variable feature libraries, so that corresponding measures can be taken as early as possible and the overall security of the networks is improved.
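The detection order given in the abstract (variable feature library first, immediate alert on a match) combined with the protocol analysis step of paragraph [0076], as an added Python example that is not the patent's own code. The class and function names, the SYN+FIN check standing in for a protocol-specific matching algorithm, and the sample packets are all assumptions constructed for illustration.

```python
import ipaddress
import struct

# Extension headers laid out as: next header (1 octet), then length in 8-octet units minus one.
EXT_HEADERS = {0, 43, 60}  # hop-by-hop options, routing, destination options
UPPER = {6: "tcp", 17: "udp", 58: "icmpv6"}

def analyze(packet):
    """Protocol analysis: walk the IPv6 header chain, return (source, protocol, payload)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = packet[6], 40
    while nxt in EXT_HEADERS:
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        nxt, off = packet[off], off + (packet[off + 1] + 1) * 8
    return str(ipaddress.IPv6Address(packet[8:24])), UPPER.get(nxt, "other"), packet[off:]

def tcp_syn_fin(segment):
    """Hypothetical protocol-specific check: SYN and FIN set in one TCP segment."""
    return len(segment) >= 14 and (segment[13] & 0x03) == 0x03

class HybridDetector:
    def __init__(self, detection_sets):
        self.variable_features = set()        # byte patterns, matched before anything else
        self.detection_sets = detection_sets  # protocol -> [(rule name, predicate)]
    def share_from_neighbour(self, features):
        """Copy an adjacent network's variable features before any local sighting."""
        self.variable_features.update(features)
    def inspect(self, packet):
        if any(f in packet for f in self.variable_features):  # 1. variable feature library
            return ("alert", "variable-feature")
        _src, proto, payload = analyze(packet)                # 2. protocol analysis
        for name, predicate in self.detection_sets.get(proto, []):  # 3. per-protocol set
            if predicate(payload):
                return ("alert", name)
        return ("pass", proto)

def build_ipv6(next_header, body):
    """Constructed sample packet between documentation addresses (2001:db8::/32)."""
    head = struct.pack("!IHBB", 0x60000000, len(body), next_header, 64)
    src, dst = (ipaddress.IPv6Address(a).packed for a in ("2001:db8::1", "2001:db8::2"))
    return head + src + dst + body

def demo():
    """SYN+FIN segment placed behind a destination-options header (constructed)."""
    syn_fin = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x03, 1024, 0, 0)
    ids = HybridDetector({"tcp": [("tcp-syn-fin", tcp_syn_fin)]})
    return ids.inspect(build_ipv6(60, bytes([6, 0, 1, 4, 0, 0, 0, 0]) + syn_fin))
```

The header walk matters in IPv6 because the upper-layer protocol can sit behind a chain of extension headers; the fragment header and non-first fragments are not handled here and fall through as "other".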

Description

Technical field

[0001] The present invention adopts a distributed overall architecture based on the combination of network and host and uses hybrid detection methods. It can effectively improve accuracy, reduce the false alarm rate, and adapt to the new requirements of IPv6 (Internet Protocol version 6) for intrusion detection systems. It belongs to the technical field of cybersecurity.

Background technique

[0002] Overview of IPv6

[0003] IPv6 is the abbreviation of "Internet Protocol Version 6", also known as the next generation Internet protocol, which is a new IP protocol designed by the IETF to replace the current IPv4 protocol. IPv6 was proposed to solve some problems and deficiencies existing in IPv4, with improvements mainly in address space, data header structure, automatic address configuration, data transmission security (IPSec protocol), quality of service (QoS) and other aspects. The main impact on the intrusion detection system is the structure of the data packet he...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L9/00
Inventor: 孙知信, 胡桂银
Owner: NANJING UNIV OF POSTS & TELECOMM