Source: 《通信学报》 (Journal on Communications)

Intrusion Detection Research Based on Network Events and Deep Protocol Analysis


Abstract

The problems that limit network-based intrusion detection systems (NIDS) were investigated. Based on network events and deep protocol analysis, a new intrusion detection model, MIDM, was proposed that both analyzes and integrates network intrusions. ABNF was extended to formally define network events, and a NIDS was re-implemented on top of MIDM. Experiments showed that, compared with current mainstream NIDS, MIDM reduces both the false-positive rate and the redundancy of the rule base, and that as network traffic and the rule base grow rapidly, CPU utilization grows only slowly, so the model adapts better to high-speed networks. The model also shows some ability to generalize rules and to detect previously unknown attacks.
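The abstract's central claim is that matching detection rules against protocol-level events, rather than against raw packet bytes, lowers the false-positive rate. The following Python sketch is an added illustration of that general idea; it is not the paper's code, does not implement MIDM or its ABNF extension, and uses constructed sample requests. It contrasts a raw-byte directory-traversal signature with an equivalent rule expressed as a predicate over a parsed HTTP request: the raw signature fires on a benign request body that happens to contain `../` and misses a percent-encoded traversal in the request target, while the protocol-aware event gets both cases right. Function and event names (`parse_http_request`, `http.path_traversal`) are hypothetical.

```python
"""Raw-byte signature matching versus protocol-aware "network event" matching.
Constructed example; not the paper's MIDM model or its ABNF-defined events."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import unquote


@dataclass
class HttpRequest:
    method: str
    path: str
    version: str
    headers: Dict[str, str]
    body: bytes


def parse_http_request(raw: bytes) -> Optional[HttpRequest]:
    """Minimal HTTP/1.x request parser standing in for deep protocol analysis.
    Returns None when the bytes are not a well-formed request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    try:
        method, target, version = lines[0].decode("ascii").split(" ")
    except ValueError:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, version, headers, body)


# A raw-payload signature of the kind a byte-pattern NIDS would use.
RAW_TRAVERSAL_SIG = re.compile(rb"\.\./")


def raw_signature_alerts(raw: bytes) -> bool:
    """Pattern-match the whole payload, with no notion of protocol structure."""
    return RAW_TRAVERSAL_SIG.search(raw) is not None


@dataclass
class NetworkEvent:
    """A named event defined over parsed protocol fields, not raw bytes."""
    name: str
    predicate: Callable[[HttpRequest], bool]


def traversal_in_request_target(req: HttpRequest) -> bool:
    """Traversal only matters in the request target; decode percent-encoding
    once so that '%2e%2e/' is evaluated as '../'."""
    path = unquote(req.path)
    return "../" in path or "..\\" in path


EVENTS: List[NetworkEvent] = [
    NetworkEvent("http.path_traversal", traversal_in_request_target),
]


def event_alerts(raw: bytes) -> List[str]:
    """Parse first, then evaluate every event predicate over the parsed request."""
    req = parse_http_request(raw)
    if req is None:
        return []
    return [e.name for e in EVENTS if e.predicate(req)]


# Constructed sample traffic.
BENIGN_POST = (
    b"POST /notes HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Type: text/plain\r\nContent-Length: 25\r\n\r\n"
    b"see the file in ../docs/\n"          # '../' in a text body, not an attack
)
ATTACK_GET = (
    b"GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\n"
    b"Host: example.test\r\n\r\n"          # encoded traversal in the target
)


def compare(raw: bytes) -> dict:
    """Side-by-side verdicts from the two approaches for one request."""
    return {"raw_signature": raw_signature_alerts(raw),
            "events": event_alerts(raw)}


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_POST), ("attack", ATTACK_GET)):
        print(label, compare(sample))
```

The raw signature yields a false positive on the benign body and a false negative on the encoded attack; the protocol-level event does neither, because the rule is bound to the field where traversal is meaningful and is evaluated after decoding. The same separation is what makes a rule base smaller: one event per protocol condition replaces the many byte-pattern variants needed to cover encodings and positions.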

