Jinan University (暨南大学)
Master's Thesis
Research and Implementation of an Intrusion Detection System Based on Genetic Programming
Author: 陈凤其
Degree applied for: Master
Major: Computer Software and Theory
Supervisor: 罗伟其
20100608

ABSTRACT

The Internet penetration rate in China has maintained its growth momentum in recent years, which has promoted the development of new industries such as E-Business and Online Payment. At the same time, various kinds of network security incidents have arisen, which pose a threat to the safety of people's property and demand higher levels of network security technologies, including intrusion detection. As an important component of the network security architecture, an intrusion detection system can detect attack attempts. However, traditional intrusion detection systems cannot meet the current demands of network security due to problems of their own. Further research on intrusion detection systems is therefore necessary.

First, this thesis makes an in-depth analysis of rule-based intrusion detection systems to gain a thorough understanding of the mechanism of common intrusion detection systems and the basic structure of detection rules. Then a new intrusion detection system based on genetic programming is proposed. This intrusion detection system is made up of a packet capture engine, a detection engine, a rule evolution engine, a rule selection engine, a rule base and other components. The rule evolution engine is the core of the intrusion detection system. Following the principle of genetic programming, the rule evolution engine generates new rules from the original rule base and the history records of intrusions. Because genetic programming is an effective search optimization technique, the system gains the potential to detect new forms of intrusion, which improves its detection performance. The design of the intrusion detection system based on genetic programming is presented in detail.
The packet capture engine uses the BPF packet filtering mechanism, which allows us to capture the packets that need to be inspected. In addition, the packet capture engine parses the captured packets and then classifies them. The detection engine is composed of several detection sub-modules, each of which detects only packets of certain protocols. The rule evolution engine contains several important algorithms, such as the crossover algorithm, the mutation algorithm and the rule conflict detection algorithm. The rule selection engine selects rules that qualify in both structure and composition, which ensures that every rule added to the rule base is a valid one. Finally, this thesis describes the implementation of the intrusion detection system based on genetic programming. A comparison with the Snort detection system in positive detection rate and false detection rate on the DARPA 99 dataset is also presented.

Key Words: Network Security; Intrusion Detection System; Detection Rule; Genetic Programming