2010 WASE International Conference on Information Engineering

Data Mining Based Intrusion Detection System in VPN Application

FAN Ya-qin FAN Wen-yong WANG Lin-zhu

College of Communication. College of Communication. College of Communication.
Engineering, Jilin University Engineering, Jilin University Engineering, Jilin University
Changchun 130012, china Changchun 130012, china Changchun 130012, china
[email protected] [email protected] [email protected]

Abstract-In order to solve the problem that the technology safe route have waited if encrypted. But, hacker technology
can not satisfy VPN consumer's need about information also same safe tradition technology can satisfy people's need
insurance for the safety resolving tradition's, in the main body already far from with development of surprising rapidity
of this essay ,we have being aimed at it's safe hidden trouble on swift and violent. With the development of network safety
the basis going deep into the operating principle studying technology, invade check important link in becoming
VPN's, have brought forward one kind of scheme, this scheme
information insurance, it has pinning up the safe technology
passes an introduction invade check system , excavate an
introduction at the same time with the data arriving at invade in tradition, very good problem can not solve by the
have adopted to come to come true owing to that association mechanism having resolved tradition protection
regulation data excavates an algorithm in detecting system.
Indicate result, compete with original network in relatively, II. INTRUSION DETECTION SYSTEM OVERVIEW
this scheme has improved 60% to customer's assurance
coefficient. Be one kind of reliable protection measure, fall off Intrusion Detection System (Intrusion Detection System)
or eliminate from the loss that network attack brings about, IDS surface it looks like network monitoring and alarm
problem can not solve by the mechanism having resolved devices, a kind of observation and analysis of network
tradition protection.
attack has occurred, and to send a warning before the attack,
Keywords-virtual private network; intrusion detection; and then do a corresponding counter-measures to reduce the
data mining huge losses the device may occur.
Intrusion detection system for detecting an attempt to
undermine the integrity of computer resources, authenticity
and availability of software behavior, it can real-time
I. INTRODUCTION
monitoring system activities, real-time discovery of
aggressive behavior and take appropriate measures to avoid
In this technologically developing era, Internet has or minimize the occurrence of attacks generated by attack
become a indispensable role in our daily life. While Internet hazard. For intrusion detection, there are two measurement
virus (hacker) also has attacked our work and life, which has criteria: detection rate and false alarm rate [2-5]. A good
brought about inconvenience and loss. For example: The intrusion detection system requirements for the highest
quilt attacks a server or is paralyzed, the inside data and the possible detection rate and false alarm rate as low as
information quilt are embezzled waiting a minute. These possible due to intrusion detection in user behavior mainly
problems look like being more important to VPN consumer. as a data format, so the core problem is how to correctly and
Pass the data that the centre (CERT/CC) working together efficiently handle the data collected, and reach a
from emergent USA computer response team/ gets. Over the conclusion.
past few years, network every year attacks an event
assuming the exponent trend increasing by. Currently, be III .INTRUSION DETECTION SYSTEM IDS
badly in need of one kind of effective confirmation and FRAMEWORK
control the method that the network attacks, come to the
unnecessary loss bringing about such as cutting down or According to its function, Intrusion Detection System
removing from the network a virus. People has developed can be divided into several parts as follows: Network data
out many safe technologies in recent year, dignity collect and detecting engine; Attack the pattern warehouse;
attestation, pay a visit to have controlled, the fire prevention Give an alarm and respond to; Information is announced. As
wall , the shown in Figure 1.
__________________________________________________________
Project Title：Technology development plan project of jilin province
China。 Project number: 20090513

978-0-7695-4080-1/10 $26.00 © 2010 IEEE 50

DOI 10.1109/ICIE.2010.301
 if s then
return TRUE;
return FALSE;

C. Intrusion Detection Model Based on Data Mining

In the intrusion detection system using data mining

techniques, by analyzing the historical data can be extracted
out of the user's behavior, summed up the law of intrusion,
which established a more comprehensive rule-base to carry
out intrusion detection [6-11]. The process is mainly divided
into the following steps: (1) data collection. (2) Data pre-
processing (3) data mining (4) intrusion detection. 2。The
IV.BASED ON DATA MINING INTRUSION Intrusion Detection Model based on Regulation, cluster-
DETECTION SYSTEM algorithm, classification algorithm being connected is
shown in figure 2.Intrusion Detection System formation
process shown in Figure 3.
A. Data Mining

Data mining generally refers to the massive amounts of

data extracted from the descriptive model of a process.
Mining association rules aim is to find the table from the
data link between the various characteristics of property.
Generally speaking, given a series of records, each record is
a combination of a lot of items, association Y, of support
and confidence.◊rules is given expression in the form of X
The association rule mining is an important data mining
rules, Apriori association mining algorithm is a classical
algorithm that can find a large number of data, an interesting
correlation between item sets and related links.

B.Apriori Algorithm

Apriroi algorithm described as follows:

for each transaction t / / scan D for itemset counting
/ / Get a subset of the candidate set
for each candidate cC
c.count + +;
)
)
return =;
procedure apriori_gen (: frequent (k-1)-itemset;
min_sup: mininum support)
for each itemset
for each itemset
if
then (
/ / Connect to generate candidates
if has_infrequent_subset (c,) then
delete c; / / pruning remove the non-frequent itemsets
)
return C;
procedure has_infrequent_subset (c: candidate k -
itemset;: frequent (k-1)-itemset)
for each (k-1)-subset s of c

51
 The intrusion detection model works is: sniffer from the technology, 2004.11:22-27
[6] Yang Rong. MVPN-new bright spot in mobile value-added services.
host or network is responsible for collecting data is saved to
Modern communications, 2004.10:53-57
the original database, and then the data pre-processing, the [7] ZENG Zhi-feng, Feng Yun-Bo. Virtual private network system design.
formation of processed data sets. Re-use association rules, Beijing University of Posts and Telecommunications, 2007.10:105-192
cluster analysis, classification algorithms to the processed [8] package Lihong, Li-Ya Li. Based on the SSL-VPN technology research.
Network Security Technology and Application ,2004,5:42-44
data mining, extract features and patterns, save it to model
[9] Wu Yan ed. "VPN technology in the enterprise applications of the
the rule base and knowledge base. The intrusion Then we strategy study" . Fudan University Journal .2008.9.20:60-62
should come to the analysis of data difference from the [10] Dai-kun compiled. "VPN and Network Security" . 2006-2:22-26
Knowledge Base to read the rules to determine the invasion, Electronics Industry Publishing House
[11] Li Yang. K-means Clustering Algorithm in Intrusion Detection.
while the rules for updating the warehouse updates. Then
Computer Engineering, 2007,33 (14) :154-156
result (invasive or non-invasive) may be reported to the [12] Su-Yun Wu, Ester Yen. Expert System with Applications, 2009(36):
administrator by the administrator for validation. 5605-5612
[13] Lane T, Carla E B. An Empirical Study of Two Approaches to
Sequence Learning for Anomaly Detection: Machine Learning,
V .INTRUSION DETECTION SYSTEM IN THE VPN
2003,51(1): 73-107
APPLICATION [14] Yan Qiao, Xie Weixin, Yang Bin. An Anomaly Intrusion Detection
Method Based on HMM. Electronics Letters, 2002, 38(13): 663-664
VPN (Virtual Private Network) through the use of tunnels [15] Lee W, Dong X. Information——Theoretic Measures for Anomaly
in a wide area network to transfer data between two Detection. Proc. of the IEEE Symposium on Secuiry and Privacy,
2006: 130-134
networks, VPN network structure shown in Figure 4[12-16]. [16] ZHAO Qiao-xia, MENG Xiang-ru Design and Simulation of
Because of its wide-area data is disseminated on the Security Solution for MPLS VPN [J] Journal of Air Force
Internet, although the adoption of the key security Engineering University(Information Science Edition)).2005,6(4):63-
technology can provide some security, but it does not meet 66.
the security requirements for the relatively high enterprise.
Therefore, we need to use security technology, to use other
security measures will be the introduction of VPN, intrusion
detection systems, so that a higher level VPN security.

Figure 4 VPN Network Structure

REFERENCES

[1] Lee, Texas, Deng Xiaohui. Network virus against the status quo and
Countermeasure technology. Network Security Technology Operation
and applications, 2001,8 (2) :96-100
[2] Wu occasion, Huang Chuan-he, WANG Li-Na and so on. Based on
data mining intrusion detection system. Computer and Applications,
2003,10 (4) :48-54
[3] Wangbing Jun, Wang Shao-Yi compiled. Access Network Technology,
Mechanical Industry Press, 2005-4:74-105
[4] often the ground. MPLS-based technology to build VPN. Shanxi
electronic technology, 2005.5:26-29
[5] Fu-Gang. Mobile VPN solution. Telecommunications design

52