Abstract

Most activities on the Internet can be recorded in website log files, and website administrators can inspect these log files to locate problems after a network intrusion occurs. However, since log files usually contain a huge quantity of data, it is generally not feasible for administrators to determine the concealed meanings within log files without effective methods. One method for dealing with this issue is to use neural networks; this is an effective means to distinguish and classify abnormal data in log files, thus alleviating the administrator's burden. This paper presents the results of a study on intrusion detection on IIS (Internet Information Services) utilizing a hybrid intrusion detection system (IDS). The feasibility of the hybrid IDS is validated based on the Internet scanner system (ISS). In the proposed intrusion detection system, we used training data sets of four different sizes: 200, 800, 1400, and 2000. The system is trained either by Taguchi's experimental design or by full factorial experimental design under the different training data sets; the former can save much more time than the latter. Under Taguchi's experimental design, the best results are obtained when the training data set is of size 1400; overall accuracy in this case is 97.5%. In contrast, for the full factorial experimental design, the best results are reached when the training data set is of size 2000; overall accuracy is 97.6%. Our study indicates that when to retrain the detector and how much time to allow for this training fully depend on the downgrade percentage of the detection rate, which determines the size of the retraining data set. To reduce the void time for updating the detector, the downgrade percentage should be restricted.