Abstract: When the host has intrusion data with delayed response characteristics, the existing judgment mode is disconnected from the delayed data, resulting in distorted judgment of data association confidence between nodes and failure of intrusion detection. A method to judge the confidence of intrusion data association is proposed. Under the host security protection framework, the host firewall packet filtering technology is used to eliminate abnormal data. The security node is placed in the host by distributed deployment, and intrusion detection is carried out by using mathematical model technology. By analyzing the association between normal data, the association confidence between data is determined, and then the intrusion judgment is completed. The experimental results show that the security and effectiveness of the host security protection system are verified by testing the successful times of virus and Trojan attacks with delay characteristics, the time used for packet monitoring, and the functional coverage. 

Key words: data association analysis, host safety protection, system design, firewall packet filtering, delay characteristics