
Research On Key Technologies Of Multiple Heterogeneous IDSes' Collaboration On Intrusion Detection In Large Scale Network

Posted on: 2007-02-12
Degree: Master
Type: Thesis
Country: China
Candidate: X W Duan
Full Text: PDF
GTID: 2178360215470204
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of the Internet, network and information security has become increasingly important. Traditional defence techniques cannot satisfy today's security demands, and intrusion detection has emerged to meet them. However, intrusion detection brings the problem of false alarms: IDSes produce large volumes of alerts, many of them false, which leave the administrator at a loss and call the practicality of IDSes into question. How to reduce false alarms and automatically extract usable information has therefore become a central problem. In addition, in a large-scale network, multiple heterogeneous IDSes must collaborate to discover and defend against distributed and coordinated attacks, so effective methods are needed to fuse and analyse their alerts. Alert correlation is one of the key techniques for fusing IDS alerts and is useful for extracting information, but first the problems of sharing alerts among heterogeneous IDSes and of lessening the impact of the large volume of false alarms must be solved. The thesis focuses on these issues and makes the following contributions.

Firstly, on sharing alerts among heterogeneous IDSes. At present, IDSes differ considerably in alert format and naming conventions, so collaboration and alert sharing among them is difficult. To solve this problem, we studied the alert formats of several prevailing IDSes and the standardization drafts in this domain, and on that basis proposed a scheme to unify the IDS alert format, which lays the foundation for correlating alerts from multiple heterogeneous IDSes in a large-scale network.

Secondly, on false alarms. Large numbers of false alarms from the underlying IDSes complicate alert storage and management, seriously mislead the correlation process, and lead to wrong analysis results and poor efficiency. To solve this problem, we analysed the causes of false alarms and studied the existing false-alarm reduction techniques, especially automatic ones, summarising their advantages and disadvantages. We then proposed an adaptive framework for managing IDS false alarms, which can: 1) handle alerts from multiple heterogeneous IDSes; 2) adapt automatically to changes in the environment and in attack techniques; 3) filter false alarms out of IDS alerts accurately and automatically; 4) analyse the effect of the filtering automatically and adjust itself based on the results; and 5) analyse alerts automatically and generate more abstract, integrated alarms.

Thirdly, on alert correlation. Alert correlation is important for discovering complex relations among alerts and building an abstract, high-level view of attacks. To correlate IDS alerts effectively, we studied multisensor data fusion and the IDS information fusion model proposed by Bass, analysed the existing correlation techniques, classified them by their underlying correlation theory, and assessed their advantages and disadvantages. We then proposed an alarm fusion model that handles alert streams and correlates alerts from heterogeneous IDSes in real time.

In summary, the thesis proposes a scheme for intrusion detection using multiple heterogeneous IDSes in a large-scale network, which fuses alerts from those IDSes effectively and markedly improves the efficiency of alert analysis and correlation.
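The three contributions describe one pipeline: normalise alerts from different IDSes into a single schema, suppress likely false alarms with a threshold that adapts to the stream rather than a fixed count, and fuse what remains into higher-level alarms. The following is an added example of that pipeline, not code from the thesis or its author. The unified field set, the frequency-based noise heuristic, the (signature, source, destination) fusion key, the 60-second window, the local signature ids and the Snort- and Suricata-style alert records are all assumptions constructed here for illustration; the two input formats are approximations, not exact sensor output.

```python
# Added illustration: normalise -> suppress noise -> fuse. Schema and heuristics are assumptions.
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Approximation of a Snort "alert_fast" line with the year option enabled; ports are
# optional because ICMP alerts carry none.
SNORT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<name>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")

# Snort priority and Suricata severity both use 1 as the most serious level.
SEVERITY = {1: "high", 2: "medium", 3: "low"}


def normalize(sensor, raw):
    """Map one raw alert into the unified (assumed, IDMEF-like) field set."""
    if sensor == "snort":
        m = SNORT_RE.match(raw)
        if m is None:
            raise ValueError("unparsable snort line: %r" % raw)
        ts = datetime.strptime(m["ts"], "%m/%d/%y-%H:%M:%S.%f").replace(tzinfo=timezone.utc)
        return {"sensor": sensor, "ts": ts.timestamp(), "sid": int(m["sid"]), "name": m["name"],
                "severity": SEVERITY.get(int(m["prio"]), "low"), "proto": m["proto"].upper(),
                "src_ip": m["src"], "src_port": int(m["sport"] or 0),
                "dst_ip": m["dst"], "dst_port": int(m["dport"] or 0)}
    if sensor == "suricata":
        ev = json.loads(raw)
        if ev.get("event_type") != "alert":
            raise ValueError("not an alert record")
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        al = ev["alert"]
        return {"sensor": sensor, "ts": ts.timestamp(), "sid": int(al["signature_id"]),
                "name": al["signature"], "severity": SEVERITY.get(int(al["severity"]), "low"),
                "proto": ev["proto"].upper(), "src_ip": ev["src_ip"],
                "src_port": int(ev.get("src_port", 0)), "dst_ip": ev["dest_ip"],
                "dst_port": int(ev.get("dest_port", 0))}
    raise ValueError("unknown sensor type: %s" % sensor)


def filter_noise(alerts, max_share=0.5):
    """Drop signatures that account for more than max_share of the stream unless any of
    their alerts is high severity. The threshold is a fraction of the stream, so it
    follows volume instead of being a fixed count (constructed heuristic)."""
    if not alerts:
        return [], set()
    by_sid = defaultdict(list)
    for a in alerts:
        by_sid[a["sid"]].append(a)
    noisy = {sid for sid, group in by_sid.items()
             if len(group) / len(alerts) > max_share
             and not any(a["severity"] == "high" for a in group)}
    return [a for a in alerts if a["sid"] not in noisy], noisy


def fuse(alerts, window=60.0):
    """Merge alerts with the same (sid, src_ip, dst_ip) arriving within `window` seconds
    of the previous one into a single meta-alert, regardless of which sensor saw them."""
    meta, open_by_key = [], {}
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["sid"], a["src_ip"], a["dst_ip"])
        m = open_by_key.get(key)
        if m is None or a["ts"] - m["last"] > window:
            m = {"sid": a["sid"], "name": a["name"], "severity": a["severity"],
                 "src_ip": a["src_ip"], "dst_ip": a["dst_ip"], "first": a["ts"],
                 "last": a["ts"], "count": 0, "dst_ports": set(), "sensors": set()}
            open_by_key[key] = m
            meta.append(m)
        m["last"] = a["ts"]
        m["count"] += 1
        m["dst_ports"].add(a["dst_port"])
        m["sensors"].add(a["sensor"])
    return meta


def run(raw_alerts, max_share=0.5, window=60.0):
    """Full pipeline; returns (meta_alerts, suppressed_signature_ids)."""
    alerts = [normalize(sensor, raw) for sensor, raw in raw_alerts]
    kept, noisy = filter_noise(alerts, max_share)
    return fuse(kept, window), noisy


# Constructed sample stream (not real sensor output); signature ids 100000x are local.
RAW_ALERTS = []
for i in range(6):  # Snort: one scanner probing SSH on one host, six times in six seconds
    RAW_ALERTS.append(("snort",
        "01/02/07-10:00:%02d.000000  [**] [1:1000001:1] LOCAL SSH scan [**] "
        "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
        "10.0.0.5:%d -> 10.0.0.9:22" % (i, 40000 + i)))
for i in range(2):  # Suricata sees the same scanner a few seconds later
    RAW_ALERTS.append(("suricata", json.dumps({
        "timestamp": "2007-01-02T10:00:%02d.000000+0000" % (10 + i), "event_type": "alert",
        "src_ip": "10.0.0.5", "src_port": 40010 + i, "dest_ip": "10.0.0.9", "dest_port": 22,
        "proto": "TCP", "alert": {"signature_id": 1000001, "signature": "LOCAL SSH scan",
                                  "severity": 2}})))
RAW_ALERTS.append(("suricata", json.dumps({  # one high-severity follow-up five minutes on
    "timestamp": "2007-01-02T10:05:00.000000+0000", "event_type": "alert",
    "src_ip": "10.0.0.5", "src_port": 40100, "dest_ip": "10.0.0.9", "dest_port": 22,
    "proto": "TCP", "alert": {"signature_id": 1000002, "signature": "LOCAL SSH exploit attempt",
                              "severity": 1}})))
for i in range(10):  # ten low-severity ICMP alerts from many hosts: background noise
    RAW_ALERTS.append(("snort",
        "01/02/07-10:%02d:30.000000  [**] [1:1000003:1] LOCAL ICMP ping [**] "
        "[Priority: 3] {ICMP} 10.0.1.%d -> 10.0.0.1" % (i, 10 + i)))

if __name__ == "__main__":
    meta_alerts, suppressed = run(RAW_ALERTS)
    print("suppressed signatures:", sorted(suppressed))
    for m in meta_alerts:
        print("%s %s->%s x%d sensors=%s" % (m["name"], m["src_ip"], m["dst_ip"],
                                           m["count"], sorted(m["sensors"])))
```

On the constructed stream the ten ICMP alerts make up more than half of the volume and are suppressed, while the eight SSH scan records from two sensors collapse into one meta-alert that names both sensors, followed by a separate high-severity alarm. The severity exemption in filter_noise is the caveat worth keeping: a purely frequency-based rule would also silence a genuine flood, so severity, or the feedback step in point 4 of the framework, has to gate suppression.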
Keywords/Search Tags: Network Security, Intrusion Detection, False Alarm, False Positive, Adaptive, Alert Association