With intrusion detection technology explored, and the causes of some important issues in the intrusion detection field that must be resolved immediately analyzed, an Enhanced Intrusion Detection Agent (E_NIDA) is presented. It works under the Agent-based Distributed Intrusion Detection framework, has an enhanced detection engine inside, and obtains decision-making information from an Assistant Information Collecting Agent (A_ICA). With the cooperation of E_NIDA and A_ICA, the performance of the intrusion detection system can be improved and false positives can be mitigated drastically.

A_ICA is responsible for collecting information about the system or application server software of hosts in the monitored subnet, which is provided to help E_NIDA make decisions. A_ICA recognises the name and version of system or application software by several means, including a "fingerprint" identification technique, and produces a profile of each host. A multi-process mechanism improves its performance, and a plug-in mechanism gives it better extensibility.

E_NIDA detects intrusions by signature-based pattern matching. Protocol analysis and decision-making information help improve detection speed by minimizing the scope of the search and reducing the frequency of matching. With extended intrusion signatures, E_NIDA generates far fewer false positives.

E_NIDA and A_ICA are implemented as a prototype. Controlled in pairs by a center console, they can be deployed in arbitrary numbers, which gives the whole system good distribution and scalability. A_ICAs, E_NIDAs, a data-mining agent and a center console compose a complete intrusion detection system, which practical testing has shown to be feasible and effective.
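
An added sketch (not the E_NIDA prototype's code) of how host profiles from a collector such as A_ICA can narrow signature matching: protocol analysis restricts the signature set, and extended signatures that name their target software and versions are skipped when the profiled host cannot be affected. The `Signature` fields, the `detect` function, and all addresses, software names, versions and patterns are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    sid: int
    proto: str           # protocol the signature applies to
    port: int            # service port the signature applies to
    pattern: bytes       # payload byte pattern
    software: str        # extension: software the attack targets
    versions: frozenset  # extension: affected versions of that software

# Constructed sample data; every name, version and pattern is hypothetical.
SIGNATURES = [
    Signature(1, "tcp", 80, b"/constructed/old.cgi?x=", "ExampleHTTPd", frozenset({"1.0", "1.1"})),
    Signature(2, "tcp", 80, b"/constructed/other.dll", "OtherWeb", frozenset({"5.0"})),
    Signature(3, "tcp", 21, b"SITE CONSTRUCTED", "ExampleFTPd", frozenset({"2.3"})),
]
# Host profiles as a collecting agent might report them: ip -> {port: (software, version)}
PROFILES = {
    "10.0.0.5": {80: ("ExampleHTTPd", "1.1")},  # affected version
    "10.0.0.6": {80: ("ExampleHTTPd", "2.0")},  # unaffected version
}

def detect(packet, signatures=SIGNATURES, profiles=PROFILES):
    """Return (alerting signature ids, number of pattern matches attempted)."""
    alerts, attempted = [], 0
    profile = profiles.get(packet["dst"])
    service = profile.get(packet["dport"]) if profile else None
    for sig in signatures:
        # Protocol analysis: only signatures for this protocol and service are searched.
        if (sig.proto, sig.port) != (packet["proto"], packet["dport"]):
            continue
        # Decision-making information: skip signatures that cannot affect the target.
        # An unprofiled host or port is still matched, so a missing profile never hides an alert.
        if service and (service[0] != sig.software or service[1] not in sig.versions):
            continue
        attempted += 1
        if sig.pattern in packet["payload"]:
            alerts.append(sig.sid)
    return alerts, attempted

def demo():
    """Send the same constructed request to an affected, an unaffected and an unprofiled host."""
    payload = b"GET /constructed/old.cgi?x=1 HTTP/1.0\r\n\r\n"
    return {dst: detect({"dst": dst, "proto": "tcp", "dport": 80, "payload": payload})
            for dst in ("10.0.0.5", "10.0.0.6", "10.0.0.9")}

if __name__ == "__main__":
    for dst, result in demo().items():
        print(dst, result)
```

The same request alerts on the affected host with one match attempted, produces no alert and no match attempts on the unaffected host, and falls back to matching every port-80 signature on the unprofiled host.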