Research On Parallel And Distributed Intrusion Detection Technologies

Posted on: 2012-09-28  Degree: Master  Type: Thesis
Country: China  Candidate: H Wang  Full Text: PDF
GTID: 2218330362960335  Subject: Computer Science and Technology
Abstract/Summary:
Intrusion detection (ID) is an important technology for protecting network security. However, network traffic volume is growing at an exponential rate, and traditional ID based on a single detection engine can hardly satisfy the processing-speed demands of today's network environment. Parallel detection systems based on traffic slicing algorithms have therefore become a research hotspot. For multi-point attacks such as scanning and DDoS, detection from the flow information of a single link is practically impossible, so distributed detection using multiple sensors, one per link, is called for. Nevertheless, the existing means for both parallel detection and distributed detection are imperfect. For these reasons, this thesis studies the technologies of both parallel intrusion detection and distributed intrusion detection. The work mainly includes proposing a unified parallel detection architecture, analyzing different strategies for preserving evidence and keeping load balance in traffic slicing algorithms, designing a traffic slicing algorithm based on the sensors' real-time processing speed, contriving an efficient distributed detection scheme, and developing an integrated platform for the performance evaluation of both parallel and distributed intrusion detection systems. The main work and contributions of the thesis are summarized as follows:

1. Integrating the characteristics of existing parallel detection architectures, a unified parallel detection architecture (UPDA) is proposed. UPDA comprises the function modules needed for parallel detection: the scattering module, the mapping and transforming module, and the detection and analysis module are the basic modules, while the communication and management module and the coordinator module are the main function modules. UPDA can serve as the implementation and evaluation platform for related research.

2. For the traffic slicing algorithm, different strategies for preserving evidence and keeping load balance are summarized and analyzed. The traffic slicing algorithm is one of the kernels of a parallel detection system; its basic requirements are to preserve the evidence necessary to detect all attacks and to keep the load balanced among sensors. By analyzing existing traffic slicing algorithms, the evidence-preserving strategies are classified into attack-scenario-slicing-based, hash-mapping-based, flow-correlation-based and sensor-communication-based strategies. The load-balancing strategies are classified into static and dynamic strategies, where dynamic strategies include activation strategies and proactive strategies. This summary and analysis can guide the design of traffic slicing algorithms.

3. A traffic slicing algorithm, RTPSF (Real-Time Processing Speed Feedback), based on the sensors' real-time processing speed is designed. RTPSF dynamically slices network traffic in proportion to the sensors' real-time load and outperforms the traditional Round-Robin algorithm in load balancing. RTPSF takes a sensor's real-time processing speed as the representation of its real-time load. When the volume of network traffic overwhelms the capability of the parallel detection system, RTPSF becomes aware of it and raises an alarm in time. By tracing the working flow of a NIDS, a method for computing the instantaneous processing speed is derived, and from it a formula for estimating the real-time processing speed is deduced.

4. An efficient distributed detection scheme (EDDS) is contrived. EDDS reduces storage overhead by introducing an improved optimal dynamic bit sharing technique into the sensors to measure the spread of sources, and cuts communication overhead by adopting a probability-based communication algorithm, while guaranteeing that the false negative and false positive ratios stay within a preset range. Through mathematical analysis, the minimal communication probability P that still guarantees the performance objective is derived.

5. An integrated platform for the performance evaluation of both parallel and distributed intrusion detection systems is developed. By combining the functions of its modules, the platform can evaluate the performance of both parallel and distributed detection systems. This platform is the foundation for validating the performance of the algorithms in this thesis. Besides the platform, peripheral data analysis tools are developed, such as tools for selecting optimal system input parameters, analyzing network traffic distribution, and analyzing experimental results.
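The speed-weighted slicing idea behind RTPSF, as an added illustration that is not the thesis's own code or formula: the sensor speeds and flows are constructed, and the "lowest assigned/speed ratio" rule is an assumed stand-in for the thesis's real-time speed estimator. It contrasts the result with Round-Robin, pins each flow to one sensor so its evidence stays together, and checks the overload condition that should raise an alarm.

```python
from dataclasses import dataclass


@dataclass
class Sensor:
    name: str
    speed: float           # real-time processing speed fed back by the sensor (pkt/s)
    assigned: float = 0.0  # traffic rate currently sliced onto this sensor (pkt/s)


def make_sensors():
    """Constructed sensor pool with a 1:2:4 spread in processing speed."""
    return [Sensor("A", 1000.0), Sensor("B", 2000.0), Sensor("C", 4000.0)]


def constructed_flows():
    """Constructed traffic: twelve flows of 500 pkt/s each (6000 pkt/s offered)."""
    return [(f"flow{i}", 500.0) for i in range(12)]


def slice_round_robin(flows, sensors):
    """Baseline: the i-th new flow goes to sensor i mod N, ignoring sensor speed."""
    table = {}
    for i, (flow_id, rate) in enumerate(flows):
        sensor = table.setdefault(flow_id, sensors[i % len(sensors)])
        sensor.assigned += rate
    return table


def slice_by_speed(flows, sensors):
    """Speed-weighted slicing (assumed rule, not the thesis's formula): a new
    flow goes to the sensor with the lowest assigned/speed ratio, so each
    sensor's load tracks the speed it reports. Packets of an already-mapped
    flow stay on the same sensor, keeping the evidence for that flow together."""
    table = {}
    for flow_id, rate in flows:
        if flow_id not in table:
            table[flow_id] = min(sensors, key=lambda s: s.assigned / s.speed)
        table[flow_id].assigned += rate
    return table


def utilisation(sensors):
    """Load relative to speed; above 1.0 a sensor is offered more than it can process."""
    return {s.name: round(s.assigned / s.speed, 3) for s in sensors}


def system_overloaded(sensors):
    """Alarm condition: offered traffic exceeds the pool's aggregate processing speed."""
    return sum(s.assigned for s in sensors) > sum(s.speed for s in sensors)
```

With the constructed inputs, Round-Robin drives the slowest sensor to twice its capacity while the speed-weighted rule keeps every sensor at or below 1.0, even though the total offered load is identical.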
Keywords/Search Tags: Intrusion Detection, Parallel Detection, Distributed Detection, Traffic slicing, Load balancing, Spread