
Distributed Intrusion Detection System And The Information Fusion Technology Research And Practice

Posted on: 2004-12-27
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J G Jiang
GTID: 1118360122965422
Subject: Applied Mathematics
Abstract/Summary:
As dynamic security equipment, an intrusion detection system (IDS) can safeguard information security automatically and in real time. It supplements static security equipment such as firewalls, and so has received more and more attention. With the popularization and application of networks, the distributed intrusion detection system (DIDS) has become the mainstream of technology development and a leading research field.

In intrusion detection research, one concern is how to improve detection capability to keep up with increasingly complicated attack methods. Another is applying agent technology to the structural design of IDS, so that it suits vast networks, high-speed networks and distributed heterogeneous network environments. In addition, there has been comparatively little research on applying multisensor information fusion technology to DIDS to achieve multi-level, multi-faceted information processing, monitoring and evaluation of network security status.

Our task is to combine multisensor information fusion with distributed intrusion detection, in the hope of uniformly processing all kinds of data and information from multiple heterogeneous distributed sensors so as to evaluate the security situation of the whole network environment. This requires designing and developing an intrusion detection system suited to the Internet, called Cyber-IDS. It can be used for intrusion detection and security response in a vast, heterogeneous network environment. This new generation of IDS must be able to distinguish and trace network activity in cyberspace automatically, so as to monitor all kinds of attacks in cyberspace. To address the shortcomings of existing intrusion detection systems, this paper puts forward the idea of a distributed intrusion detection system based on multisensor information fusion technology, namely Cyber-IDS.

Traditional IDS, consisting of host-based IDS and network-based IDS, are limited to safeguarding a single host system or network system; the resources and scope they protect are highly localized. To obtain a whole view of an attacker's actions, and ultimately to keep the attacker out, we must look across multiple networks and multiple kinds of defense systems and perform intrusion detection that draws that whole view from multiple distributed systems, as opposed to the much more common network-centered viewpoint. We need to consider not only defending against attack but also tracing and monitoring the attacker. This is the goal of Cyber-IDS: performing intrusion detection from a network-situation-centered viewpoint.

In this paper, a system structure suited to the Internet is put forward through research and analysis of the system structures of distributed IDS, and the model framework of Cyber-IDS is thereby set up. Cyber-IDS is a multi-agent system that organizes multiple existing agents to accomplish work that those single agents cannot do alone. A multi-agent system is not a simple combination of agents; it must have a strictly designed system structure in order to fuse information from multiple sources. The strictly designed tree-shaped hierarchy ensures scalability, robustness, real-time performance, security, usability and so on.

Through research on information fusion systems and their combination with the system architecture of Cyber-IDS, a system model of multisensor information fusion that can be used to perform intrusion detection is set up. It is composed of the function model and the architecture model of the system, and it can show the multilayer abstraction of data. As information is transferred upward through the system structure, its level of representation also moves from low to high. At the lowest layer, the original sensor data is converted to signal-type information, and through a series of fusion steps the information can be converted to more abstract numbers and symbols...
Keywords/Search Tags: information fusion, distributed system, intrusion detection, Cyber-IDS, agent, multi-agent system, data correlation, track, detection