
Agent Peer-based Distributed Intrusion Detection System

Posted on: 2007-04-14
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y G Zhang
Full Text: PDF
GTID: 1118360212470753
Subject: Applied Mathematics
Abstract/Summary:
As demands on computer security grow, traditional firewalls and single-point intrusion detection can no longer meet the need to defend against intrusions, and distributed intrusion detection has become an important research area. This paper studies the key technologies of an agent-based, high-performance, peer-to-peer distributed intrusion detection system, including distributed intrusion detection itself, agent theory, high-performance still agents (stationary agents, as opposed to mobile agents) for network packets, high-performance still agents for host audit data, a peer-to-peer distributed intrusion detection model, extensions of the high-performance model, and so on. Based on this research we designed a system called APDIDS, the Agent-based P2P Distributed Intrusion Detection System.

To address the poor performance of traditional distributed intrusion detection systems, this paper designs two high-performance models, one for network packets and one for host audit data.

A distributed intrusion detection system collects data through sensors and sends it to still agents (also called local agents) for analysis. Still agents are generally placed at different points inside a sub-net to monitor it. As network bandwidth grows, a still agent has to operate on 1 Gbps links or faster, and traditional distributed intrusion detection systems find it hard to keep up with line speed. This paper analyses the still-agent model for network packets, taking Snort as the example, and proposes a method based on dynamic loading of the pattern set: the pattern set is partitioned according to the function of each pattern, and still agents load the partitions dynamically, so as to improve still-agent performance.

To protect important computers, large amounts of audit data are generated by their different components for later auditing. A second kind of still agent is used to analyse this audit data. In medium- and large-scale networks, the important computers are typically web servers, mail servers and the like, which handle many concurrent accesses and generate huge volumes of audit data. If this kind of still agent runs on the important computer itself, the computation needed to analyse the audit data will cause many...
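The pattern-set partitioning described above, as an added illustration that is not code from the dissertation or from APDIDS (the abstract shows none): the rule set is split by the service each pattern targets, taken here as (protocol, destination port), which is one assumption of what "partitioning by function" means, and the still agent loads a partition the first time it sees traffic to that service. The rule syntax is a simplified Snort-like form, and the sids, patterns and packets are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One detection pattern in a simplified Snort-like form (assumed syntax)."""
    sid: int
    proto: str        # "tcp" or "udp"
    dst_port: int     # service the pattern targets; used as the partition key
    content: bytes    # byte pattern searched for in the payload
    msg: str


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int
    payload: bytes


# Constructed sample rule set: sids and patterns are hypothetical, not real Snort rules.
RULES = [
    Rule(1001, "tcp", 80, b"/cgi-bin/", "web: cgi-bin probe"),
    Rule(1002, "tcp", 80, b"../..", "web: directory traversal"),
    Rule(1003, "tcp", 25, b"VRFY ", "smtp: user enumeration"),
    Rule(1004, "tcp", 25, b"EXPN ", "smtp: list expansion"),
    # name terminator, QTYPE 252 (AXFR), QCLASS 1 (IN)
    Rule(1005, "udp", 53, b"\x00\x00\xfc\x00\x01", "dns: zone transfer (AXFR) query"),
    Rule(1006, "tcp", 21, b"SITE EXEC", "ftp: SITE EXEC"),
]

# Constructed sample traffic as seen by one still agent on its sub-net.
SAMPLE_PACKETS = [
    Packet("tcp", 80, b"GET /cgi-bin/test.cgi HTTP/1.0\r\n\r\n"),
    Packet("tcp", 25, b"VRFY root\r\n"),
    Packet("tcp", 22, b"SSH-2.0-OpenSSH_5.3\r\n"),            # no rules for this service
    Packet("udp", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # DNS header
                      b"\x07example\x03com\x00\x00\xfc\x00\x01"),            # example.com AXFR IN
]


def partition_by_function(rules):
    """Group rules by the service they target, here (proto, dst_port)."""
    parts = defaultdict(list)
    for r in rules:
        parts[(r.proto, r.dst_port)].append(r)
    return dict(parts)


class StillAgent:
    """Stationary agent that loads a rule partition the first time it sees
    traffic to that service, and only ever tests that partition."""

    def __init__(self, partitions):
        self.partitions = partitions
        self.loaded = {}        # partitions pulled in so far
        self.examined = 0       # rules examined; the cost metric compared below

    def _load(self, key):
        if key not in self.loaded:
            self.loaded[key] = self.partitions.get(key, [])
        return self.loaded[key]

    def inspect(self, pkt):
        hits = []
        for r in self._load((pkt.proto, pkt.dst_port)):
            self.examined += 1
            if r.content in pkt.payload:
                hits.append(r.sid)
        return hits


def run_agent(packets, rules=RULES):
    """Returns (alerts per packet, total rules examined) with partitioning."""
    agent = StillAgent(partition_by_function(rules))
    alerts = [agent.inspect(p) for p in packets]
    return alerts, agent.examined


def run_baseline(packets, rules=RULES):
    """Same detection, but every rule is examined for every packet."""
    alerts, examined = [], 0
    for p in packets:
        hits = []
        for r in rules:
            examined += 1
            if r.proto == p.proto and r.dst_port == p.dst_port and r.content in p.payload:
                hits.append(r.sid)
        alerts.append(hits)
    return alerts, examined


if __name__ == "__main__":
    print("partitioned:", run_agent(SAMPLE_PACKETS))
    print("baseline:   ", run_baseline(SAMPLE_PACKETS))
```

Both paths raise the same alerts; over the four packets the partitioned agent examines 5 rules where the baseline examines 24, and the SSH packet costs it nothing because no partition exists for that service. Snort itself uses a multi-pattern matcher rather than a per-rule substring search, so in practice the gain from partitioning lies in smaller matcher state per partition and in never loading rules for services a segment does not carry, rather than in the raw count shown here.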
Keywords/Search Tags: Intrusion detection, distributed intrusion detection, still agent, mobile agent, peer-to-peer network model