
A Study On Object-Monitoring-based Distributed And Collaborative Intrusion Detection

Posted on: 2009-12-07
Degree: Doctor
Type: Dissertation
Country: China
Candidate: S H Teng
GTID: 1118360242991750
Subject: Industrial Engineering

Abstract/Summary:
Vulnerabilities in computer operating systems, databases, large system and application software, and network protocols are inevitable, and they pose a serious problem for computer network security. In practice, network attacks occur very often, so it is very important to build a defense system for the network, and within that defense system intrusion detection plays an important role. However, although great effort has been devoted to intrusion detection over more than two decades, it is still in its infancy. The main problems are: ① the high false-positive and false-negative rates make the existing intrusion detection methods difficult to use; ② there is no effective method for detecting the new attacks that are created almost every day; ③ distributed attacks render many intrusion detection methods useless; and ④ the huge volume of data to be processed by an intrusion detection system requires prohibitive computation. Motivated by these problems, this paper presents a novel method that solves some of them to some extent.

Noticing that different taxonomies of attacks lead to different intrusion detection methods that detect different attacks, a new taxonomy of attacks, called the object-result-mechanism-characteristics (O-R-M-C) taxonomy, is presented. This taxonomy reveals the nature of attacks and makes it easy to capture the essential features of a type of attack.

Based on the O-R-M-C taxonomy, an architecture for distributed and collaborative intrusion detection is further proposed. It contains six levels: sensing, event generation, feature-based detection, scenario-based detection, data fusion, and control center. Four kinds of intrusion detection agents are designed and implemented: a signature-based intrusion detection agent, a scenario-based intrusion detection agent, a statistical intrusion detection agent, and a data-fusion-based intrusion detection agent.

An attack mainly consists of three phases: 1) a preparation phase, in which the attacker gathers information about the target by scanning; 2) an attacking phase, in which the attacker executes a series of actions; and 3) the realization of the attack goal. For attacks in phase 1), one can focus on the object and on features drawn from the attack mechanism and characteristics; the detection method proposed for this phase is signature-based detection, which is composed of three modules: a feature-based detection module, a scenario-based detection module, and a statistical analysis module. For attacks in phase 2), the attack process creates a scenario in which the key question is whether the attacker's goal can be reached. One can therefore focus on the attack result when detecting an attack, and an automaton model is proposed to describe such scenarios. This model can describe the scenarios of a variety of attacks derived from a known attack; these attacks are variations of the known attack and form a number of new attacks. Based on the automaton model, a detection method is presented that can detect all the attack variations of a known attack. Because the attack variations differ from the known attack in their signatures, they are new attacks in some sense, and hence the presented method can detect new attacks in this sense.

At the data fusion level, fusion techniques are presented to cope with distributed attacks, and by means of these techniques some improvements are obtained. To demonstrate the proposed techniques, an intrusion detection prototype system called CoIDM (Collaborative Intrusion Detection Model) was developed, and experiments carried out in our laboratory show that our methods bring improvements. In particular, it is verified that some collaborative attacks and multi-session-based attacks can be detected by CoIDM. We also point out the limitations of our work and address future work.
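As an added illustration of scenario-based detection through a state-transition (automaton) model correlated across sessions, the sketch below is not CoIDM's code or the dissertation's model; the state names, event types and the sample event streams are constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample event stream: (session_id, target_host, event_type).
# Sessions s1 and s2 hit the same host, so the attack spans multiple sessions.
EVENTS = [
    ("s1", "10.0.0.5", "port_scan"),
    ("s1", "10.0.0.5", "http_get"),          # unrelated noise event
    ("s2", "10.0.0.5", "exploit_attempt"),
    ("s2", "10.0.0.5", "shell_spawn"),
    ("s3", "10.0.0.9", "port_scan"),
    ("s3", "10.0.0.9", "login_fail"),        # preparation only, no goal reached
]

# A variation of the same scenario with different event signatures but the
# same attack result, to show that the automaton still reaches the goal.
VARIANT_EVENTS = [
    ("s4", "10.0.0.7", "version_probe"),
    ("s5", "10.0.0.7", "brute_force_success"),
    ("s5", "10.0.0.7", "reverse_connect"),
]

# Hypothetical scenario automaton (not CoIDM's): state -> {event_type: next_state}.
# Several event types may fire the same transition, which is how variations
# of the known attack are covered; the goal state stands for the attack result.
SCENARIO = {
    "start":     {"port_scan": "recon", "version_probe": "recon"},
    "recon":     {"exploit_attempt": "exploited", "brute_force_success": "exploited"},
    "exploited": {"shell_spawn": "goal", "reverse_connect": "goal"},
}
GOAL = "goal"

def track_scenarios(events, scenario=SCENARIO, goal=GOAL):
    """Run one automaton instance per target host; return (alerts, states).

    Events are correlated by target rather than by session, so steps spread
    over several sessions advance the same instance. Events with no matching
    transition are ignored, so extra noise does not break the match.
    """
    states = defaultdict(lambda: "start")
    alerts = []
    for _session, target, etype in events:
        nxt = scenario.get(states[target], {}).get(etype)
        if nxt is None:
            continue                      # not part of this scenario at this state
        states[target] = nxt
        if nxt == goal:
            alerts.append(target)         # attack result reached: raise an alert
            states[target] = "start"      # reset so a repeat attack is seen again
    return alerts, dict(states)
```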
Keywords/Search Tags: intrusion detection, attack categorization, object, mechanism, state transition, collaborative intrusion detection, intrusion scenario, data fusion