
Research On Technologies Of Cooperative Post Intrusion Detection Based Upon Mobile Agents

Posted on: 2009-06-10
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Z Q Wang
GTID: 1118360272479310
Subject: Computer application technology

Abstract/Summary:
Advances in information technology directly drive the development of security tools. From early anti-virus software to later firewalls and on to present-day intrusion detection systems, information security tools have become increasingly active and intelligent. Today the intrusion detection system is an important link in security defense. However, research on intrusion detection has concentrated on selecting suitable data sources and data attributes, inventing new algorithms or refining existing ones, improving the framework of intrusion detection systems to raise detection accuracy and widen detection coverage, and reducing false negatives and false positives, while neglecting the processing of alerts; this places too heavy a burden on the system manager. Masses of false and unrelated alerts obscure the true ones and reduce the efficiency and success rate of intrusion response. As a result, intrusion detection systems need to be designed and implemented from a novel angle.

To address these problems, this dissertation studies in depth the cooperative intrusion detection system, alert correlation and traceback response after analyzing the state of current intrusion detection. Taking the multi-cooperative mechanism as the core, it undertakes the following work:

(1) Through an analysis of present cooperative intrusion detection models and the related technologies, the related work on alert correlation and traceback response is presented comprehensively. The problems of current technologies are then discussed, which motivates the study of a cooperative post-intrusion detection model.

(2) Based on an analysis of current intrusion detection models, combined with the features of mobile agents and the corresponding cooperative mechanism, the framework of a cooperative intrusion detection system based on mobile agents is proposed. The system avoids a single point of failure, avoids the network load caused by moving massive amounts of data, and allows individual system modules to change without affecting the others. Independent mobile agents accomplish complicated tasks and achieve intelligent operation of the system through mutual communication. The multi-cooperative mechanism ensures orderly interaction among system modules and strengthens their overall cooperation.

(3) To discover the attack strategy behind alert information, an approach to hybrid alert correlation based on mobile agents is put forward. Taking time and space as its two dimensions, the method correlates current alerts both with those occurring simultaneously and with those occurring before and after them. Predicate formulas express each alert's precondition and consequence; matching the preconditions and consequences of different alerts is achieved by decomposing the predicate formulas, and alerts are correlated on that basis.

(4) A traceback response strategy based on mobile agents is proposed. Taking the correlated alerts as input, the alert information is preprocessed by alert verification and confidence learning. Effective packets are then extracted and, using the inverse of the packet-marking mechanism, the packet's attack path is traced and reconstructed.

(5) An integration policy for the multi-cooperative mechanism in Co-MAIDS is put forward based on the contents discussed above. The policy integrates the multi-cooperative mechanism with communication cooperation, alert-correlation cooperation, cooperation between alert correlation and intrusion response, and intrusion-response cooperation as its core. These forms of cooperation build bridges between information, alerts and responses, ensuring the orderliness and integrity of the interactions in the system.
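As an added illustration (not code from the dissertation) of the precondition/consequence matching described in (3): each alert carries conjunctive predicate formulas that are decomposed into atomic predicates, and an earlier alert is correlated with a later one when one of its consequences satisfies a precondition of the later alert within a time window. The window value, predicate names, hosts and alert ids below are constructed assumptions, and the chain walk simply follows the earliest recorded enabler.

```python
from collections import defaultdict

WINDOW = 600  # seconds an earlier alert may precede a later one (constructed value)

def decompose(formula):
    """Split a conjunctive predicate formula 'P(a) & Q(b)' into atomic predicates."""
    return {p.strip() for p in formula.split("&") if p.strip() and p.strip() != "True"}

class Alert:
    def __init__(self, aid, ts, precond, conseq):
        self.aid, self.ts = aid, ts
        self.precond = decompose(precond)   # what must hold for the attack step to succeed
        self.conseq = decompose(conseq)     # what holds once it has succeeded

def prepares(earlier, later, window=WINDOW):
    """earlier prepares later when it precedes it within the window (time dimension)
    and one of its consequences satisfies a precondition of later (predicate match)."""
    if not 0 <= later.ts - earlier.ts <= window:
        return False
    return bool(earlier.conseq & later.precond)

def correlate(alerts):
    """Build the prepare-for graph: later alert id -> ids of alerts that enabled it."""
    alerts = sorted(alerts, key=lambda a: a.ts)
    graph = defaultdict(list)
    for j, later in enumerate(alerts):
        for earlier in alerts[:j]:
            if prepares(earlier, later):
                graph[later.aid].append(earlier.aid)
    return dict(graph)

def attack_chain(graph, aid):
    """Follow prepare-for edges backwards to reconstruct one attack strategy."""
    chain = [aid]
    while graph.get(chain[-1]):
        chain.append(graph[chain[-1]][0])   # enablers are listed earliest first
    return list(reversed(chain))

# Constructed sample alerts (not from the dissertation); hosts are illustrative.
SAMPLE = [
    Alert("a1", 100, "True", "HostAlive(10.0.0.5) & PortOpen(10.0.0.5,445)"),
    Alert("a2", 250, "PortOpen(10.0.0.5,445)", "PrivilegeGained(10.0.0.5)"),
    Alert("a3", 400, "PrivilegeGained(10.0.0.5)", "Compromised(10.0.0.5)"),
    Alert("a4", 420, "PortOpen(10.0.0.9,22)", "PrivilegeGained(10.0.0.9)"),  # unrelated
]

if __name__ == "__main__":
    g = correlate(SAMPLE)
    print(g)                        # {'a2': ['a1'], 'a3': ['a2']}
    print(attack_chain(g, "a3"))    # ['a1', 'a2', 'a3']
```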
Keywords/Search Tags: Cooperative, Post intrusion detection, Mobile Agent, Alert correlation, Traceback response