
Research Of Key Technologies On Distributed Intrusion Detection System

Posted on: 2009-06-29
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y F Chen
GTID: 1118360278966430
Subject: Computer application technology

Abstract:
Intrusion Detection Systems play a key role in computer network security. Based on an in-depth analysis of current intrusion detection technologies, this paper proposes and builds a complete Distributed Intrusion Detection System on a mobile agent platform. Compared with traditional intrusion detection systems, the system offers better detection performance together with reliability, robustness, adaptability and other advantages.

The key technologies of the proposed Distributed Intrusion Detection System comprise one platform and three subsystems: an intrusion detection platform based on mobile agents, a host intrusion detection subsystem based on sequence analysis of system calls, a host intrusion detection subsystem based on correlation analysis of user behavior, and a network intrusion detection subsystem based on immune analysis of network packets.

This paper first defines the basic characteristics and key technical elements of a Distributed Intrusion Detection System, and then describes the key role of the intelligent mobile agent platform within it. A scheme for mobile agent location transparency is then put forward, which effectively solves the location management and messaging problems that underlie the mobile agent platform. Finally, an architecture for a mobile-agent-based distributed intrusion detection system built on this platform is presented, together with the related tests.

Most intrusions achieve their destructive purpose through system calls. Based on the principle that the system call sequences of a specific program are stable, this paper presents a system architecture and detailed design based on sequence analysis of system calls. First, system call information is extracted by copying kernel data into a user-space buffer. Then, a normal-mode database is built by training on a large volume of normal system call sequences collected under intrusion-free conditions.
Finally, the system call sequences obtained by real-time monitoring of specific programs are matched against the normal-mode database, and their greatest similarity is calculated by Hamming distance to determine whether an intrusion has occurred. The intrusion detection subsystem based on sequence analysis of system calls has been implemented on the mobile agent platform and tested.

Many intrusions are carried out through illegal operations by legitimate users. Unlike sequence analysis of system calls, user behavior analysis mainly concerns the illegal or misuse operation patterns of legitimate users. Based on the correlation between successive ordinary operations in user behavior, this paper presents a system architecture and detailed design based on correlation analysis of user behavior. First, the behavioral characteristics and patterns of legitimate users are defined using a combination of static and dynamic user behavior models. Then, user behavior data is built per user session for each login from operating system log information. Finally, the similarity of the correlation sequence is calculated by a recursive correlation function algorithm to determine whether an intrusion has occurred. The intrusion detection subsystem based on correlation analysis of user behavior has been implemented on the mobile agent platform and tested.

Network packet analysis can effectively monitor large-scale computer networks by analyzing and processing large-scale network data flows. The natural distribution of the immune system suits the needs of a Distributed Intrusion Detection System. This paper presents a system architecture and detailed design based on immune analysis of network packets on the mobile agent platform. The self characteristics of a network packet are expressed in the simplest binary form, and the distance between packet characteristics is expressed as Euler distance.
The initial detector set is generated by an exhaustive method with simple r-contiguous matching. Moreover, each detection sub-node can independently produce its own detector set. A pool is set up for the overall detector set, storing the filtered detector sets derived from the various sub-nodes, and future elite generations are produced through clonal selection based on the secondary mechanism. In the end, through immune tolerance at the sub-nodes and clonal selection at the overall node based on the secondary elite search mechanism, the Intrusion Detection System keeps all sub-nodes and the overall node in constant evolution, and the probability of detection failure is greatly reduced.

Finally, a Distributed Intrusion Detection prototype system based on the mobile agent platform is proposed and implemented. Experimental results show that the mobile agent platform is fully capable of serving as a reliable and secure platform for a Distributed Intrusion Detection System, and that the sequence analysis subsystem based on system calls, the correlation analysis subsystem based on user behavior and the immune analysis subsystem based on network packets, all running on the mobile agent platform, fully achieve the intended objectives.
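As an added illustration of the system-call sequence analysis subsystem described in the abstract (not code from the dissertation), the following Python sketch trains a normal-mode database of sliding windows from constructed attack-free traces and scores a monitored trace by its greatest Hamming-distance similarity; the window size, threshold and trace contents are assumptions.

```python
# Constructed, attack-free traces of a hypothetical program, used to train
# the normal-mode database (system call names are illustrative).
NORMAL_TRACES = [
    ["open", "read", "mmap", "mmap", "close", "write", "exit"],
    ["open", "read", "read", "mmap", "close", "write", "exit"],
    ["open", "mmap", "read", "close", "write", "write", "exit"],
]

def windows(trace, k):
    """All windows of k consecutive system calls in a trace."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def build_normal_db(traces, k):
    """Normal-mode database: the set of k-windows seen during training."""
    db = set()
    for trace in traces:
        db.update(windows(trace, k))
    return db

def hamming(a, b):
    """Number of positions at which two equal-length windows differ."""
    return sum(x != y for x, y in zip(a, b))

def best_similarity(window, db):
    """Greatest similarity of a window to the database, in [0, 1]:
    1 - (minimum Hamming distance over all stored windows) / k."""
    k = len(window)
    return 1.0 - min(hamming(window, w) for w in db) / k

def analyse(trace, db, k, threshold=0.5):
    """Score every window of a monitored trace against the database.
    Returns the lowest best-similarity seen and the windows below threshold;
    a non-empty anomaly list is the subsystem's intrusion signal."""
    ws = windows(trace, k)
    scores = [best_similarity(w, db) for w in ws]
    anomalies = [(w, s) for w, s in zip(ws, scores) if s < threshold]
    return min(scores), anomalies

if __name__ == "__main__":
    db = build_normal_db(NORMAL_TRACES, 3)
    # Constructed monitored trace: the program unexpectedly opens a socket and execs.
    suspicious = ["open", "read", "mmap", "socket", "connect", "execve", "exit"]
    print(analyse(suspicious, db, 3))
```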
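The immune analysis subsystem described above, as an added example rather than the dissertation's own code: packet features are constructed 8-bit strings, detectors are generated exhaustively and censored by r-contiguous matching against each sub-node's self set (immune tolerance), then pooled at the overall node. Clonal selection is not modelled; L, R and the self sets are assumptions.

```python
from itertools import product

L = 8  # bits per packet feature string (assumed encoding: 3 protocol bits + 5 port-bucket bits)
R = 5  # r-contiguous matching threshold (assumed)

def r_contiguous_match(a, b, r=R):
    """True if a and b agree in at least r consecutive bit positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False

def censor(candidates, self_set, r=R):
    """Immune tolerance: keep only candidates that match no self string."""
    return {c for c in candidates
            if not any(r_contiguous_match(c, s, r) for s in self_set)}

def generate_detectors(self_set, r=R):
    """Exhaustive generation: every one of the 2**L strings is a candidate
    detector, and those matching self are removed."""
    candidates = ("".join(bits) for bits in product("01", repeat=L))
    return censor(candidates, self_set, r)

def pooled_detectors(self_sets, r=R):
    """Each sub-node builds its own detector set; the overall node pools them
    and re-censors the pool against every sub-node's self set, so a detector
    tolerant at one node cannot flag traffic that is normal at another."""
    pool = set()
    for self_set in self_sets:
        pool |= generate_detectors(self_set, r)
    return censor(pool, set().union(*self_sets), r)

def is_nonself(packet, detectors, r=R):
    """A packet is non-self (suspicious) if any detector matches it."""
    return any(r_contiguous_match(d, packet, r) for d in detectors)

# Constructed self sets observed at two detection sub-nodes.
SELF_NODE_A = {"00010001", "00010010", "00010011"}
SELF_NODE_B = {"01100001", "01100010"}

if __name__ == "__main__":
    detectors = pooled_detectors([SELF_NODE_A, SELF_NODE_B])
    for pkt in ["00010001", "00010000", "11111111"]:
        print(pkt, "non-self" if is_nonself(pkt, detectors) else "self")
```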
Keywords: Intrusion Detection System, Mobile Agent, Sequence Analysis, Correlation Analysis, Artificial Immune System