
Study On Intrusion Detection System Based On Mobile Agent Technology

Posted on: 2010-12-18 | Degree: Doctor | Type: Dissertation
Country: China | Candidate: Y G Deng | Full Text: PDF
GTID: 1118360302471852 | Subject: Computer applications
Abstract/Summary:
With the rapid development of the Internet, more and more computers are suffering from attacks, and attackers now have more knowledge and more means at their disposal. Conventional security methods cannot meet the security demands of computer networks. As networks grow larger and faster, the volume of data increases rapidly and the problem becomes more serious. Intrusion detection is becoming an absolutely necessary security method for computer networks. It has become one of the core techniques in the field of security and can make up for the deficiencies of other security methods.

Progress has been made in research on intrusion detection systems and techniques, but it has not kept up with the development of networks. The extension and speedup of networks result in a substantial increase in the information to be processed, and the performance of current intrusion detection systems has declined. They may fail to report attack events because they cannot check all data in time. Faster intrusion detection algorithms and system architectures must be designed.

Against this research background, this dissertation aims to speed up detection and attain high performance in intrusion detection systems. Network intrusion detection algorithms and a distributed system based on mobile agents are studied. The main contributions of this dissertation are summarized as follows:

First, the characteristics and merits of intrusion detection systems and of mobile agent technology are described. To avoid single-point failure, a distributed intrusion detection system model based on the asynchrony and mobility of mobile agents is proposed. The operations of the main agents are given. Experimental results illustrate that the model is highly modular, configurable, scalable, and adaptable to network topology, that it effectively solves the problem of single-point failure, and that it is of practical importance.

Second, combining Petri nets with fuzzy theory, FPN (Fuzzy Petri Nets) is introduced into intrusion detection. In this dissertation, FPN is used to address problems such as the following: conventional intrusion detection systems cannot use knowledge to reason in parallel, the process description of conventional search models based on Petri nets is comprehensive, and conventional reasoning has little intelligence. The model proposed in this dissertation adopts FPN as the intrusion detection engine. Based on the existence of a reasoning sequence, an improved algorithm based on an alarm threshold is given.

Third, because an intrusion detection system inevitably needs string pattern matching, and the efficiency of string pattern matching directly affects the performance of the system, a modified string pattern matching algorithm based on the occurrence frequency of characters and the idea of divide and conquer is presented. It can skip over more characters than the Boyer-Moore algorithm, which is the one most widely used at present. It can also be programmed in parallel to accelerate intrusion detection, decrease the total number of matching operations, and speed up the signature rule matching of the intrusion detection system.

Fourth, to resolve the problem that current scan detection algorithms cannot recognize hidden scanning and slow scanning, a scan detection algorithm based on a finite state machine of protocol status is proposed. It detects common scanning more exactly and is also effective against the hidden scanning and slow scanning that current scan detection algorithms cannot recognize. Experiments indicate that the algorithm improves the performance of scan detection and reduces the false alarm rate and the number of alarms.

Fifth, mobile agents need to move to certain hosts in order to accomplish their tasks, while the network topology is dynamic. How agents transit through a dynamic network affects the overall performance of an application system based on mobile agents. A mobile agent transition algorithm based on the weighted transition basic map is presented, analyzed, and tested. The results show that it adapts to dynamic networks and has a low transition cost.

Finally, to enhance the robustness of the intrusion detection system, a reconstruction algorithm based on network load topology, some definitions and theorems, a cut-edge recognition algorithm based on spanning trees, and a previous reconstruction algorithm based on cut-edges and network load topology are presented to deal with the failure of network links. By activating the sub-center nodes and their backup nodes, these algorithms allow mobile agents to keep working without interruption in their connected sub-network and enhance the robustness of the intrusion detection system based on mobile agents.
Keywords/Search Tags: Intrusion Detection System, Mobile System, Rule Matching, Fuzzy Petri Nets, Network Load Topology