
A Distributed Intrusion Detection Framework In Large-scale Networks

Posted on: 2004-02-19
Degree: Master
Type: Thesis
Country: China
Candidate: Y Hu
Full Text: PDF
GTID: 2168360092995214
Subject: Communication and Information System
Abstract/Summary:
Intrusion Detection is an essential component of critical infrastructure protection mechanisms. Nowadays, with the development of computer and network technologies, the wide adoption of distributed computing environments, and the recent appearance of distributed Denial-of-Service (DDoS) attacks, traditional centralized intrusion detection systems, which only concern themselves with their local network environment or a single host, have proved insufficient. As a result, Distributed Intrusion Detection Systems have appeared and have developed into one of the focuses of intrusion detection research. This thesis describes a Distributed Intrusion Detection prototype system for use in large-scale networks.

By describing some typical systems, we analyze the models and structures widely adopted by most current Distributed Intrusion Detection Systems (DIDS). Weighing the advantages and disadvantages of these models and structures, we choose the Hierarchical Cooperation Model to construct our system; it integrates the advantages of the hierarchical model and the collaborative model. Components in our system are classified as Sensors and Analyzers. Each domain has one analyzer and several sensors, and the sensors are subordinate to the analyzer. Sensors collect audit data, detect anomalous events, and report them to the analyzer of their domain. The analyzer integrates the information provided by all of its sensors and collaborates with the analyzers of other domains in detection and response.

The traditional pure "knowledge engineering" process of building Intrusion Detection Systems (IDSs) has limited extensibility in the face of changed or updated network configurations, and poor adaptability in the face of new attack methods. Our system uses data mining algorithms to analyze network-based and host-based audit data and to generate intrusion detection rules and models automatically. After the data mining process, our system also distributes these intrusion detection models and rules to the other detection components automatically. Then, when an unknown attack takes place, sensors can detect subsequent similar attacks, sparing administrators from coding and distributing rules manually.

Components of an intrusion detection system need to communicate with each other, which requires a uniform communication format. We choose the Intrusion Detection Message Exchange Format (IDMEF) defined by the IDWG of the IETF. The types of message used in our system are more than those defined in IDMEF, so we extend IDMEF to support audit data reports, detection rule distribution, response instructions, and cooperative analysis within the system.

This thesis describes in detail the whole process by which sensors detect anomalous events in the network, collect audit data, report to their superior analyzer, and execute response instructions; and the process by which analyzers mine audit data, synthesize information from sensors, cooperate with other analyzers, and make a distributed response to attacks. Finally, we put forward a feasible detection and response scenario for Distributed Denial-of-Service (DDoS) attacks in our system.
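As an added illustration of the sensor-to-analyzer reporting described above (example code written for this page, not the thesis's own implementation), the following builds IDMEF 1.0 Alert messages as sensors would emit them and has the domain analyzer parse and correlate them. The correlation rule (distinct sources seen against one target, across any sensors in the domain) and the threshold of three sources are assumptions chosen for the illustration, not the thesis's DDoS scenario.

```python
# Added example (not from the thesis): sensors in one domain emit IDMEF 1.0
# Alert messages (element structure per RFC 4765), and the domain analyzer
# parses and correlates them. The correlation rule and threshold below are
# assumptions for illustration, not the thesis's own detection logic.
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = "http://iana.org/idmef"  # IDMEF 1.0 XML namespace
ET.register_namespace("idmef", NS)

def sensor_alert(sensor_id, msg_id, src_ip, dst_ip, classification):
    """Build one IDMEF Alert as a sensor would report it to its analyzer."""
    root = ET.Element(f"{{{NS}}}IDMEF-Message", version="1.0")
    alert = ET.SubElement(root, f"{{{NS}}}Alert", messageid=msg_id)
    ET.SubElement(alert, f"{{{NS}}}Analyzer", analyzerid=sensor_id)
    # Constructed timestamp; a real sensor fills in its own clock value.
    ET.SubElement(alert, f"{{{NS}}}CreateTime",
                  ntpstamp="0xbc723b45.0xef449129").text = "2000-03-09T10:01:25.93464Z"
    for tag, ip in (("Source", src_ip), ("Target", dst_ip)):
        node = ET.SubElement(ET.SubElement(alert, f"{{{NS}}}{tag}"), f"{{{NS}}}Node")
        addr = ET.SubElement(node, f"{{{NS}}}Address", category="ipv4-addr")
        ET.SubElement(addr, f"{{{NS}}}address").text = ip
    ET.SubElement(alert, f"{{{NS}}}Classification", text=classification)
    return ET.tostring(root, encoding="unicode")

def parse_alert(xml_text):
    """Analyzer side: extract (sensor, source, target, classification)."""
    alert = ET.fromstring(xml_text).find(f"{{{NS}}}Alert")
    def ip(section):
        path = f"{{{NS}}}{section}/{{{NS}}}Node/{{{NS}}}Address/{{{NS}}}address"
        return alert.find(path).text
    return (alert.find(f"{{{NS}}}Analyzer").get("analyzerid"), ip("Source"),
            ip("Target"), alert.find(f"{{{NS}}}Classification").get("text"))

def correlate(messages, min_sources=3):
    """Group alerts by target and flag targets hit by >= min_sources distinct
    sources, regardless of which sensor in the domain observed them."""
    by_target = defaultdict(set)
    for m in messages:
        _, src, dst, _ = parse_alert(m)
        by_target[dst].add(src)
    return {dst: sorted(s) for dst, s in by_target.items() if len(s) >= min_sources}

# Constructed sample: two sensors in one domain report a flood against 10.0.0.5
# from three sources, plus one unrelated scan alert against another host.
SAMPLE = [
    sensor_alert("sensor-a", "a-1", "203.0.113.1", "10.0.0.5", "SYN flood"),
    sensor_alert("sensor-a", "a-2", "203.0.113.2", "10.0.0.5", "SYN flood"),
    sensor_alert("sensor-b", "b-1", "198.51.100.7", "10.0.0.5", "SYN flood"),
    sensor_alert("sensor-b", "b-2", "198.51.100.9", "10.0.0.20", "port scan"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE))  # {'10.0.0.5': ['198.51.100.7', '203.0.113.1', '203.0.113.2']}
```

Only the flooded target is reported, because the per-sensor view (two sources at sensor-a, one at sensor-b) stays below the threshold until the analyzer merges both sensors' alerts.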
Keywords/Search Tags: Distributed Intrusion Detection, Hierarchical Cooperation Model, Data Mining, Message Exchange Format, Distributed Denial-of-Service