
Research On Distributed Intrusion Detection System Architecture

Posted on: 2005-07-27
Degree: Master
Type: Thesis
Country: China
Candidate: X M Li
Full Text: PDF
GTID: 2168360122480270
Subject: Computer software and theory
Abstract/Summary:
Intrusion detection is an important research area in network security. As networks grow in scale and attack methods become distributed, distributed intrusion detection has become a research focus. This thesis studies the architecture of distributed intrusion detection systems, with the aim of building a prototype distributed intrusion detection system for a large-scale network. Much of the work concentrates on the communication mechanism between system components.

After introducing intrusion detection technology and the communication mechanism, the thesis surveys current research on distributed intrusion detection systems and analyzes the essential architectural components of distributed intrusion detection. The advantages and disadvantages of representative prototype systems are compared. Based on an event notification service that adopts a content-based communication mechanism, a peer-to-peer distributed intrusion detection system model is proposed. For message content types, the IDMEF data model is extended to define the types required. A simple data definition model is provided to combine the communication mechanism with the IDMEF data definition. A distributed intrusion detection prototype system is implemented, and a detection and response approach for distributed denial of service using this system is provided.
Keywords/Search Tags:Distributed Intrusion Detection, Communication, Mechanism, Content-based Message Forwarding, Message Contents Type