
MLSI-Based Multi-Host Intrusion Detection System

Posted on: 2005-12-18
Degree: Master
Type: Thesis
Country: China
Candidate: R P Tang
Full Text: PDF
GTID: 2168360122498379
Subject: Computer application technology

Abstract/Summary:
With the development of the Internet and the continuous growth in the variety and importance of network-based applications, ensuring the security of computer systems has become increasingly essential and challenging. Many static security technologies, such as firewalls and data cryptography, are now mature. However, they still cannot meet the requirement of detecting an intrusion at an early stage and preventing attacks by crackers. Intrusion detection watches computer and network resources for malicious activity. It detects not only intrusions from the outside but also unauthorized actions by intranet users, and it has therefore become a hot topic in network security.

Based on an analysis of attack mechanisms, this paper adopts the definition of MLSI, which was proposed by Japanese researchers, to build an MLSI-based multi-host intrusion detection system. When detecting intrusions, the system needs only a few MLSIs instead of the hundreds of attack signatures that other IDSs use, so it can solve some of the problems of current IDSs.

Based on a detailed analysis of the method proposed by Forrest et al., this paper introduces an improved metric, called the event counter, to perform anomaly detection. The system first checks the audit log for MLSIs and then compares the suspicious sequence with those in the database to determine whether an intrusion has occurred. This improves the efficiency and accuracy of detection and reduces the load on the host.

Finally, a prototype system is built and experiments examining the efficiency of the anomaly detection method are presented. Theoretical analysis and the experimental results show that MLSI can effectively identify intrusions and that the method can greatly reduce the overhead on the host. Together these show that the MLSI-based multi-host intrusion detection system and the improved anomaly detection method proposed in this paper are effective and feasible.
Keywords/Search Tags: network security, intrusion detection, MLSI, system call, sequence analysis