Intrusion Detection System Data Collector Model Based On Sampling Technology

Posted on: 2005-05-08
Degree: Master
Type: Thesis
Country: China
Candidate: B Li
GTID: 2168360125450933
Subject: Computer system architecture
Abstract/Summary:
As network applications have developed rapidly, they have drawn more and more attention. Large-scale distributed intrusion detection systems have already been implemented, but two questions remain: 1. whether these systems can actually detect intrusions; 2. whether they perform well under heavy background traffic. These are therefore the two factors we focus on when evaluating an IDS.

First, this paper gives a short introduction to two kinds of IDS, including their algorithms and implementation. Next, it proposes a new kind of IDS data collector model and reports the tests we carried out to verify it.

In designing the data collector, we briefly studied the traditional IDS data collector and concluded that it wastes bandwidth and is inefficient. We therefore propose an "active packet discarding" method based on sampling technology. Because it is impossible to inspect all the traffic on a backbone network, we give a possible model to solve this hard problem. The model has four parts: basic terms and definitions; the equal-probability simple random sampling data collector standard satisfied curve; the definition of detection precision; and verification.

For convenience in constructing the model, we first define the basic concepts that the definitions need. We then use sampling technology, probability theory and the mathematical expectation formula to derive the equal-probability simple random sampling data collector standard satisfied curve. On this basis we extend the result and give the equal-probability simple random sampling data collector satisfied curve. This model is the mathematical basis of our data collector.

Having obtained the equal-probability simple random sampling data collector standard satisfied curve, we study the error range. We also give some parameters, which are important guidelines for evaluating the error range of our model.

Finally, we discuss the model qualitatively and quantitatively and give the formula for computing the number that detection requires. The formula has two branches: 1. when attack traffic is a large portion of all traffic, the simple random sampling data collector standard satisfied curve model is used; 2. when attack traffic is a small portion of all traffic, the rare event model is used to compute the number.

We ran our tests according to the model's requirements, and the results agree with what the model led us to expect. The model gives a fitting explanation for the so-called "strange thing" that Beijing Venustech Co., Ltd encountered: when many packets are discarded, detection capability does not fall.
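The two-branch calculation described above can be illustrated with textbook sampling statistics. This is an added example, not the thesis's own formulas (the abstract does not give them): it assumes "the number that detection requires" means the smallest sample that contains at least one attack packet with a chosen confidence, computed exactly for simple random sampling without replacement (hypergeometric) and with the Poisson rare-event approximation. All function names and traffic figures are constructed.

```python
import math

def miss_probability(total, attack, sample):
    """P(a simple random sample, drawn without replacement, holds no attack packet)."""
    if not 0 < attack <= total or not 0 <= sample <= total:
        raise ValueError("need 0 < attack <= total and 0 <= sample <= total")
    if sample > total - attack:
        return 0.0  # more packets kept than there are benign packets
    # Hypergeometric P(X = 0) = C(total-attack, sample) / C(total, sample),
    # evaluated as a product over the smaller of the two counts.
    small, large = sorted((attack, sample))
    p = 1.0
    for i in range(small):
        p *= (total - large - i) / (total - i)
    return p

def detection_probability(total, attack, sample):
    """P(the sample holds at least one attack packet)."""
    return 1.0 - miss_probability(total, attack, sample)

def exact_sample_size(total, attack, confidence):
    """Smallest sample with detection_probability >= confidence (binary search)."""
    lo, hi = 0, total - attack + 1
    while lo < hi:
        mid = (lo + hi) // 2
        if detection_probability(total, attack, mid) >= confidence:
            hi = mid
        else:
            lo = mid + 1
    return lo

def rare_event_sample_size(total, attack, confidence):
    """Poisson approximation: attack packets in the sample ~ Poisson(sample*attack/total)."""
    return math.ceil(-math.log(1.0 - confidence) * total / attack)

if __name__ == "__main__":
    N = 1_000_000  # constructed traffic volume, in packets
    # Large attack share (20%) versus rare attack traffic (0.01%).
    for attack, conf in ((200_000, 0.99), (100, 0.95)):
        print(attack, exact_sample_size(N, attack, conf),
              rare_event_sample_size(N, attack, conf))
    # Keeping only 1% of the packets still catches a 500-packet attack.
    print(round(detection_probability(N, 500, 10_000), 4))
```

With rare attack traffic the two sample sizes nearly coincide, while at a 20% attack share the Poisson figure overshoots the exact one, which is why the two cases are handled separately.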
Keywords/Search Tags: Technology