
A Session Oriented Intrusion Detection Model

Posted on: 2005-11-17
Degree: Master
Type: Thesis
Country: China
Candidate: P Yu
Full Text: PDF
GTID: 2168360152466800
Subject: Computer system architecture
Abstract/Summary:
With the development of computer networks and the Internet, researchers are paying more and more attention to network security. Increasing illegal intrusion behaviors in the network are heavily affecting network performance and threatening individual privacy. Against this application background, the Intrusion Detection System (IDS), which identifies behaviors that attempt to breach the boundary of a protected network and provides the ability to respond, began to develop rapidly.

Recently, with the development of network technology and the release of a great volume of freeware, intruders have also intensified their own study of IDS. Attacking technology has developed rapidly. In scale, it has moved from individual attacks to large-scale, organized and distributed intrusion. In methods and tools, attacks have become stealthier and more destructive. In frequency, attack events have grown at an exponential rate. Under this background, this thesis researches the building of a session oriented intrusion detection model and applies it to the Monster3.0 system, an IPS (Intrusion Prevention System) with intrusion detection, intrusion response and firewall capabilities.

Firstly, this thesis addresses and analyzes current misuse detection technology. Combined with the demands of the application, it presents the basic concepts and principles of a session and puts forward a session oriented detection model consisting of two steps: reconstructing the TCP session from network packets, and analyzing the session for intrusion signatures. The reconstruction algorithm collects packets from the network, extracts the TCP four-tuple (source address, source port, destination address and destination port), and reconstructs the session according to it. Then, based on the TCP layer and the layers above it, the algorithm divides the course of the session into sentences.

Considering the performance of the IDS, the network behavior of session streams is studied and the cost to the system is evaluated.

Aiming to reduce false positives and false negatives, this thesis builds a detection model that analyzes both the internal structure of a sentence and the relationships among sentences. The detection model first puts forward a basic pattern match model, and then derives the model from its three components: the pattern string, the text, and the pattern match algorithm. The relationship among sentences is analyzed by constructing a protocol automaton. The detection model also discusses the design of the rules and their compilation.

How to integrate the session oriented detection model into the Monster3.0 system is discussed in a later chapter. The detection module in Monster provides three different granularities of detection. By constructing a system architecture frame, the session analyzer is integrated into the Monster3.0 system.

In the final part of this thesis, a brief summary is given which lists the results of the research work, its deficiencies, and directions for further research. The session oriented intrusion detection model is based on the current detection system and extends its functionality and ability in the aspects of the detection object, the expression of signatures and the method of pattern matching. By doing so, it enriches the detection ability of the Monster system, raises its monitoring and safeguarding ability to a higher level, and provides a base for further research in fields such as session-based intrusion detection systems and network behavior.
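As an added illustration (not code from the thesis or the Monster3.0 system), the following Python sketch walks through the two steps the abstract describes: packets are grouped by the TCP four-tuple and reassembled into a session, the session is split into sentences, and each sentence is then checked against pattern strings while a protocol automaton checks the relationship between consecutive sentences. The SMTP command automaton, the VRFY signature and the sample packets are constructed assumptions for the example.

```python
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "src sport dst dport seq payload")  # one TCP segment

def session_key(p):
    # Normalize the 4-tuple so both directions map onto one session.
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def reconstruct_sessions(packets):
    """Group segments by 4-tuple, then reassemble each direction in seq order."""
    grouped = defaultdict(lambda: defaultdict(list))
    for p in packets:
        grouped[session_key(p)][(p.src, p.sport)].append(p)
    return {key: {d: b"".join(q.payload for q in sorted(pk, key=lambda q: q.seq))
                  for d, pk in dirs.items()} for key, dirs in grouped.items()}

def split_sentences(stream):
    # Application-layer split: for line-oriented SMTP, one CRLF-terminated line.
    return [s.decode(errors="replace") for s in stream.split(b"\r\n") if s]

SIGNATURES = {"VRFY": "smtp user enumeration probe"}  # constructed pattern string
SMTP_AUTOMATON = {  # simplified automaton over the SMTP mail-transaction commands
    "INIT": {"HELO": "GREETED", "EHLO": "GREETED"}, "GREETED": {"MAIL": "MAIL"},
    "MAIL": {"RCPT": "RCPT"}, "RCPT": {"RCPT": "RCPT", "DATA": "DATA"}}
TRACKED = {v for trans in SMTP_AUTOMATON.values() for v in trans}

def analyze_session(sentences):
    """Pattern match inside each sentence; the automaton checks order across them."""
    alerts, state = [], "INIT"
    for s in sentences:
        verb = s.split(" ", 1)[0].upper()
        alerts += [f"{name}: {s}" for pat, name in SIGNATURES.items() if pat in s]
        if verb in TRACKED:  # commands outside the automaton's alphabet are ignored
            nxt = SMTP_AUTOMATON[state].get(verb)
            if nxt is None:
                alerts.append(f"protocol violation: {verb} in state {state}")
            else:
                state = nxt
    return alerts

def demo():
    client, server = ("10.0.0.5", 40000), ("10.0.0.9", 25)  # constructed sample
    pkts = [  # client segments arrive out of order; reassembly must sort them
        Packet(*client, *server, 9, b"MAIL FROM:<a@x>\r\n"),
        Packet(*client, *server, 1, b"HELO x\r\n"),
        Packet(*client, *server, 26, b"VRFY root\r\nDATA\r\n"),
        Packet(*server, *client, 1, b"220 ready\r\n")]
    streams = reconstruct_sessions(pkts)[session_key(pkts[0])]
    return analyze_session(split_sentences(streams[client]))
```

The DATA sentence is reported not because of its content but because it follows MAIL without any RCPT, which is the inter-sentence relationship the automaton captures.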
Keywords/Search Tags: Network Security, Intrusion Detection System (IDS), session, sentence, protocol analysis, Intrusion Prevention System (IPS), automaton