
Design And Implementation Of A Distributed Intrusion Detection System For Campus Network

Posted on: 2005-01-16
Degree: Master
Type: Thesis
Country: China
Candidate: S Q Wen
GTID: 2168360152967700
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of the Internet, the security problems of computer systems and networks are becoming more and more serious. Attack tools of many kinds can now be downloaded from the Internet, and new intrusion methods appear continuously, which makes network attacks easier to carry out. Malicious Mobile Code (MMC) in particular, such as Internet worms, has paralysed the Internet on a global scale many times. Intrusion detection technology is an important component of the network security architecture, and the urgent need for intrusion detection systems has made the related research a hot topic in the network security field. This paper first introduces the concept, classification and history of intrusion detection technology and summarizes its present situation and development trends. Then, in view of the intrusion detection requirements of a campus network, it designs and implements a distributed intrusion detection system for campus networks. The system collects information through Monitor Agents (MA) on network nodes, combines the data on a Statistical Server (SS), and finally completes the analysis on a Manage Server (MS), which sends alert messages to administrators.

The system has three functions: misuse detection, anomaly detection, and attack source traceback. Misuse detection focuses on intrusions whose characteristics are already known, such as viruses and worms. It implements data combination and statistical analysis based on the Snort software, and it automatically updates the sensors' intrusion signatures through the Intrusion Signature Exchange Protocol (ISEP). Anomaly detection collects and analyses traffic data from many MAs, and the SS then detects anomaly signatures. To detect new, unknown worms, we designed and implemented a detection algorithm for Internet worm outbreaks. This algorithm can find anomalies in the early stage of a worm outbreak according to the rate of change in network traffic, which gives network administrators and emergency response teams more time to respond before the network becomes blocked. To counter Distributed Denial of Service (DDoS) attacks that use fake source addresses, the system also contains an attack source traceback subsystem, which can locate the attacker's real position when an intrusion occurs.

The system has been partially tested on the Tsinghua University campus network and achieved the anticipated results.
Keywords/Search Tags: Network Security, Intrusion Detection, Worm, DDoS, Traceback