Tree-like Hierarchical Management Model And Protocol Flow Analysis In Cooperative Intrusion Prevention System

Posted on: 2005-01-03
Degree: Master
Type: Thesis
Country: China
Candidate: C J Yi
Full Text: PDF
GTID: 2168360152969248
Subject: Computer software and theory
Abstract/Summary:
As the number of security nodes grows, a distributed network security system becomes harder to manage. When each node controls its own security policy, the probability of conflicts between nodes increases, and a single administrator becomes both the bottleneck and a single point of failure of the system. At the same time, when faced with high-speed network traffic, the low detection efficiency and high false alarm rate of present IDSs (Intrusion Detection Systems) cannot guarantee accurate intrusion detection.

To solve these problems, a novel model, THMM (Tree-like Hierarchical Management Model), is introduced into CIPS (Cooperative Intrusion Prevention System) to manage all the MSS (Micro Security System) instances on each node of the protected network. In addition, PFA (Protocol Flow Analysis) is created to increase intrusion detection efficiency and accuracy.

In THMM, the network protected by CIPS is logically divided into several domains. An MSS runs on each node of these domains. Each domain has its own SA (Security Administrator), and THMM manages all of the domains through communication among these SAs. THMM validates the nodes of a domain with a self-authentication mechanism, which prevents protected nodes from being detached from the domain through sabotage by a malicious user and improves the security of the system. A dynamic intrusion response mechanism handles an intrusion into a domain in real time and announces it to the other nodes of all the domains, which prevents the same damage to other nodes.

PFA-IDS (Protocol Flow Analysis-Intrusion Detection System) primarily performs the following functions:
(1) It collects network data flow through the network sniffer module, which supplies the data source for intrusion analysis.
(2) By configuring the detection rule list, it builds an intrusion detection rule set based on pattern matching.
(3) By analyzing data packets, it processes them and detects intrusions at the network layer and the transport layer.
(4) It analyzes application-layer protocol data based on protocol flow. Based on an analysis of the characteristics of network flow, PFA-IDS is implemented to detect attack actions at the application layer.
(5) It reports intrusions to the administrator by logging alert messages. The administrator responds to them and performs correlation analysis to detect cooperative intrusion actions.
Keywords/Search Tags:Network security, Cooperative Intrusion, Tree-like Hierarchical Management, Protocol Flow