
The Research Of Network Intrusion Detection And Active Response Policy

Posted on: 2006-07-13
Degree: Master
Type: Thesis
Country: China
Candidate: J Zhou
Full Text: PDF
GTID: 2168360152988784
Subject: Computer application technology
Abstract/Summary:
Computer networks have played an important role in the rapid, global spread of information technology. As people rely on computer networks more and more, network security problems become more serious, and malicious attacks and security incidents of every kind emerge in an endless stream. Intrusion detection, an important means of security protection, offers the ability to detect intrusion attempts, behaviour and results in time. Intrusion response can limit, block and eradicate the damage of an intrusion according to the detected results. Intrusion detection systems are already quite mature and many outstanding products have appeared, but research on intrusion response is still relatively limited. Having consulted a large number of documents and built on the outstanding achievements of others, we composed this thesis on active response policy and automatic response based on intrusion detection. First, the relevant theories and technologies of intrusion detection are discussed, including the basic concepts, detection models, common classifications, and the principles and techniques of anomaly detection and misuse detection; the advantages and shortcomings of these technologies are then discussed. Additionally, the application of network intrusion detection systems in practice is explained. The next focus is research on intrusion response. In this chapter, we introduce the relevant concepts of passive response and active response, analyze common active response technology, discuss the characteristics and limitations of automatic response technology, put forward corresponding suggestions for improvement, and analyze response cost.
Intrusion event classification is the foundation of intrusion response. In this thesis we also discuss methods of categorising intrusion events and propose a multi-dimensional, response-oriented intrusion event classification model based on incident response methodology. The model uses time, attack technology, weakness type, attack result and attack object to describe an intrusion event. We then combine this model with the response cost method to build a response policy-making model. Finally, we implement an automatic intrusion response system based on Linux. Unlike the passive monitoring mechanism of a traditional IDS, this system can intercept packets in real time, detect intrusions, and then respond according to the results of intrusion detection and cost analysis. The system realizes packet filtering and response cost analysis with respect to the object that should be protected. It is built on the Linux bridge, the Netfilter framework and the Snort detection engine: the Linux bridge forwards data between the home network and the extranet, Netfilter submits the original data to the detection engine and executes the response action, and the detection engine inspects the packets. The whole system includes four modules: the data capture module, detection module, response module and management module. The development environment is RedHat Linux 9.0, C, Libipq, Libnet and Libpcap. With the support of the Snort detection engine and the Netfilter framework, the system basically achieves intrusion isolation at the datagram level.
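The response policy-making model described above, as an added example that is not part of the thesis or its code: a Python model of the response module's decision step. It assumes that the detection module (Snort, in the thesis) has already classified a packet into an intrusion event along the five dimensions named above, and it chooses between passive alerting, dropping the packet and blocking the source by comparing the expected damage against the cost of each response, returning a Netfilter-style verdict for the packet. All asset values, weights, cost tables, the block-expiry window and the sample events are constructed assumptions, not figures from the thesis.

```python
"""Cost-based response policy-maker (added example, not the thesis's code).

An intrusion event carries the five dimensions of the classification model
(time, attack technology, weakness type, attack result, attack object).
The response module estimates the damage the event would cause to the
protected object and picks the response with the best net benefit
(prevented damage minus the cost of responding).
"""
from dataclasses import dataclass
from enum import Enum


class Response(Enum):
    ALERT_ONLY = "alert"            # passive: log and notify, let the packet through
    DROP_PACKET = "drop"            # active: NF_DROP verdict on this packet only
    BLOCK_SOURCE = "block_source"   # active: drop everything from the source for a while


@dataclass(frozen=True)
class IntrusionEvent:
    time: float        # seconds (e.g. system uptime when the packet was captured)
    technique: str     # attack technology, e.g. "port_scan", "buffer_overflow"
    weakness: str      # weakness type of the target, e.g. "unpatched_service"
    result: str        # attack result, "attempt" or "success"
    target: str        # attack object: the protected asset, e.g. "dmz_web"
    src_ip: str        # source of the packet, needed for BLOCK_SOURCE


# --- constructed cost tables (assumptions; a real deployment derives these from
# --- the protected objects' actual value) --------------------------------------
ASSET_VALUE = {"dmz_web": 50.0, "mail": 30.0, "workstation": 10.0}
RESULT_WEIGHT = {"attempt": 0.2, "success": 1.0}
TECHNIQUE_WEIGHT = {"benign": 0.0, "port_scan": 0.2,
                    "sql_injection": 0.8, "buffer_overflow": 0.9}
# operational cost of each response, including the cost of acting on a false positive
RESPONSE_COST = {Response.ALERT_ONLY: 0.0, Response.DROP_PACKET: 5.0,
                 Response.BLOCK_SOURCE: 20.0}
# fraction of the expected damage each response is assumed to avert
PREVENT_FRACTION = {Response.ALERT_ONLY: 0.0, Response.DROP_PACKET: 0.6,
                    Response.BLOCK_SOURCE: 0.95}


def damage_cost(ev: IntrusionEvent) -> float:
    """Expected damage if the event is left unanswered (asset value x severity)."""
    return (ASSET_VALUE.get(ev.target, 5.0)
            * RESULT_WEIGHT.get(ev.result, 0.5)
            * TECHNIQUE_WEIGHT.get(ev.technique, 0.5))


def choose_response(ev: IntrusionEvent) -> Response:
    """Return the response with the highest net benefit.

    ALERT_ONLY is the baseline (net benefit 0). A more intrusive response is
    chosen only if the damage it prevents exceeds its own cost; ties go to
    the less intrusive option, which keeps false positives cheap.
    """
    damage = damage_cost(ev)
    best, best_net = Response.ALERT_ONLY, 0.0
    for r in (Response.DROP_PACKET, Response.BLOCK_SOURCE):
        net = damage * PREVENT_FRACTION[r] - RESPONSE_COST[r]
        if net > best_net:
            best, best_net = r, net
    return best


class ResponseEngine:
    """Turns classified events into per-packet verdicts, remembering blocked sources."""

    def __init__(self, block_seconds: float = 600.0):
        self.block_seconds = block_seconds
        self.blocked = {}   # src_ip -> time at which the block expires
        self.log = []       # (src_ip, technique, Response) for the management module

    def handle(self, ev: IntrusionEvent) -> str:
        """Return the verdict ("NF_ACCEPT" / "NF_DROP") for the packet behind ev."""
        expiry = self.blocked.get(ev.src_ip)
        if expiry is not None:
            if ev.time < expiry:
                return "NF_DROP"          # source still blocked: no re-analysis needed
            del self.blocked[ev.src_ip]   # block expired: fall through to normal handling
        if damage_cost(ev) == 0.0:
            return "NF_ACCEPT"            # benign traffic: nothing to respond to
        response = choose_response(ev)
        self.log.append((ev.src_ip, ev.technique, response))
        if response is Response.BLOCK_SOURCE:
            self.blocked[ev.src_ip] = ev.time + self.block_seconds
        return "NF_ACCEPT" if response is Response.ALERT_ONLY else "NF_DROP"


if __name__ == "__main__":
    # constructed sample events
    engine = ResponseEngine()
    scan = IntrusionEvent(100.0, "port_scan", "none", "attempt", "workstation", "198.51.100.7")
    bof = IntrusionEvent(101.0, "buffer_overflow", "unpatched_service", "success", "dmz_web", "203.0.113.9")
    for ev in (scan, bof):
        print(ev.technique, "->", choose_response(ev).value, "verdict", engine.handle(ev))
```

The engine drops further packets from a blocked source without re-running detection, and the block expires after a fixed window so that a false positive does not cut a host off indefinitely; the cost tables are the knobs that the thesis's response cost analysis would fill in from the value of the protected objects.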
Keywords/Search Tags: Intrusion detection, Active response, Response policy, Automatic response system