
Design And Implementation A New CIDF-based IDS

Posted on: 2006-10-07
Degree: Master
Type: Thesis
Country: China
Candidate: M W Zhang
GTID: 2168360155953031
Subject: Computer application technology

Abstract/Summary:
With the rapid development of Internet technology, network structures have become increasingly complex, and network security has become both more important and more difficult. Intrusion detection (ID) is the discovery of intrusion behaviour: by collecting and analysing information from key nodes of the network or host system, it uncovers insecure behaviour and evidence of attacks. An intrusion detection system (IDS) is the combination of detection software and hardware that performs this task. It can not only detect misuse and attacks originating inside or outside the network and cover the gap left by a firewall, but can also be combined with other network-security products to protect the network as a whole. It is active and operates in real time, which makes it an important and useful complement to the firewall.

Current IDS products have a number of shortcomings: high false-positive and false-negative rates, a single analysis method, no assurance of their own security, and poor performance on high-speed networks. After surveying today's IDS, this thesis tries to address these problems by proposing a new IDS based on an improved CIDF (Common Intrusion Detection Framework). It consists of six modules: event generators, event analysers, event databases, response units, an intrusion tolerance module, and a control centre. In a small network the event generators, event analysers and the other modules are normally placed on the same host to improve response speed; in a large network they are distributed over different nodes and cooperate with each other.

The new IDS improves its intrusion tolerance by adding an intrusion tolerance module to the CIDF structure. The module consists of a trigger sub-module, a data-backup sub-module and a data-recovery sub-module. First, the intrusion tolerance module backs up the event analysers' rule library, the response units' response strategies, the key data of the event databases, the host's key files and similar assets into the data-backup sub-module. Second, the trigger sub-module monitors these assets on the host; if any of them is being attacked or destroyed, it notifies the data-backup sub-module immediately. Finally, once notified by the data-backup sub-module, the data-recovery sub-module restores the attacked or destroyed data and the lost functionality. This keeps the IDS providing normal service even while it is itself under attack.

The primary function of the event generators is to gather information from the network and the host system, including packets and logs, and to send this information to...
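The intrusion tolerance module described above (backup, trigger, recovery) is easy to misread as a plain file backup; the security-relevant point is that the IDS monitors its own rule library and response policies for tampering and restores them automatically. The following is an added example written for this page, not the thesis author's code: a minimal module that snapshots the protected assets with a keyed digest, detects modification or deletion, and restores from the snapshot. The asset names, file contents and the key are constructed assumptions.

```python
"""Added example: a minimal intrusion-tolerance module for a CIDF-style IDS.

Three sub-modules mirror the abstract:
  - data-backup : snapshot the protected IDS assets and record a keyed digest
  - trigger     : re-digest the live copies and report modified/deleted assets
  - recovery    : restore every reported asset from the snapshot

Illustrative code for this page, not the thesis implementation. Asset names,
file contents and BACKUP_KEY are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import shutil
import tempfile
from pathlib import Path

# Assumption: in a real deployment this key lives off the monitored host, so an
# attacker who rewrites an asset cannot also forge its expected digest.
BACKUP_KEY = b"example-key-replace-me"


def _digest(data: bytes) -> str:
    # HMAC-SHA256 over the asset bytes; keyed so a forged manifest entry needs the key.
    return hmac.new(BACKUP_KEY, data, hashlib.sha256).hexdigest()


class IntrusionToleranceModule:
    def __init__(self, protected: dict[str, Path], backup_dir: Path):
        self.protected = protected          # asset name -> live path
        self.backup_dir = backup_dir        # where the data-backup sub-module keeps copies
        self.manifest: dict[str, str] = {}  # asset name -> expected digest

    def backup(self) -> dict[str, str]:
        """data-backup sub-module: copy each asset and record its digest."""
        self.backup_dir.mkdir(parents=True, exist_ok=True)
        for name, path in self.protected.items():
            data = path.read_bytes()
            (self.backup_dir / name).write_bytes(data)
            self.manifest[name] = _digest(data)
        return dict(self.manifest)

    def check(self) -> dict[str, str]:
        """trigger sub-module: report assets that no longer match the manifest."""
        findings: dict[str, str] = {}
        for name, path in self.protected.items():
            if not path.exists():
                findings[name] = "deleted"
            elif not hmac.compare_digest(_digest(path.read_bytes()), self.manifest[name]):
                findings[name] = "modified"
        return findings

    def recover(self, findings: dict[str, str]) -> list[str]:
        """recovery sub-module: restore every reported asset from the backup."""
        restored = []
        for name in findings:
            shutil.copyfile(self.backup_dir / name, self.protected[name])
            restored.append(name)
        return sorted(restored)

    def cycle(self) -> tuple[dict[str, str], list[str]]:
        """One trigger -> recovery round; returns (findings, restored assets)."""
        findings = self.check()
        return findings, self.recover(findings) if findings else []


def demo() -> dict:
    """Run the attack-and-recover scenario in a temp dir; returns results for checking."""
    root = Path(tempfile.mkdtemp())
    rules = root / "rules.txt"          # the event analysers' rule library (constructed)
    responses = root / "responses.txt"  # the response units' strategies (constructed)
    rules.write_text('alert tcp any any -> any 23 (msg:"telnet login";)\n')
    responses.write_text("telnet login: block source address\n")

    itm = IntrusionToleranceModule({"rules": rules, "responses": responses}, root / "backup")
    itm.backup()
    clean = itm.check()                 # nothing tampered yet -> {}

    # Simulated attacker disabling the IDS: blank the rules, delete the response policy.
    rules.write_text("")
    responses.unlink()

    findings, restored = itm.cycle()
    return {
        "clean": clean,
        "findings": findings,
        "restored": restored,
        "after": itm.check(),
        "rules_restored": rules.read_text().startswith("alert tcp"),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add: the backup directory and the key must sit outside the blast radius of the host being monitored (a local directory, as in this demo, falls with the host), and the trigger only catches changes to assets it was told about, so the protected set should include the IDS binaries and configuration, not just rules and policies.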
Keywords/Search Tags: Implementation