
The Distributed Intrusion Detection System Design And Realization

Posted on: 2006-03-02
Degree: Master
Type: Thesis
Country: China
Candidate: Y K Yin
Full Text: PDF
GTID: 2168360155953063
Subject: Computer application technology

Abstract/Summary:
In recent years, with the rapid development of Internet technology, network security has become an issue of the first importance. The Intrusion Detection System (IDS), an important complement to the firewall, has developed quickly. An IDS collects data on key network parameters and then examines those data to determine whether there is any evidence of behaviour that violates the security policy. With the help of an IDS, a computer can be protected against attacks from inside or outside as well as against faulty operation. There are two main kinds of IDS: the Host-Based Intrusion Detection System (HIDS) and the Network-Based Intrusion Detection System (NIDS). From the analysis of HIDS and NIDS it can be seen that each has its own advantages and that the two complement each other well in some respects. An intrusion detection system that combines the two draws on the strengths of each and remedies the insufficiencies of each, giving an optimized design. Such a system is usually of distributed structure, made up of many components, and can analyze audit data from the host systems and traffic data from the network at the same time. The distributed IDS will be the focal point of future research; it is a relatively complete system structure.
It offers the best countermeasure for realizing the security policy in an increasingly complicated network environment. Compared with a traditional intrusion detection system, a distributed intrusion detection system has many advantages: a distributed IDS performs detection at many points against different data sources, adopts different detection algorithms, detects jointly and processes cooperatively, which improves detection accuracy; a distributed IDS can be used in a wide-area network environment; a distributed IDS may use special mechanisms to process and audit data securely, helping the system to produce intrusion detection rules and anomaly detection models; a distributed IDS analyzes the behaviour at many control points in coordination and can thereby detect distributed, coordinated attacks; and a detection made by a distributed IDS at one control point can be regarded as an early warning for the other check points. The detection system developed in this thesis adopts a component-based, distributed intrusion detection structure. Its main components are: the network engine, the host agent, the memory (storage) system, the analysis system, the response system and the console. The network engine intercepts and captures raw packets on the network and searches them for possible intrusion information or other sensitive information. The host agent collects information on the host by various methods: analyzing logs, monitoring user behaviour, analyzing system calls, analyzing the host's network communication, etc. Both of these components have a data analysis function of their own: for known attacks, detection by the pattern-matching method within these components can greatly improve the processing speed of the system and reduce the analysis workload and the network transmission between components.
The function of the memory system is to store important data, such as the raw data captured by the event generators and the analysis results. The stored raw data provide conclusive evidence for pursuing legal sanctions against intruders. The memory system is also the shared database through which the different components exchange data, supplying each component with the data it is interested in. Therefore the memory system should offer flexible data maintenance, processing and query services, and at the same time it is a secure logging system. The analysis system analyzes and processes, in a unified way, the raw event information captured by the event generators and other suspicious intrusion information supplied by the detection system. The analysis system concentrates on high-level analysis methods, for instance statistics-based analysis and neural-network-based analysis, and is also responsible for detecting distributed attacks. The analysis system is the brain of the whole intrusion detection system, and the analysis method is its thinking ability. Each kind of analysis method has its own advantages and deficiencies, so the analysis method of the system should be changeable dynamically, and many kinds of algorithm should be able to coexist. The response system is the subsystem that takes the corresponding measures against confirmed intrusion behaviour. Responses include passive measures, such as sending e-mail, messages or telephone notifications to the administrator. It can also take protective measures, such as cutting off the intruder's TCP connections or revising the access control policy of the router. It can also adopt active reaction tactics, for instance carrying out DoS attacks against the attacker, but this kind of fighting-poison-with-poison method is not legally permitted. The console is the interface between the system and its users. Users can configure...
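The abstract describes six components but not how they fit together in practice. The following Python sketch is an added example, not code from the thesis: it models a network engine and a host agent that do local signature matching, a shared storage system with a query service, an analysis system in which several algorithms coexist (a per-host threshold analyzer and a cross-sensor correlation analyzer for coordinated attacks), and a response system that chooses between a passive notification and a protective router change. The signature table, the log format, every address and every component name are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    sensor: str   # component that produced it (network engine or host agent)
    source: str   # address reported by the sensor; all addresses here are constructed
    kind: str     # signature name matched locally at the sensor
    time: int     # seconds since the start of the constructed trace


# --- sensors: pattern matching happens here, so only alerts travel to the center ---
class NetworkEngine:
    """Matches captured packets against a local signature table (assumed, not the thesis's)."""
    SIGNATURES = {("tcp", 23): "telnet_probe", ("tcp", 445): "smb_probe"}

    def __init__(self, name):
        self.name = name

    def inspect(self, packet):
        kind = self.SIGNATURES.get((packet["proto"], packet["dport"]))
        return None if kind is None else Event(self.name, packet["src"], kind, packet["time"])


class HostAgent:
    """Parses host log lines; the line format is a constructed sshd-like sample."""
    LOG_RE = re.compile(r"^(?P<time>\d+) Failed password for \S+ from (?P<src>[\d.]+)$")

    def __init__(self, name):
        self.name = name

    def inspect(self, line):
        m = self.LOG_RE.match(line)
        if m is None:
            return None
        return Event(self.name, m.group("src"), "failed_login", int(m.group("time")))


# --- memory (storage) system: raw evidence plus events shared by all components ---
class StorageSystem:
    def __init__(self):
        self.raw = []       # raw packets and log lines kept as captured (evidence)
        self.events = []    # events matched locally by the sensors

    def record(self, raw, event):
        self.raw.append(raw)
        if event is not None:
            self.events.append(event)

    def query(self, **where):
        return [e for e in self.events if all(getattr(e, k) == v for k, v in where.items())]


# --- analysis system: several algorithms coexist; each returns (severity, source, reason) ---
def threshold_analyzer(events, limit=3):
    """Repeated failed logins from one source at one host agent."""
    counts = defaultdict(int)
    for e in events:
        if e.kind == "failed_login":
            counts[(e.sensor, e.source)] += 1
    return [("medium", src, f"{n} failed logins at {sensor}")
            for (sensor, src), n in counts.items() if n >= limit]


def coordinated_analyzer(events, window=60, min_sensors=2):
    """Distributed attack: one source observed by several control points within a window."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e.source].append(e)
    alerts = []
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e.time)
        for i, first in enumerate(evs):
            sensors = {e.sensor for e in evs[i:] if e.time - first.time <= window}
            if len(sensors) >= min_sensors:
                alerts.append(("high", src, f"seen at {len(sensors)} control points within {window}s"))
                break
    return alerts


class AnalysisSystem:
    def __init__(self, storage, analyzers):
        self.storage, self.analyzers = storage, list(analyzers)  # algorithms are pluggable

    def run(self):
        alerts = []
        for analyze in self.analyzers:
            alerts.extend(analyze(self.storage.events))
        return alerts


# --- response system: passive notification or protective measure only ---
def respond(alert):
    severity, src, reason = alert
    if severity == "high":
        return f"block {src} in router ACL and notify administrator: {reason}"
    return f"e-mail administrator about {src}: {reason}"


# --- constructed trace: one network engine and one host agent see the same source ---
PACKETS = [
    {"time": 5, "proto": "tcp", "src": "203.0.113.7", "dport": 23},
    {"time": 9, "proto": "tcp", "src": "203.0.113.7", "dport": 80},    # no signature
    {"time": 40, "proto": "tcp", "src": "198.51.100.9", "dport": 445},
]
HOST_LOG = [
    "12 Failed password for root from 203.0.113.7",
    "15 Failed password for root from 203.0.113.7",
    "30 Failed password for admin from 203.0.113.7",
    "100 Failed password for root from 192.0.2.20",
]


def run_demo():
    storage = StorageSystem()
    engine, agent = NetworkEngine("net-engine-1"), HostAgent("host-agent-1")
    for p in PACKETS:
        storage.record(p, engine.inspect(p))
    for line in HOST_LOG:
        storage.record(line, agent.inspect(line))
    alerts = AnalysisSystem(storage, [threshold_analyzer, coordinated_analyzer]).run()
    return storage, alerts, [respond(a) for a in alerts]


if __name__ == "__main__":
    for action in run_demo()[2]:
        print(action)
```

On the constructed trace the threshold analyzer raises a medium alert for the three failed logins at the host agent, and the coordinated analyzer raises a high alert because the same source was seen by both control points within 60 seconds; the network engine's early match is what lets the second analyzer fire before the host-side count alone would. The response layer deliberately stops at notification and a router ACL change, matching the abstract's point that retaliatory responses are not permitted.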
Keywords/Search Tags: Distributed