
Research And Implementation Of The Network Security Audit Model Based On Agent Technology

Posted on: 2012-08-10
Degree: Master
Type: Thesis
Country: China
Candidate: T X Lv
Full Text: PDF
GTID: 2178330332490146
Subject: Communication and Information System

Abstract/Summary:
With the development of computer networks and the popularity of computer applications, network and information security problems are becoming increasingly serious. Current network security research is concentrated mainly on access control, data encryption, firewall technology and intrusion detection, while neglecting the management, control and auditing of user actions inside local area networks (LANs), where security problems occur more frequently. As the third line of defense after the firewall and the intrusion detection system, security audit technology can track, record and reconstruct security events on hosts and on the internal network, strengthening internal management and effectively protecting the overall security of the LAN.

At present, network security audit systems based on log analysis are one of the main research directions, and how to improve audit efficiency is a hot research topic. However, as the network scale grows and log sources multiply, the traditional centralized audit structure consumes more network resources and places a heavier burden on the audit center, which is not conducive to improving audit efficiency. Therefore, drawing on the autonomy, intelligence and collaboration features of Agent technology, this thesis builds a network security audit system based on Agent technology. The main research work is as follows:

1. Design and implementation of distributed log data collection. Host system logs, security logs and network packets in the LAN are collected and processed in real time using Agent technology. Analyzing multiple data sources in combination resolves the inaccurate audit results that come from analyzing a single data source, and so raises the overall level of audit analysis.

2. Improvement of the traditional association rule mining algorithm and of the sliding-window entropy detection algorithm, both of which are used to mine or refine audit rules and thereby make rule updating in the audit analysis Agent more intelligent. In the system, the Apriori algorithm, based on the support-confidence framework, is applied to mine the implicit rules in users' actions. However, this algorithm suffers from high I/O cost while scanning the database and generates many candidate itemsets, both of which reduce the efficiency of searching for maximal frequent itemsets. To solve this problem, a strong association rule generation algorithm combined with a sorted matrix is proposed; it needs to scan the database only once and generates fewer candidate itemsets. The rules mined by the new algorithm can be added to the rule database, so audit rules can be generated and updated automatically. During network packet analysis, the sliding-window entropy detection algorithm is used to detect UDP Flood, SYN Flood and other DoS attacks in real time. This method avoids the false negatives and false positives that arise from detection methods based on mathematical statistics, and improves the intelligence of the audit system.

3. Design and implementation of the network security audit system based on Agent technology. According to the actual LAN environment, Agent entities with different functions are designed and implemented: the data collection Agent, the audit analysis Agent, the management control center Agent, the client Agent, etc., which are distributed on the gateway server and other network nodes in the LAN. The data collection Agent achieves distributed collection from multiple data sources; the association rule mining algorithm and the intrusion detection algorithm are then applied to mine and refine audit rules, making the audit analysis Agent more intelligent; at the same time, a Socket-based communication mechanism implements synchronous connections and data transmission between Agents, so that server-side Agents can perform remote auditing by analyzing the uploaded screen, mouse and keyboard data, thereby protecting overall network security.

The model proposed in this thesis solves the deficiencies of traditional security audit systems to some extent, and the audit analysis methods studied and improved here are applied to the system, effectively improving its intelligence.
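The sliding-window entropy detection described in item 2, as an added illustration that is not code from the thesis: it learns the normal per-window entropy of destination ports and of source addresses from attack-free traffic, then flags windows whose entropy leaves that baseline band (a drop means traffic collapsing onto one service, a rise means unusually many distinct sources). The packet tuples, the window size of 8, the thresholds and the documentation-range addresses are constructed assumptions.

```python
import math
import statistics
from collections import Counter, deque
from operator import itemgetter

def shannon_entropy(items):
    """Shannon entropy (bits) of the value distribution in `items`."""
    counts = Counter(items)
    n = len(items)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def window_entropies(packets, key, window):
    """Entropy of key(pkt) over every full sliding window of `window` packets."""
    buf = deque(maxlen=window)
    out = []
    for pkt in packets:
        buf.append(key(pkt))
        if len(buf) == window:
            out.append(shannon_entropy(buf))
    return out

def learn_baseline(normal_packets, key, window):
    """Mean and population std-dev of window entropy on attack-free traffic."""
    hs = window_entropies(normal_packets, key, window)
    return statistics.mean(hs), statistics.pstdev(hs)

def detect(packets, key, window, baseline, k=3.0, floor=0.1):
    """Indices of windows whose entropy leaves mean +/- max(k*std, floor).
    `floor` keeps the band non-zero when the training traffic is very regular."""
    mean, std = baseline
    band = max(k * std, floor)
    return [i for i, h in enumerate(window_entropies(packets, key, window))
            if abs(h - mean) > band]

# Constructed sample traffic as (src_ip, dst_port, tcp_flags) tuples (assumption).
NORMAL = [(f"192.0.2.{1 + i % 5}", (80, 443, 53, 22)[i % 4], "PSH") for i in range(40)]
FLOOD = [(f"198.51.100.{i}", 80, "SYN") for i in range(24)]  # spoofed-source SYN flood
TRAFFIC = NORMAL[:20] + FLOOD + NORMAL[20:]
SRC, PORT = itemgetter(0), itemgetter(1)
WINDOW = 8

if __name__ == "__main__":
    port_base = learn_baseline(NORMAL, PORT, WINDOW)
    src_base = learn_baseline(NORMAL, SRC, WINDOW)
    print("dst-port entropy anomalies at windows:", detect(TRAFFIC, PORT, WINDOW, port_base))
    print("src-ip entropy anomalies at windows:", detect(TRAFFIC, SRC, WINDOW, src_base))
```

In a deployment the baseline would be learned per segment and time of day, since a server that legitimately receives most traffic on one port has a low port entropy by design.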
Keywords/Search Tags: Agent Technology, Security Audit, Data Collected, Association Rules Mining