
The Research And Prototype Implementation Of Distributed Intrusion Detection System Based On Attack Policy Tree

Posted on: 2007-08-27
Degree: Master
Type: Thesis
Country: China
Candidate: Q C Li
Full Text: PDF
GTID: 2178360182480923
Subject: Computer application technology

Abstract/Summary:
Intrusion detection is an important technology in the field of computer security and has become a focus of computer security theory. With the development of Internet technology, designing and implementing intrusion detection adapted to the Internet environment has become a popular topic in the intrusion detection field. However, most current IDSs are limited to a single host/network infrastructure or to a centralized structure, and their detection capability is poor in heterogeneous or large-scale network environments. To address these problems, researching and implementing a distributed intrusion detection system adapted to the Internet environment has become an inevitable trend. By studying the correlated information and combining it with attack practice, multi-sensor data fusion is applied to the Distributed Intrusion Detection System (DIDS). This thesis proposes a theoretical model of a distributed intrusion detection system adapted to large-scale heterogeneous environments: distributed intrusion detection based on the attack policy tree (APTDIDS).

The main contents of this thesis can be summarized as follows:

Chapter 1 introduces the intention and goals of this thesis and the current state of the field, then states the main problems to be solved and the main work to be done.

Chapter 2 first introduces the basic concepts and history of intrusion detection, then describes the classification and standards of intrusion detection, and finally introduces distributed intrusion detection.

Chapter 3 analyzes the signatures of distributed attack behavior and proposes the notion of attack events.

Chapter 4 first classifies the attack events and then proposes a model of attack events; following the IDMEF (Intrusion Detection Message Exchange Format) standard, the attack events are described in XML (eXtensible Markup Language). It then describes the key fields of the attack event model and expounds the time-sequence and logical relations between different events.

Chapter 5 constructs an attack specification language based on the attack event model combined with Tidwell's attack tree concepts. Quinlan's decision trees are then applied to the Attack Policy Tree Model (APTM), and an Attack Policy Tree Spanning Algorithm (APTSA) is constructed. Finally, APTSA is used to forecast attack intrusions.

Chapter 6 analyzes and compares current DIDS infrastructures, gives a distributed intrusion detection system infrastructure, and implements a prototype based on Linux.

Chapter 7 summarizes the whole thesis and discusses research and technical trends in IDS.
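The following is an added illustration of the ideas named in Chapters 4 and 5 (attack events carried in IDMEF-style XML, fused across sensors, and checked against an attack tree with AND/OR and time-sequence relations). It is not code from the thesis, and the XML layout, the sensor names, the hosts, the classification strings and the attack tree itself are all constructed assumptions, not the thesis's attack specification language or its APTSA algorithm.

```python
"""Attack-tree matching over IDMEF-style alerts (constructed illustration)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample data: three sensors reporting on two hosts. Element names borrow
# IDMEF vocabulary (Alert, CreateTime, Classification, Source, Target) but this is a
# simplified layout, not the real IDMEF schema.
SAMPLE_ALERTS = """<Alerts>
  <Alert id="a1" analyzer="dmz-nids"><CreateTime>2007-08-27T10:00:00</CreateTime>
    <Classification>port-scan</Classification><Source>10.0.0.5</Source><Target>192.168.1.10</Target></Alert>
  <Alert id="a2" analyzer="dmz-nids"><CreateTime>2007-08-27T10:01:00</CreateTime>
    <Classification>port-scan</Classification><Source>10.0.0.5</Source><Target>192.168.1.20</Target></Alert>
  <Alert id="a3" analyzer="web-hids"><CreateTime>2007-08-27T10:05:00</CreateTime>
    <Classification>exploit-attempt</Classification><Source>10.0.0.5</Source><Target>192.168.1.10</Target></Alert>
  <Alert id="a4" analyzer="web-hids"><CreateTime>2007-08-27T10:10:00</CreateTime>
    <Classification>privilege-escalation</Classification><Source>10.0.0.5</Source><Target>192.168.1.10</Target></Alert>
  <Alert id="a5" analyzer="db-hids"><CreateTime>2007-08-27T09:50:00</CreateTime>
    <Classification>privilege-escalation</Classification><Source>10.0.0.7</Source><Target>192.168.1.20</Target></Alert>
  <Alert id="a6" analyzer="db-hids"><CreateTime>2007-08-27T10:03:00</CreateTime>
    <Classification>exploit-attempt</Classification><Source>10.0.0.5</Source><Target>192.168.1.20</Target></Alert>
</Alerts>"""


@dataclass(frozen=True)
class AttackEvent:
    id: str
    analyzer: str
    time: datetime
    kind: str
    source: str
    target: str


def parse_events(xml_text: str) -> List[AttackEvent]:
    """Parse the simplified alert XML into AttackEvent records sorted by time."""
    root = ET.fromstring(xml_text)
    events = [
        AttackEvent(
            id=a.get("id"),
            analyzer=a.get("analyzer"),
            time=datetime.fromisoformat(a.findtext("CreateTime")),
            kind=a.findtext("Classification"),
            source=a.findtext("Source"),
            target=a.findtext("Target"),
        )
        for a in root.findall("Alert")
    ]
    return sorted(events, key=lambda e: e.time)


@dataclass
class Node:
    """Attack tree node: LEAF matches one event kind; AND/OR/SEQ combine children."""
    name: str
    op: str                      # "LEAF", "AND", "OR" or "SEQ"
    kind: Optional[str] = None   # classification matched by a LEAF
    children: List["Node"] = field(default_factory=list)


def satisfied(node: Node, events: List[AttackEvent],
              after: Optional[datetime] = None) -> Optional[datetime]:
    """Return the time at which `node` is completed by `events`, or None.
    `after` carries the time-sequence relation: only later events count."""
    if node.op == "LEAF":
        for e in events:
            if e.kind == node.kind and (after is None or e.time > after):
                return e.time
        return None
    if node.op == "OR":   # any child suffices; earliest completion wins
        times = [t for t in (satisfied(c, events, after) for c in node.children) if t]
        return min(times) if times else None
    if node.op == "AND":  # all children, in any order; done when the last is done
        times = [satisfied(c, events, after) for c in node.children]
        return None if any(t is None for t in times) else max(times)
    if node.op == "SEQ":  # children in order, each strictly after the previous
        t = after
        for c in node.children:
            t = satisfied(c, events, t)
            if t is None:
                return None
        return t
    raise ValueError(f"unknown operator {node.op}")


def detect(events: List[AttackEvent], tree: Node) -> Dict[str, Optional[datetime]]:
    """Fuse alerts from all sensors by target host and evaluate the tree per host."""
    by_target: Dict[str, List[AttackEvent]] = {}
    for e in events:
        by_target.setdefault(e.target, []).append(e)
    return {target: satisfied(tree, evs) for target, evs in by_target.items()}


# Hypothetical attack policy: scan, then an exploit attempt or a brute-force login,
# then privilege escalation, in that time order.
INTRUSION_TREE = Node("remote-compromise", "SEQ", children=[
    Node("recon", "LEAF", kind="port-scan"),
    Node("entry", "OR", children=[
        Node("exploit", "LEAF", kind="exploit-attempt"),
        Node("bruteforce", "LEAF", kind="brute-force-login"),
    ]),
    Node("escalate", "LEAF", kind="privilege-escalation"),
])

if __name__ == "__main__":
    for host, when in detect(parse_events(SAMPLE_ALERTS), INTRUSION_TREE).items():
        print(host, "sequence completed at", when) if when else print(host, "no complete sequence")
```

On the sample data, host 192.168.1.10 completes the whole sequence at 10:10, while 192.168.1.20 does not: its privilege-escalation alert (09:50) precedes its scan and exploit attempt, so the time-sequence relation of the SEQ node rejects it even though every leaf kind appears. That is the point of carrying time order in the event model rather than matching on event kinds alone.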
Keywords/Search Tags: Distributed Intrusion Detection, Attack Event, Attack Policy Tree, data fusion, XML