
The Research Of Distributed Intrusion Detection System Architecture And Alert Fusion

Posted on: 2006-04-03
Degree: Master
Type: Thesis
Country: China
Candidate: N Zhou
Full Text: PDF
GTID: 2178360182960428
Subject: Computer applications
Abstract/Summary:
Intrusion detection is an important research field in network security. As networks grow in scale and attack methods multiply, the distributed intrusion detection system (DIDS) has become a hot topic in intrusion detection research. The architecture of such a system and its key technologies are the main subjects of this dissertation.

A four-layered DIDS architecture model is presented, derived from the design principles and goals of the system. The model extends the logical layered model of an IDS and is able to generate global alerts.

The DIDS architecture adopts a tree topology, in which a node registration mechanism is the means by which a new node is added to the IDS legitimately and securely. Node registration and the subsequent session consist of four parts: session registration, secure session establishment, session control, and session log-out. The security properties of this mechanism are as follows. Registration and session control are implemented with a CA-based authentication protocol and heartbeat messages. Secure session establishment and log-out are built on BEEP (Blocks Extensible Exchange Protocol). The Diffie-Hellman protocol is used to negotiate the key for the secure transmission process (STP), and a timestamp is added to the key negotiation to strengthen resistance to replay attacks. Together these mechanisms guarantee the legitimacy of newly added nodes and, consequently, the overall security of the DIDS architecture.

The association and analysis layer is the core of the four-layered architecture. Alert fusion in this layer is studied in order to reduce false alerts in the IDS. First, the dissertation establishes a model of attack events in XML and extends the system security state database. Second, the implementation of the alert fusion module is presented, with a detailed explanation of the function and implementation of its three sub-modules: alert clustering, alert merging, and alert association. Finally, the alert fusion module is improved by adding a decision component and an alert feedback line, so that alerts can be processed in real time and the real-time character of intrusion detection is preserved.

The final results indicate that this approach to alert fusion reduces false alerts in intrusion detection and improves detection efficiency.
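The node registration session described in the abstract (registration, secure session establishment with timestamped Diffie-Hellman key negotiation, heartbeat-based session control, and log-out), as an added example that is not the dissertation's code. The message layout, the HMAC-keyed registry that stands in for CA authentication, the toy DH group, and the 30-second freshness window are all assumptions of this example; BEEP framing is omitted.

```python
import hashlib
import hmac
import secrets

# Toy DH group: 2**64 - 59 is prime but far too small for real use; production code
# would use an RFC 3526 MODP group (2048-bit or larger). Assumption of this example.
DH_P = (1 << 64) - 59
DH_G = 2
WINDOW = 30  # seconds of clock skew tolerated on a timestamped message (assumed)


class SessionError(Exception):
    pass


def _mac(key, *parts):
    """HMAC-SHA256 over length-prefixed fields so that field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


class Node:
    """A DIDS node (console or agent). `trusted` maps node id -> long-term key and
    stands in for the CA-backed identity check of the registration step."""

    def __init__(self, node_id, longterm_key, trusted, clock):
        self.node_id, self.key, self.trusted, self.clock = node_id, longterm_key, trusted, clock
        self.seen = set()   # (peer, ts, pub) already accepted; entries older than WINDOW can be pruned
        self.sessions = {}  # peer -> session key
        self.last_seq = {}  # peer -> highest heartbeat sequence number accepted

    # Secure session establishment: DH public value + timestamp, tagged under the long-term key.
    def negotiate(self):
        priv = secrets.randbelow(DH_P - 2) + 1
        pub, ts = pow(DH_G, priv, DH_P), self.clock()
        tag = _mac(self.key, self.node_id.encode(), pub.to_bytes(8, "big"), ts.to_bytes(8, "big"))
        return priv, {"node": self.node_id, "pub": pub, "ts": ts, "tag": tag}

    def accept(self, msg, priv):
        peer = msg["node"]
        if peer not in self.trusted:
            raise SessionError("unregistered node")
        if abs(self.clock() - msg["ts"]) > WINDOW:           # freshness: rejects old messages even after a restart
            raise SessionError("timestamp outside window")
        tag = _mac(self.trusted[peer], peer.encode(), msg["pub"].to_bytes(8, "big"), msg["ts"].to_bytes(8, "big"))
        if not hmac.compare_digest(tag, msg["tag"]):
            raise SessionError("bad authentication tag")
        if not 1 < msg["pub"] < DH_P - 1:
            raise SessionError("invalid DH public value")
        fingerprint = (peer, msg["ts"], msg["pub"])
        if fingerprint in self.seen:                          # replay inside the window
            raise SessionError("replayed negotiation message")
        self.seen.add(fingerprint)
        shared = pow(msg["pub"], priv, DH_P)
        # Simplified KDF: a real one would also bind both node ids and both timestamps.
        self.sessions[peer] = hashlib.sha256(shared.to_bytes(8, "big")).digest()
        self.last_seq[peer] = 0
        return self.sessions[peer]

    # Session control: heartbeats under the session key with a strictly increasing sequence number.
    def heartbeat(self, peer, seq):
        ts = self.clock()
        tag = _mac(self.sessions[peer], self.node_id.encode(), seq.to_bytes(8, "big"), ts.to_bytes(8, "big"))
        return {"node": self.node_id, "seq": seq, "ts": ts, "tag": tag}

    def check_heartbeat(self, msg):
        peer = msg["node"]
        key = self.sessions.get(peer)
        if key is None:
            raise SessionError("no session with this node")
        tag = _mac(key, peer.encode(), msg["seq"].to_bytes(8, "big"), msg["ts"].to_bytes(8, "big"))
        if not hmac.compare_digest(tag, msg["tag"]):
            raise SessionError("bad heartbeat tag")
        if msg["seq"] <= self.last_seq[peer] or abs(self.clock() - msg["ts"]) > WINDOW:
            raise SessionError("replayed or stale heartbeat")
        self.last_seq[peer] = msg["seq"]
        return True

    def logout(self, peer):
        self.sessions.pop(peer, None)
        self.last_seq.pop(peer, None)


def demo(now=1_000_000):
    """Console and agent negotiate, exchange a heartbeat and log out, with replays
    attempted in between. Returns a dict of outcomes. Keys and node names are constructed."""
    clock = {"now": now}
    tick = lambda: clock["now"]
    registry = {"console": secrets.token_bytes(32), "agent-7": secrets.token_bytes(32)}
    console = Node("console", registry["console"], registry, tick)
    agent = Node("agent-7", registry["agent-7"], registry, tick)
    c_priv, c_msg = console.negotiate()
    a_priv, a_msg = agent.negotiate()
    out = {"keys_match": console.accept(a_msg, c_priv) == agent.accept(c_msg, a_priv)}

    def attempt(label, fn):
        try:
            fn()
            out[label] = "accepted"
        except SessionError as e:
            out[label] = str(e)

    attempt("fast_replay", lambda: console.accept(a_msg, c_priv))     # inside the window: seen-set catches it
    hb = agent.heartbeat("console", 1)
    out["heartbeat"] = console.check_heartbeat(hb)
    attempt("heartbeat_replay", lambda: console.check_heartbeat(hb))  # same sequence number again
    clock["now"] += WINDOW + 1
    restarted = Node("console", registry["console"], registry, tick)  # restarted console, empty seen-set
    attempt("late_replay", lambda: restarted.accept(a_msg, c_priv))   # timestamp check catches it
    agent.logout("console")
    console.logout("agent-7")
    out["sessions_closed"] = not console.sessions and not agent.sessions
    return out
```

Two checks do the anti-replay work, and neither is sufficient alone: the timestamp window rejects an old negotiation message even at a freshly restarted console whose seen-set is empty, while the seen-set rejects a message replayed inside the window that the skew tolerance must allow. Pruning seen-set entries older than WINDOW keeps it bounded without weakening either check.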
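The three sub-modules of the alert fusion module (alert clustering, alert merging, alert association) run over a handful of constructed XML alerts, as an added example that is not the dissertation's implementation. The XML attribute layout, the 60-second clustering window, the 600-second association window, and the two-stage reconnaissance/exploitation taxonomy used to order association steps are assumptions of this example.

```python
from dataclasses import dataclass, field
import xml.etree.ElementTree as ET

CLUSTER_WINDOW = 60   # seconds: repeats of one event this close together form one cluster (assumed)
ASSOC_WINDOW = 600    # seconds: a later attack stage this soon after the previous one is linked (assumed)
STAGE = {"ICMP PING": 0, "SCAN": 0, "WEB-ATTACK": 1}  # recon = 0, exploitation = 1 (assumed taxonomy)

# Constructed sample: three sensors see the same scan-then-exploit sequence plus unrelated noise.
SAMPLE_ALERTS = """<alerts>
  <alert sensor="ids-dmz-1"  sig="ICMP PING NMAP" src="10.0.0.5"   dst="192.168.1.10" ts="100"/>
  <alert sensor="ids-dmz-2"  sig="ICMP PING NMAP" src="10.0.0.5"   dst="192.168.1.10" ts="101"/>
  <alert sensor="ids-dmz-1"  sig="SCAN SYN"       src="10.0.0.5"   dst="192.168.1.10" ts="120"/>
  <alert sensor="ids-core-1" sig="SCAN SYN"       src="10.0.0.5"   dst="192.168.1.10" ts="122"/>
  <alert sensor="ids-dmz-1"  sig="SCAN SYN"       src="10.0.0.5"   dst="192.168.1.10" ts="125"/>
  <alert sensor="ids-core-1" sig="WEB-ATTACK /bin/sh access" src="10.0.0.5" dst="192.168.1.10" ts="300"/>
  <alert sensor="ids-dmz-1"  sig="ICMP PING NMAP" src="172.16.4.9" dst="192.168.1.20" ts="305"/>
  <alert sensor="ids-dmz-1"  sig="ICMP PING NMAP" src="10.0.0.5"   dst="192.168.1.10" ts="2000"/>
</alerts>"""


@dataclass
class Alert:
    sensor: str
    sig: str
    src: str
    dst: str
    ts: int


@dataclass
class MetaAlert:            # the merged form of one cluster
    sig: str
    src: str
    dst: str
    first: int
    last: int
    count: int
    sensors: set


def stage_of(sig):
    for prefix, stage in STAGE.items():
        if sig.startswith(prefix):
            return stage
    return 0  # unknown signatures are treated as reconnaissance-level


@dataclass
class Scenario:             # an association of meta-alerts against one src/dst pair
    src: str
    dst: str
    steps: list = field(default_factory=list)

    @property
    def stage(self):
        return max(stage_of(m.sig) for m in self.steps)

    @property
    def priority(self):     # the decision step: scenarios that reach exploitation rank high
        return "high" if self.stage >= 1 else "low"


def parse_alerts(xml_text):
    root = ET.fromstring(xml_text)
    alerts = [Alert(a.get("sensor"), a.get("sig"), a.get("src"), a.get("dst"), int(a.get("ts")))
              for a in root.iter("alert")]
    return sorted(alerts, key=lambda a: a.ts)


def cluster_and_merge(alerts):
    """Clustering: same (sig, src, dst) within CLUSTER_WINDOW of the cluster's last alert.
    Merging: each cluster collapses into one MetaAlert carrying count, time span and sensors."""
    metas, open_clusters = [], {}   # open_clusters: (sig, src, dst) -> index of the still-open cluster
    for a in alerts:
        key = (a.sig, a.src, a.dst)
        i = open_clusters.get(key)
        if i is not None and a.ts - metas[i].last <= CLUSTER_WINDOW:
            m = metas[i]
            m.last, m.count = a.ts, m.count + 1
            m.sensors.add(a.sensor)
        else:
            metas.append(MetaAlert(a.sig, a.src, a.dst, a.ts, a.ts, 1, {a.sensor}))
            open_clusters[key] = len(metas) - 1
    return metas


def associate(metas):
    """Association: attach a meta-alert to the scenario with the same src/dst whose attack
    stage does not exceed the new alert's and whose last step is within ASSOC_WINDOW."""
    scenarios = []
    for m in sorted(metas, key=lambda m: m.first):
        for s in scenarios:
            if ((s.src, s.dst) == (m.src, m.dst) and stage_of(m.sig) >= s.stage
                    and m.first - s.steps[-1].last <= ASSOC_WINDOW):
                s.steps.append(m)
                break
        else:
            scenarios.append(Scenario(m.src, m.dst, [m]))
    return scenarios


def fuse(xml_text):
    raw = parse_alerts(xml_text)
    metas = cluster_and_merge(raw)
    return raw, metas, associate(metas)
```

On the sample, eight raw alerts from three sensors collapse to five meta-alerts, and the three meta-alerts that share a source and target and progress from reconnaissance to an exploitation signature become one high-priority scenario; the isolated probe against another host and the much later probe from the same source stay separate. The two windows are the tuning knobs: too narrow and repeated probes remain separate alerts, too wide and unrelated events from a busy source are merged or linked together.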
Keywords/Search Tags:Intrusion Detection, Architecture, Node Register, Alert Fusion