
The Study And Implementation Of Distributed IDS Key Technology

Posted on: 2006-01-20
Degree: Master
Type: Thesis
Country: China
Candidate: S H Jiang
Full Text: PDF
GTID: 2178360185963653
Subject: Computer Science and Technology
Abstract/Summary:
With the global wave of informatization, information has become the main driver of social development, and networks have spread all over the world. However, this brings increasingly serious security problems. Furthermore, owing to the negative effects of networks, information security has become an issue of concern to all countries.

Intrusion detection technology is the key to active defense technology. However, faults such as a high false alert rate, lack of interoperability, lack of an overall profile, and lack of alert correlation have held back the development and application of IDS. To address these issues, the thesis examines key technologies including an IDS evaluation criteria architecture, the alert's Urgent Degree (UD), and alert correlation. The focus of this thesis is:

1. Based on the current state of IDS research, a three-dimensional evaluation Criteria Architecture is presented, together with definitions of the criteria and the model. The model uses quantitative methods and makes up for the shortcomings of existing criteria architectures. This result provides a precondition and foundation for IDS evaluation.
2. The definition and model of Urgent Degree are presented, and an application case is given. The model considers factors that can influence the Urgent Degree, such as the number of times an alert occurs and the elapsed time. Both direct and indirect factors are considered.
3. Urgent Degree is applied in the unified alarm format. Based on the AISM model, the ABAIM model is proposed. This model is compatible with IDMEF and contains the Urgent Degree information. Furthermore, it has better expressiveness.
4. Based on CRIM, a framework for distributed IDS alarm correlation is proposed. The approach, model and implementation of alert correlation are given, and the key algorithm is implemented.

The results of this thesis have been applied in the National High Technology Research and Development Program of China (863 Program, "the Network Security Monitor and the Warning Technology", No. 2003AA142010), and laid the foundation for passing the mid-term review by the 863 experts.
Keywords/Search Tags:Intrusion Detection, evaluation, Criteria Architecture, Alert's Urgent Degree, Alert Correlate