
A Kind Of Mixed Intrusion Detection System Based On Protocol Analysis

Posted on: 2007-03-04
Degree: Master
Type: Thesis
Country: China
Candidate: W H Yuan
Full Text: PDF
GTID: 2178360185973887
Subject: Computer application technology
Abstract/Summary:
Network security problems have become a serious threat to the application, management and development of computer networks; the more frequent network intrusions become, the greater the losses to individuals and to society. Under these circumstances, intrusion detection systems (IDS) emerged as a new kind of security safeguard alongside conventional network defence technologies such as firewalls, data encryption and access control. Intrusion detection is an active defence technology: it provides real-time protection against internal attacks, external attacks and misuse, and it can not only detect intrusions from outside but also monitor unauthorized operations by internal users.

With the emergence of high-bandwidth network technologies, IDS faces serious challenges: how to ensure that the IDS processes and analyzes large numbers of packets promptly and efficiently; how to reduce or avoid packet loss; how to strengthen the IDS's own defence against attacks; and how to improve the accuracy and the efficiency of the system at the same time. These problems remain open in the IDS field.

This thesis discusses the design and implementation of an intrusion detection system based on protocol analysis, drawing on a study of the relevant background, of intrusion detection technologies and of the use of protocol analysis in intrusion detection, with the aim of addressing the problems above. The main work of this thesis is as follows:

1) Design of a framework for a distributed intrusion detection system that integrates both HIDS and NIDS, analyzing not only audit logs and system logs but also raw network traffic, so that the framework can detect intrusions and attacks against the system from every direction. In this system the lower-layer subsystems complete their detection tasks independently, which avoids the low detection efficiency of centralized systems and lightens the load on the main control subsystem. Because each subsystem runs on its own, there is no single point of failure. Adding a new HIDS or NIDS subsystem requires only registering it with the main control subsystem, which makes deployment flexible and the system easy to extend. The main control subsystem monitors and controls the running of the whole system globally and detects the more complex kinds of intrusions and attacks; failure of the main control subsystem does not affect the functions of the lower layers, and neither does failure of one of the lower-layer subsystems.

2) Design and implementation of an efficient and portable distributed data capture component. Replacing centralized data capture with distributed data capture greatly increases the efficiency of data collection.

3) Design and implementation of the distributed network intrusion detection subsystem, which uses load balancing based on application type...
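The framework described in points 1) and 3) above, as an added example that is not the thesis's own code: a main control subsystem keeps a registry of NIDS sensors, dispatches each packet to a sensor of the matching application type (classified here by destination port, which is an assumption; the thesis does not state its rule), balances round-robin among the sensors of that type, and correlates the sensors' independent alerts into a higher-level event when one source trips alerts against two or more destinations. The HttpSensor shows why protocol analysis matters: it decodes the request and applies the rule to the URI only, so a percent-encoded traversal is caught and a harmless "../" inside a POST body is not, whereas the pattern-only sensor gets both wrong. The sample traffic, sensor and signature names, and the threshold of two destinations are all constructed for this example.

```python
"""Toy distributed IDS: protocol-aware NIDS sensors register with a main
controller that balances load by application type and correlates alerts.
Added illustration only; not code from the thesis."""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import unquote

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

def app_type(pkt):
    """Application type by destination port (assumed rule, not the thesis's)."""
    return {80: "http", 8080: "http", 53: "dns"}.get(pkt.dport, "other")

def parse_http_request(payload):
    """Minimal HTTP/1.x request decoder; None if the payload is not a request.
    The target is percent-decoded so rules see the path the server resolves."""
    head, _, body = payload.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/"):
        return None
    return {"method": method, "path": unquote(target), "body": body}

class Sensor:
    """A lower-layer NIDS subsystem; it inspects packets on its own."""
    def __init__(self, name):
        self.name, self.seen = name, 0

    def inspect(self, pkt):
        self.seen += 1
        return self.rules(pkt)

class HttpSensor(Sensor):
    """Protocol analysis: the rule looks at the decoded request path only."""
    def rules(self, pkt):
        req = parse_http_request(pkt.payload)
        return [("http.path_traversal", pkt.src)] if req and "../" in req["path"] else []

class PatternSensor(Sensor):
    """Plain substring matching over the whole payload, for comparison."""
    def rules(self, pkt):
        return [("raw.path_traversal", pkt.src)] if b"../" in pkt.payload else []

class MainController:
    """Main-control-subsystem: registry, per-type round robin, correlation."""
    def __init__(self, threshold=2):
        self.registry = defaultdict(list)   # application type -> sensors
        self.cursor = defaultdict(int)      # round-robin position per type
        self.targets = defaultdict(set)     # alerting src -> distinct dsts hit
        self.threshold = threshold          # dsts before a multi-target event
        self.alerts = []

    def register(self, app, sensor):
        self.registry[app].append(sensor)   # a new subsystem only registers

    def dispatch(self, pkt):
        app = app_type(pkt)
        sensors = self.registry.get(app, [])
        if not sensors:
            return []                       # no subsystem handles this type
        sensor = sensors[self.cursor[app] % len(sensors)]
        self.cursor[app] += 1
        events = list(sensor.inspect(pkt))  # the sensor decides on its own
        for src in {s for _, s in events}:
            self.targets[src].add(pkt.dst)
            if len(self.targets[src]) == self.threshold:
                events.append(("correlated.multi_target", src))
        self.alerts.extend(events)
        return events

SAMPLE_TRAFFIC = [  # constructed for the example, not captured data
    Packet("10.0.0.3", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    Packet("10.0.0.5", "192.0.2.10", 80,
           b"GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: www\r\n\r\n"),
    Packet("10.0.0.7", "192.0.2.10", 80,
           b"POST /notes HTTP/1.1\r\nHost: www\r\nContent-Length: 25\r\n\r\nsee ../README for details"),
    Packet("10.0.0.5", "192.0.2.53", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00"),
    Packet("10.0.0.5", "192.0.2.11", 8080, b"GET /../../../boot.ini HTTP/1.0\r\n\r\n"),
]

def run_demo():
    """Run the traffic through a protocol-aware and a pattern-only controller."""
    proto, naive = MainController(), MainController()
    proto.register("http", HttpSensor("http-a"))
    proto.register("http", HttpSensor("http-b"))
    naive.register("http", PatternSensor("pattern"))
    for pkt in SAMPLE_TRAFFIC:
        proto.dispatch(pkt)
        naive.dispatch(pkt)
    return {"protocol": proto.alerts, "pattern": naive.alerts,
            "load": {s.name: s.seen for s in proto.registry["http"]}}
```

Running run_demo() shows the protocol-aware controller raising two http.path_traversal alerts from 10.0.0.5 followed by a correlated.multi_target event once that source has hit two destinations, while the pattern-only controller misses the encoded traversal and instead flags the benign POST; the two HTTP sensors each see two of the four HTTP packets, and the DNS packet is dropped because no subsystem is registered for that type.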
Keywords/Search Tags:network security, intrusion detection, protocol analysis, intrusion event, DIDS