
Research And Implementation Of Cooperative Intrusion Response System

Posted on: 2008-03-25
Degree: Master
Type: Thesis
Country: China
Candidate: L Chen
GTID: 2178360212468276
Subject: Computer system architecture

Abstract/Summary:
With the rapid development of networks and information technology, security problems are becoming more and more important. As network security incidents grow more frequent, incident response has drawn attention as a defence against the large volume of network attacks. Intrusion detection systems (IDS) have reached a high level of sophistication and can detect intrusions with a variety of methods. Unfortunately, the majority of intrusion response systems react to attacks only by generating reports or alarms. System administrators can neither keep up with the pace at which an IDS delivers alerts nor react to them within adequate time limits. A slow response to multiple attacks may end in serious damage beyond recovery. Manual response to computer attacks is inadequate by itself, so automatic response systems have to take over that task. When an intrusion is identified, these components have to initiate appropriate actions to counter emerging threats. A firewall, on the other hand, can determine which traffic is allowed in and out of a network based on predefined rules, but firewalls and IDS lack interoperability.

In this thesis, the various intrusion response systems are first categorized and studied. Based on a summary of related studies, the thesis presents a common framework for a cooperative automated intrusion response system. The system is built mainly from three functional blocks: the intrusion detection component, the response decision component and the control center component. The intrusion detection component reduces the false alarm ratio and the false negative ratio through alert aggregation and alert correlation on raw alerts. The response decision component analyzes the response time and the response measures for an alert. Finally, the control center decides which measure to implement, for example dynamically modifying the firewall rules or sending e-mail to the security administrators. In this way attacks can be defended against more effectively and the network better protected. The experiment shows that the system fulfills its objectives, that is, a lower false alarm ratio and a higher response ability.
Keywords/Search Tags:Network Security, Automatic intrusion response, Response decision, Firewall