A CPN Based Hierarchical Intrusion Detection System

Posted on: 2006-12-08
Degree: Master
Type: Thesis
Country: China
Candidate: X Wu
Full Text: PDF
GTID: 2178360212982942
Subject: Computer software and theory
Abstract/Summary:
With the development of computer networks, complex attacks have evolved from simple, isolated ones. In network security practice, however, traditional IDSs (intrusion detection systems) suffer from two sources of false negatives. On the one hand, limited by current IDS architectures and detection techniques, complex attacks are likely to remain hidden in the large volume of alerts and cannot be detected effectively. On the other hand, an IDS that audits traffic at the IP layer cannot reassemble application-layer data correctly and can be evaded by sophisticated attackers.

The research in this thesis addresses these two problems. After analyzing the theory of network attack description, a hierarchical ID (intrusion detection) model is proposed, and detection techniques at the TCP layer are employed to limit evasion by sophisticated attacks. The IDS is enhanced in three respects: architecture, attack description theory and anti-evasion technique. A prototype system was implemented and applied in the "Active Firewall" project. The main contributions are:

1) A hierarchical ID model. This intrusion detection model employs CPN (Colored Petri Net) to construct templates for complex attacks. The principles of the model and its hierarchical construction method are presented in detail. As a solution to the first false-negative problem mentioned above, attack patterns and their taxonomy are discussed, and a hierarchical ID model for detecting complex attacks is drawn up in detail.

2) A Colored Petri Net based IDS. Given an attack template drawn as a CPN, the techniques for translating the CPN into an IDS component are discussed. Based on an analysis of two available CPN automaton techniques, the thesis implements a CPN-based IDS prototype in which the transitions express the detection logic. The thesis also discusses how to choose the key parameters and summarizes the characteristics of the prototype system.

3) Implementation of intrusion detection at the TCP layer. To counter the second false-negative problem, IP defragmentation and TCP flow reassembly components are developed based on an analysis of the behavior of the Linux kernel TCP/IP stack. How this detection technique is applied in the development of the prototype system is also discussed.
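The following is an added worked example, not code from the thesis or the "Active Firewall" project, illustrating contributions 2) and 3) together: a TCP-stream reassembler that exposes a signature an attacker has split across out-of-order segments, and a small colored Petri net template whose transitions carry the detection logic and whose token color (source, destination) links two low-level events into one complex attack. The signature, IP addresses, segment contents and event stream are constructed for illustration, and the "first received wins" overlap policy is an assumption of the example, not a description of the thesis's implementation.

```python
"""Added example (not the thesis's code): a TCP-stream reassembler feeding a
small colored Petri net (CPN) attack template. Names, signature and traffic
are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# ---- Part 1: TCP-layer reassembly (the anti-evasion component) -------------

def reassemble_stream(first_seq: int, segments: List[Tuple[int, bytes]]) -> bytes:
    """Rebuild the contiguous byte stream starting at first_seq.

    Segments may arrive out of order or overlap. Overlaps resolve as
    "first received wins" (an assumption of this example: a real IDS must
    mirror the overlap policy of the monitored host's stack, otherwise the
    policy difference itself becomes an evasion)."""
    byte_at: Dict[int, int] = {}
    for seq, payload in segments:
        for i, b in enumerate(payload):
            byte_at.setdefault(seq + i, b)
    out = bytearray()
    pos = first_seq
    while pos in byte_at:            # stop at the first hole in the stream
        out.append(byte_at[pos])
        pos += 1
    return bytes(out)

SIGNATURE = b"GET /cgi-bin/../../etc/passwd"   # constructed signature

def per_packet_hit(segments: List[Tuple[int, bytes]]) -> bool:
    """What a packet-at-a-time IDS sees: each segment inspected alone."""
    return any(SIGNATURE in payload for _, payload in segments)

def stream_hit(first_seq: int, segments: List[Tuple[int, bytes]]) -> bool:
    """What a TCP-layer IDS sees: the reassembled stream."""
    return SIGNATURE in reassemble_stream(first_seq, segments)

# Constructed capture: the attacker splits the signature across two segments
# and sends the second half first (seq 1001 + 13 bytes -> next seq 1014).
SEGMENTS = [
    (1014, b"../../etc/passwd HTTP/1.0\r\n\r\n"),
    (1001, b"GET /cgi-bin/"),
]

# ---- Part 2: a colored Petri net template for a two-stage attack -----------

@dataclass(frozen=True)
class Token:
    """Token color = the (src, dst) pair the token was bound to."""
    src: str
    dst: str

Event = Dict[str, str]
Guard = Callable[[Event, Optional[Token]], bool]

class ColoredPetriNet:
    """Places hold colored tokens. A transition (in_place, out_place, guard)
    moves a token whose color satisfies the guard; in_place None means the
    transition creates a new token colored by the event itself."""

    def __init__(self, places: List[str]) -> None:
        self.marking: Dict[str, Set[Token]] = {p: set() for p in places}
        self.transitions: List[Tuple[Optional[str], str, Guard]] = []

    def add_transition(self, in_place: Optional[str], out_place: str, guard: Guard) -> None:
        self.transitions.append((in_place, out_place, guard))

    def fire(self, event: Event) -> List[Tuple[str, Token]]:
        """Fire every enabled transition for one event; return (place, token)
        for each token that moved."""
        moved: List[Tuple[str, Token]] = []
        for in_place, out_place, guard in self.transitions:
            if in_place is None:
                if guard(event, None):
                    tok = Token(event["src"], event["dst"])
                    self.marking[out_place].add(tok)
                    moved.append((out_place, tok))
                continue
            for tok in list(self.marking[in_place]):
                if guard(event, tok):
                    self.marking[in_place].discard(tok)
                    self.marking[out_place].add(tok)
                    moved.append((out_place, tok))
        return moved

def scan_then_exploit_template() -> ColoredPetriNet:
    net = ColoredPetriNet(["scanned", "compromised"])
    # Stage 1: a port scan binds a fresh token to (src, dst).
    net.add_transition(None, "scanned", lambda e, _t: e["type"] == "port_scan")
    # Stage 2: a web exploit advances the token only if the color matches,
    # i.e. same attacker against same target. That color test is what links
    # two otherwise unrelated low-level alerts into one complex attack.
    net.add_transition("scanned", "compromised",
                       lambda e, t: e["type"] == "web_exploit"
                       and (t.src, t.dst) == (e["src"], e["dst"]))
    return net

def low_level_events() -> List[Event]:
    """Constructed event stream from the lower detection layer. The final
    event is produced by the stream-level signature match on SEGMENTS."""
    events: List[Event] = [
        {"type": "port_scan", "src": "10.0.0.5", "dst": "10.0.0.80"},
        {"type": "web_exploit", "src": "10.0.0.9", "dst": "10.0.0.80"},  # no prior scan from .9
    ]
    if stream_hit(1001, SEGMENTS):
        events.append({"type": "web_exploit", "src": "10.0.0.5", "dst": "10.0.0.80"})
    return events

def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Run the template over the events; return (src, dst) per complex attack."""
    net = scan_then_exploit_template()
    found: List[Tuple[str, str]] = []
    for e in events:
        for place, tok in net.fire(e):
            if place == "compromised":
                found.append((tok.src, tok.dst))
    return found

if __name__ == "__main__":
    print("per-packet:", per_packet_hit(SEGMENTS), " stream:", stream_hit(1001, SEGMENTS))
    print("complex attacks:", detect(low_level_events()))
```

Run as written: the per-packet check misses the split signature while the stream check finds it, and the template reports only 10.0.0.5, whose exploit was preceded by a scan with the same token color, not 10.0.0.9. The reassembler buffers whole bytes in a dictionary for clarity only; a production component needs bounded buffers, timeouts and the exact overlap and hole-handling policy of the stack it protects.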
Keywords/Search Tags:Network Security, Intrusion Detection, Hierarchical Intrusion Detection, Colored Petri Net