
Research And Implementation Of IPSs' Cooperation Protocol

Posted on: 2008-02-04, Degree: Master, Type: Thesis
Country: China, Candidate: S W Li
GTID: 2178360215476993, Subject: Computer system architecture
Abstract/Summary:
As network security threats become more sophisticated, security technologies must detect known attacks quickly and accurately and also identify unknown ones; moreover, a prompt and accurate response is essential. Accordingly, the concept of the IPS is replacing that of the IDS. But a single security method cannot accommodate this situation; cooperation among various security methods is the correct way forward.

The existing security technologies have some inherent disadvantages. Firewalls can prevent only exterior attacks and a limited range of attack types. IDS was designed to provide after-the-fact protection against already known attacks, but it lacks the ability to identify unknown attacks, and its M/P ratio is high to some extent. A honeypot (honeynet) lacks valid detection methods and is at risk of being detected and made use of by attackers, which leads to tradeoffs between privilege and control of data access.

After an analysis of these disadvantages, some corresponding attacks are introduced, such as fragment attacks, Trojans and backdoors, DDoS and botnets, which are the main issues of current network security. Although some of these attacks can be dealt with by improving current security technologies, a better solution can be achieved through cooperation among different security technologies, which leads to the concept of IPS. The IPS discussed in this paper consists of a firewall, IDS and honeypot (honeynet), and aims to take advantage of all these security technologies via cooperation.

A common communication protocol is essential during the cooperation. An integrated communication protocol mainly includes: selection and representation of communication objects, a reliable communication channel and a secure communication process. Some specific protocols have been put forward, among which CIDF is the representative. After some disadvantages of this framework are discussed, a common communication protocol is proposed which aims to accommodate the cooperation within and among IPSs.

Unlike the existing protocols, a multi-layer model is applied. The whole communication process is divided into two layers: communications inside different IPS modules and cooperation among IPSs. The former is based on GIDO events, while the latter is based on detection rules; the former is macroscopic, while the latter is microscopic; the former emphasizes the speed and bandwidth of communication, while the latter focuses on the reliability and correctness of communication.

The realization of the IPS is not the main issue of this paper. Assuming the communication object is auto-generated, an algorithm is proposed to solve the multi-judgement and rule-merging issue during the communication, which is also carried out under some specific circumstances.
Keywords/Search Tags:IPS, CIDF, Cooperation, Standardisation