
The Design And Implementation Of A Distributed Intrusion Detection System Based On P2P Model

Posted on: 2008-09-18
Degree: Master
Type: Thesis
Country: China
Candidate: X Zhao
Full Text: PDF
GTID: 2178360215486032
Subject: Computer software and theory
Abstract/Summary:
Intrusion Detection Systems (IDS) are an important component of computer security architecture: they monitor malicious behaviour on hosts or networks and generate alerts about intrusions so that responses can be taken. The idea of a peer-to-peer distributed IDS, proposed in recent years, offers a solution to the efficiency and security problems of traditional distributed IDS. This paper proposes a new distributed IDS based on a P2P structure, named PIDS, which follows the IDS standard by adopting IDMEF as the uniform alert format. We implement a class library named JdomIDMEF, built on JDOM, as the conversion interface from the various alert formats to IDMEF, and implement the conversion of alerts generated by Snort. The communication protocol between peers in PIDS is also designed; the various communication messages are expressed in XML. We implement the protocol with the Java network API, so that local and remote peers can exchange their alerts and configure correlation rules with each other. PIDS includes correlation analysis of alerts from local and remote peers, combining three methods: clustering, fusion and causality correlation. Tests using the DARPA data set indicate that correlation analysis can reduce alert redundancy and reveal the causal relations between intrusions. Finally, the paper summarizes our work during design and development and discusses how to improve the system in the future.
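As an added illustration of the two mechanisms the abstract describes, the Snort-to-IDMEF conversion and the clustering step of correlation analysis, here is a small Python version built on the standard library; it is not the thesis' JdomIDMEF library (which is Java/JDOM), and the Snort alert lines, the analyzer id "pids-peer-1" and the Reference URL are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = "http://iana.org/idmef"  # IDMEF XML namespace (RFC 4765)
# Constructed Snort "fast" alert lines: sample data, not output of the thesis' system.
SNORT_ALERTS = [
    "09/18-12:00:01.000001  [**] [1:1000001:1] SAMPLE SCAN port sweep [**] "
    "[Classification: Attempted Recon] [Priority: 2] {TCP} 10.0.0.5:44321 -> 192.168.1.10:80",
    "09/18-12:00:01.500001  [**] [1:1000001:1] SAMPLE SCAN port sweep [**] "
    "[Classification: Attempted Recon] [Priority: 2] {TCP} 10.0.0.5:44322 -> 192.168.1.10:443",
    "09/18-12:00:05.000001  [**] [1:1000002:1] SAMPLE WEB path traversal [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:44400 -> 192.168.1.10:80",
]
FAST = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<pri>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_fast(line):
    """Return the fields of one Snort fast-format alert line, or None if it does not match."""
    m = FAST.match(line.strip())
    return m.groupdict() if m else None

def to_idmef(alert, analyzerid="pids-peer-1"):
    """Build an IDMEF-Message element for one parsed alert (analyzerid is a hypothetical peer id)."""
    q = lambda tag: f"{{{NS}}}{tag}"
    root = ET.Element(q("IDMEF-Message"), version="1.0")
    a = ET.SubElement(root, q("Alert"), messageid=f"snort-{alert['gid']}-{alert['sid']}-{alert['ts']}")
    ET.SubElement(a, q("Analyzer"), analyzerid=analyzerid, name="snort")
    ET.SubElement(a, q("DetectTime")).text = alert["ts"]  # Snort's local timestamp, kept verbatim
    for role, ip, port in (("Source", alert["src"], alert["sport"]), ("Target", alert["dst"], alert["dport"])):
        ep = ET.SubElement(a, q(role))
        addr = ET.SubElement(ET.SubElement(ep, q("Node")), q("Address"), category="ipv4-addr")
        ET.SubElement(addr, q("address")).text = ip
        svc = ET.SubElement(ep, q("Service"))
        ET.SubElement(svc, q("port")).text = port
        ET.SubElement(svc, q("protocol")).text = alert["proto"].lower()
    # Snort's gid:sid:rev identifies the rule; IDMEF carries it as a vendor-specific Reference.
    cls = ET.SubElement(a, q("Classification"), text=alert["msg"])
    ref = ET.SubElement(cls, q("Reference"), origin="vendor-specific")
    ET.SubElement(ref, q("name")).text = f"{alert['gid']}:{alert['sid']}:{alert['rev']}"
    ET.SubElement(ref, q("url")).text = "https://www.snort.org/"  # placeholder URL; no per-rule link here
    return root

def cluster(alerts):
    """Clustering step: merge alerts sharing signature, source and target into one meta-alert."""
    counts = Counter((al["sid"], al["src"], al["dst"]) for al in alerts)
    return [{"sid": k[0], "src": k[1], "dst": k[2], "count": n} for k, n in counts.items()]
```

Running `cluster` over the three constructed alerts collapses the two port-sweep alerts against the same target into one meta-alert with `count` 2, which is the redundancy reduction the abstract attributes to correlation analysis; `ET.tostring(to_idmef(alert), encoding="unicode")` gives the XML a peer would send.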
Keywords/Search Tags: distributed intrusion detection, peer-to-peer structure, IDMEF