Research On Service-oriented Model Of Distributed Intrusion Detection System

Posted on: 2007-06-19
Degree: Master
Type: Thesis
Country: China
Candidate: F D Wang
Full Text: PDF
GTID: 2178360242961934
Subject: Computer system architecture
Abstract/Summary:
Current distributed intrusion detection systems (DIDS) are typically deployed in a fixed configuration and cannot keep up with the increasing size of the modern Internet. They also have drawbacks such as single points of failure and high response latency. To gain extensibility and lower response latency, P2P technology can be used to connect security components. However, using a P2P network alone to connect all components leaves each node with too many peers to communicate with, and the components cannot cooperate well with each other.

To solve these problems, the service-oriented concept is applied to DIDS, and SODIDS, a service-oriented, self-organizing DIDS model based on a P2P network, is proposed. SODIDS can be deployed in a large-scale network by using a multi-domain cooperation method. First, to avoid invalid connections and make cooperation more efficient, we analyze existing intrusion detection technology and divide security services using a coarse-grained, loosely coupled method. A simple service model is proposed; security components use it to choose cooperators and self-organize into a DIDS. Second, to let the system organize more quickly and with lower response latency, a multi-layer P2P network is proposed, which security components use to search for service information. The multi-layer P2P network does not allow all components to build the index layer; instead, it calculates every node's index capacity and chooses only some of them. A layer-balance factor is used to control the performance of the index layer. Finally, to make interaction among security components convenient, the system's intrusion detection is based on basic security events, and an implementation of a network-based security event detector is given.

The simulation shows that by carefully choosing the layer-balance factor, we can get lower latency for successful lookups and improve the efficiency of the service lookup procedure. As a result, the system can be organized more quickly and with lower response latency, which meets the design goal.
Keywords/Search Tags: Peer-to-Peer, Distributed Intrusion Detection System, Service-oriented, Self-organizing, Security cooperation