
Implementation Of The Scanner Technique Based On CVE In Intrusion Detection System

Posted on: 2009-10-06
Degree: Master
Type: Thesis
Country: China
Candidate: P Song
GTID: 2178360245486479
Subject: Computer software and theory
Abstract/Summary:
As applications that depend on computer network resources become more and more important, the intrusion activities that threaten them have become one of the critical problems to be solved. Intrusion detection is a newer security technique that complements traditional protection technologies such as firewalls and data encryption. An intrusion detection system recognizes and responds to malicious use of computer network resources. It detects not only intrusions by external hackers but also unauthorized access by internal users.

At present, most signature-based intrusion detection systems draw their main incident detections from a network message detection engine and a host log detection engine. As a result, the intrusion detection system does not understand the state of the network it protects, and its incident detection ability depends on the completeness of the signature database, the accuracy of the signatures, and its protocol analysis capability. Consequently, the system lacks effective control and management of false-positive incidents.

To solve this problem, the thesis studied the technical features of present intrusion detection systems and scanners. Then, targeting the false-positive problem, it added a scanner module to the existing intrusion detection system and applied the CVE knowledge base to the scanner module's vulnerability database. It then designed an intrusion detection system that integrates the scanning technique based on the CVE knowledge base. Starting from the idea of understanding its own network, the improved intrusion detection system obtains current network status information through scanning and updates its configuration in real time as the system mode changes, so that the pattern-matching rules relate only to the current condition of the network. It then validates alarm accuracy against the scan results to reduce the false-positive rate and, to a certain extent, also raise the detection speed.
Keywords/Search Tags: Common vulnerabilities and exposures, Intrusion detection, Network security scanner, False positives
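The two steps the abstract describes, pruning rules to the scanned network and validating alarms against scan results keyed by CVE, sketched as an added example that is not code from the thesis. The data layout, function names, rule ids, addresses and CVE ids are constructed placeholders, and pruning by open port is an assumption about how "current network condition" is decided.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    sid: int    # signature id (constructed)
    cve: str    # CVE the signature detects exploitation of (placeholder id)
    port: int   # service port the signature applies to

@dataclass(frozen=True)
class Alert:
    sid: int
    dst_ip: str

# Constructed scanner output: host -> open ports and CVE ids the scanner found.
SCAN = {
    "10.0.0.5": {"ports": {22, 80}, "cves": {"CVE-0000-0001"}},
    "10.0.0.9": {"ports": {25}, "cves": set()},
}

RULES = [
    Rule(1001, "CVE-0000-0001", 80),
    Rule(1002, "CVE-0000-0002", 80),
    Rule(1003, "CVE-0000-0003", 445),
]

def active_rules(rules, scan):
    """Keep only rules whose service port is open on at least one scanned host."""
    open_ports = set().union(*(host["ports"] for host in scan.values()))
    return [r for r in rules if r.port in open_ports]

def validate_alert(alert, rules, scan):
    """Classify an alert using the scan result for the targeted host."""
    rule = next((r for r in rules if r.sid == alert.sid), None)
    host = scan.get(alert.dst_ip)
    if rule is None or host is None:
        return "unverified"             # no scan knowledge: cannot judge the alert
    if rule.cve in host["cves"]:
        return "confirmed"              # target is known vulnerable to this CVE
    return "likely_false_positive"      # target was scanned and the CVE was not found

if __name__ == "__main__":
    print([r.sid for r in active_rules(RULES, SCAN)])
    for a in (Alert(1001, "10.0.0.5"), Alert(1002, "10.0.0.5"), Alert(1001, "10.0.0.77")):
        print(a, validate_alert(a, RULES, SCAN))
```

Scan results age, so an alert marked `likely_false_positive` is better lowered in priority than dropped, and the scan should be refreshed whenever the host inventory changes.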