
A Research On Protocol Analysis-based Hybrid IDS

Posted on: 2009-04-03
Degree: Master
Type: Thesis
Country: China
Candidate: H G Yang
Full Text: PDF
GTID: 2178360245496405
Subject: Computer software and theory
Abstract/Summary:
The problem of network security has become a great threat to the application, management and development of computer networks; the more frequently network intrusions occur, the greater the loss to people and to society. Under such circumstances the intrusion detection system (IDS) has emerged as a new kind of security safeguard technology, following conventional network defence technologies such as firewalls, data encryption and access control. Intrusion detection is an active network defence technology that provides a system with real-time protection against inner attacks, outer attacks and misuse of operation. It can not only detect intrusions from outside, but also supervise the unauthorized operations of inner users.

With the emergence of high-bandwidth network technologies, IDS now faces tremendous challenges: how to ensure that the IDS processes and analyzes large numbers of data packets in a timely and efficient way; how to reduce or avoid the loss of data packets; how to strengthen the self-defence of the IDS against attacks; and how to improve the accuracy and the efficiency of the system at the same time. These are the problems that remain to be solved in the field of IDS.

This article mainly discusses the design and realization of a kind of intrusion detection system based on protocol analysis, by studying and analyzing the relevant background, intrusion detection technologies and the use of protocol analysis in intrusion detection, with the aim of settling the problems of IDS mentioned above. The main work of this article is as follows:

1) Design of the framework of a distributed intrusion detection system that integrates both HIDS and NIDS, analyzing not only audit logs and system logs but also raw network data flow; such a framework can detect all-around intrusions and attacks against the system. In this system the subsystems of the lower layer finish their detection tasks independently, which not only avoids the low detection efficiency of centralized systems but also lightens the load of the main control subsystem. The independent running of each subsystem eliminates the problem of a single point of failure. Adding a new HIDS or NIDS subsystem needs only a registration with the main control subsystem, which shows the flexible deployment and good extensibility of the system. The main control subsystem monitors and controls the running of the whole system globally and detects more complicated intrusions and attacks; failure of the main control subsystem does not affect the functions of the lower layers, and neither does the failure of one of the lower-layer subsystems.

2) The design and accomplishment of an efficient and portable distributed data-capturing component. Replacing centralized data capture with distributed data capture greatly increases the efficiency of data collection.

3) The design and realization of the distributed network intrusion detection subsystem, which uses load-balancing technology based on application-layer protocol type, sending the mass of protocol-analyzed network packets to different intrusion detection engines to improve detection efficiency and remove the bottleneck of a centralized detection system.
① The design and realization of the protocol analysis module, IP fragment reassembly and TCP flow reassembly. Improving packet analysis through protocol analysis increases detection efficiency.
② The design and realization of the distributed intrusion detection engine, which detects intrusions in a distributed way using protocol analysis and other advanced techniques. Firstly, the load-balancing algorithm based on application-layer protocol type was improved by adding data for new protocol types and improving the processing flow of the algorithm, and the idea of sending UDP packets to different detection engines according to their application-layer protocol type is put forward; secondly, by analogy with the TCP connection event, the UDP 'connection event' is proposed in this article; thirdly, the establishment flow and the intrusion detection flow of both the TCP connection event and the UDP 'connection event' were designed according to the protocol types of the packets and the characteristics of their implementation.
③ The improvement of the system's intrusion detection flow. A variance analysis algorithm is used to detect abnormal data flow in the system while packets are distributed to the intrusion detection engines by load balancing based on application-layer protocol type. For every packet sent to a detection engine, the validity of the single packet is tested first; then a TCP connection event or a UDP 'connection event' is built according to the packet's protocol type; afterwards, potential and more complicated intrusions and attacks are detected using misuse and anomaly detection techniques according to the establishment flow and intrusion detection flow mentioned above.

4) The design and realization of the host intrusion detection subsystem. In this article we propose detecting the raw network data flow whose destination IP address equals the IP address of the host itself, which improves the detection scope, real-time performance and efficiency of the HIDS subsystem.

5) The design and realization of the main control system. After the intrusion detection engines of the lower layers send formatted intrusion data to the main control module, it uses a correlation detection algorithm to check whether there were intrusions and attacks aimed at the whole system.

Finally, experiments were carried out in a LAN, and the different experimental results were analyzed and compared.
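The abstract describes the NIDS pipeline only at a high level: packets are classified by application-layer protocol, load-balanced across detection engines, checked for single-packet validity, grouped into TCP connection events and UDP 'connection events', and a variance analysis flags abnormal data flow. The following Python script is an added illustration of that pipeline, not code from the thesis. The port-to-application table, the engine pools, the TCP state names, the UDP idle timeout and the z-score threshold are all assumptions made here, and the packet capture it runs on is constructed inline.

```python
import zlib
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flag letters, e.g. "S", "SA", "A", "F", "R"
    length: int = 0


# Assumed mapping of well-known ports to application-layer protocol names.
APP_BY_PORT = {80: "http", 443: "https", 25: "smtp", 21: "ftp", 22: "ssh", 53: "dns", 123: "ntp"}

# Assumed engine pools per application type; engine ids are arbitrary labels.
ENGINE_POOLS = {"http": [0, 1], "https": [0, 1], "dns": [2], "ntp": [2], "default": [3]}


def classify(pkt):
    """Application-layer type, decided from whichever side uses a known port."""
    return APP_BY_PORT.get(pkt.dport) or APP_BY_PORT.get(pkt.sport) or "default"


def flow_key(pkt):
    """Direction-independent 5-tuple so both halves of a conversation share one key."""
    lo, hi = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, lo, hi)


def choose_engine(pkt, pools=ENGINE_POOLS):
    """Load balancing by application type: pick an engine from the type's pool.
    Hashing the bidirectional flow key (CRC32, stable across runs) keeps every
    packet of one connection on the same engine, which event tracking needs."""
    pool = pools.get(classify(pkt), pools["default"])
    return pool[zlib.crc32(repr(flow_key(pkt)).encode()) % len(pool)]


def valid(pkt):
    """Single-packet sanity test performed before any connection event is built."""
    ports_ok = 0 < pkt.sport <= 65535 and 0 < pkt.dport <= 65535
    flags_ok = pkt.proto == "tcp" or pkt.flags == ""   # UDP carries no TCP flags
    return pkt.proto in ("tcp", "udp") and ports_ok and flags_ok and pkt.length >= 0


class ConnectionTracker:
    """Builds TCP connection events and UDP 'connection events' for one engine."""
    UDP_IDLE = 30.0   # assumed idle time (seconds) after which a UDP event is restarted

    def __init__(self):
        self.events = {}   # flow_key -> {"state", "packets", "first", "last"}
        self.alerts = []   # (reason, packet)

    def observe(self, pkt):
        if not valid(pkt):
            self.alerts.append(("invalid-packet", pkt))
            return None
        key = flow_key(pkt)
        ev = self.events.get(key)
        if pkt.proto == "udp":
            # UDP has no handshake: the first datagram of a 5-tuple opens the event.
            if ev is None or pkt.ts - ev["last"] > self.UDP_IDLE:
                ev = self.events[key] = {"state": "udp-open", "packets": 0, "first": pkt.ts, "last": pkt.ts}
        elif ev is None:
            if "S" in pkt.flags and "A" not in pkt.flags:
                ev = self.events[key] = {"state": "syn-sent", "packets": 0, "first": pkt.ts, "last": pkt.ts}
            else:   # data or ACK with no handshake seen: not a legitimate connection event
                self.alerts.append(("tcp-without-handshake", pkt))
                return None
        else:
            ev["state"] = self._tcp_next(ev["state"], pkt.flags)
        ev["packets"] += 1
        ev["last"] = pkt.ts
        return ev["state"]

    @staticmethod
    def _tcp_next(state, flags):
        if "R" in flags:
            return "reset"
        if "F" in flags:
            return "closing"
        if state == "syn-sent" and "S" in flags and "A" in flags:
            return "syn-received"
        if state == "syn-received" and "A" in flags:
            return "established"
        return state


def variance_anomalies(packets, window=1.0, k=2.0):
    """Variance analysis: per-source packet counts per time window; a source more
    than k standard deviations above the window mean is reported as abnormal flow."""
    counts = defaultdict(lambda: defaultdict(int))
    for p in packets:
        counts[int(p.ts // window)][p.src] += 1
    flagged = []
    for w, per_src in sorted(counts.items()):
        if len(per_src) < 3:
            continue
        vals = list(per_src.values())
        mean, sd = statistics.mean(vals), statistics.pstdev(vals)
        flagged += [(w, s, n) for s, n in per_src.items() if sd and (n - mean) / sd > k]
    return flagged


def run(packets, pools=ENGINE_POOLS):
    """Dispatch each packet to its engine, build events there, then run the variance test."""
    trackers = {}
    for pkt in packets:
        trackers.setdefault(choose_engine(pkt, pools), ConnectionTracker()).observe(pkt)
    events, alerts = {}, []
    for t in trackers.values():
        events.update(t.events)
        alerts.extend(t.alerts)
    return {"events": events, "alerts": alerts, "anomalies": variance_anomalies(packets)}


def build_sample_packets():
    """Constructed capture: one HTTP connection, one DNS exchange, a stray ACK,
    a malformed datagram and a burst of 20 DNS datagrams from one source."""
    http = [Packet(0.10, "tcp", "10.0.0.1", 40000, "10.0.0.2", 80, "S"),
            Packet(0.11, "tcp", "10.0.0.2", 80, "10.0.0.1", 40000, "SA"),
            Packet(0.12, "tcp", "10.0.0.1", 40000, "10.0.0.2", 80, "A"),
            Packet(0.13, "tcp", "10.0.0.1", 40000, "10.0.0.2", 80, "A", 120),
            Packet(0.20, "tcp", "10.0.0.1", 40000, "10.0.0.2", 80, "F")]
    dns = [Packet(0.30, "udp", "10.0.0.5", 5353, "10.0.0.53", 53, "", 40),
           Packet(0.31, "udp", "10.0.0.53", 53, "10.0.0.5", 5353, "", 90)]
    stray = [Packet(0.40, "tcp", "10.0.0.9", 5555, "10.0.0.1", 22, "A"),
             Packet(0.41, "udp", "10.0.0.9", 1, "10.0.0.1", 53, "S")]
    burst = [Packet(0.5 + i * 0.01, "udp", "10.0.0.77", 20000 + i, "10.0.0.1", 53, "", 60) for i in range(20)]
    return http + dns + stray + burst


if __name__ == "__main__":
    result = run(build_sample_packets())
    print(len(result["events"]), "events;", result["alerts"], result["anomalies"])
```

The point of hashing the bidirectional flow key rather than round-robin dispatch is visible in the tracker: the SYN-ACK travels in the reverse direction, and if it landed on a different engine no engine would ever see a complete handshake.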
Keywords/Search Tags:network security, intrusion detection, protocol analysis, intrusion event, DIDS