
IAP Protocol And Its Application In The Intrusion Detection System

Posted on: 2009-02-01
Degree: Master
Type: Thesis
Country: China
Candidate: Y C Feng
Full Text: PDF
GTID: 2178360272976500
Subject: Software engineering

Abstract/Summary:
The successful application of the TCP/IP protocol has connected computers and networks all over the world into an open global network system, the Internet. The security state of the Internet, however, is not optimistic. With the development of e-business, e-government and finance, more and more participants with different backgrounds and motivations have joined the Internet environment; as in real society, all kinds of criminal behavior occur constantly, and the Internet is no longer the original network whose main purpose was education and research. The Internet has become the main object of attack, and the rate at which its security holes appear has already far outpaced the growth of the network itself. With the development and application of information technology, information security has become more and more important. Its scope has been extended constantly, from the original concern of information confidentiality to information integrity, availability, controllability and non-repudiation, and has further developed to cover attack, defense, detection, control, management and assessment, which form its basic theory and implementation technologies. The study of information security has developed along with the popularity and development of the computer, and the complicated security state of the network also plays a very important role in driving this research. The study of firewalls, intrusion detection systems and cryptography has progressed vigorously; the main content of this paper is the intrusion detection system (IDS). An IDS monitors information from the computer system, analyzes it, detects intrusion activities and then makes corresponding responses. The information an IDS examines includes system logs, network traffic, application logs and so on.
An intrusion is defined as any activity in which an unauthorized user uses the computer, or a legal user misuses it, damaging or attempting to damage the integrity, confidentiality or availability of a resource. An IDS is the hardware and software that carry out the function of intrusion detection. The IDS is based on the assumption that intrusion activities differ in significant ways from normal activities, so that intrusions can be detected. Research on IDS started in the 1980s; in the 1990s IDS became a focus of research and application, and many research prototypes and commercial products appeared in this period. The IDS is a supplement to the intrusion defense system in function, not a substitute for it. On the contrary, the IDS cooperates with these systems and detects attack activities that may escape the intrusion defense system. The IDS is the second line of defense for computer system security and network security. Because of the complexity of the network, in order to find attacks accurately, alerts must be exchanged among the components of a distributed intrusion detection system and among different IDS systems, so a network protocol is needed to do this job. The first communication protocol in this field is the IAP protocol. The IDWG announced the draft "draft-ietf-idwg-iap-01" in January 2000, which describes the IAP protocol in detail. The Intrusion Alert Protocol exchanges alerts among the different elements of an IDS, especially among the sensor, analyzer and manager, at the application layer. IAP is independent of the data representation and ensures the integrity and security of data transmission; all this allows the related data to be transmitted over high-speed IP networks. As an underlying transport mechanism, IAP can be used by many IP services.
In the implementation of this system, IAP is used to carry alerts from the sensor, which detects intrusions, and the analyzer to the manager, and the security of IAP is realized through the TLS handshake protocol. The lower-layer transmission module of co-detection is implemented in the C programming language and provides an interface for the upper layer to call. The design is based on IAP and TLS: it runs over the TCP protocol and uses TLS 1.0 as the basis of its security certification. The lower-layer data transmission is divided into four parts: Protocol Setup, Security Setup (upgrade), Secured data transport and Termination.

(1) Protocol Setup. First, both the server and the client create an ordinary TCP link through sockets. Then the two sides exchange the transmission parameters produced when the IAP link is created, in the form of "request/response". At the beginning the client sends an "iap_connect_request" command to the server, and the corresponding IAP server sends an "iap_response" reply; depending on whether the link is accepted, different state parameters are set in the "iap_response".

(2) Security Setup. After the initialization of the protocol, a "request/response" pair is used to finish the security upgrade of the transmission link. After receiving the "iap_response" command, the client sends an "iap_upgrade_request" command. Meanwhile, after sending the "iap_response" command, the server waits for the "iap_upgrade_request" command; if the server does not receive the upgrade command or another command within the time limit, the link is broken off. If the server has received the command, it sends an "iap_response" command. If the server accepts the security upgrade, a TLS handshake takes place between the two sides. During the TLS handshake the client first queries the certificate to make sure whether it exists; if the certificate exists, the client verifies it to decide whether the certificate can be trusted. Then the server performs the same authentication of the client. If this authentication also succeeds, the whole initialization and security certification have been accomplished, and the secure communication channel between the server and the client can be used to transmit alerts.

(3) Secured data transport. According to the specified message format, the encoded alerts are sent from the client to the server. The transmitted data is encoded in XML.

(4) Termination. Either side of the connection can break off the link with the normal "close_notify".

This paper is based on the structure of IAP and the iap0.3 protocol standard. It designs and implements a function library for the IAP protocol; the development environment of the library is the GNU/Linux operating system (Ubuntu) and the development language is C. The library implements the functions of the protocol standard from the creation of the connection and the transmission of data to the disconnection of the link. This paper implements only the content of the IAP protocol standard, not the IAP proxy function.
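The four-phase exchange described above, modelled as a server-side state machine plus a client driver that walks one whole session; this is a constructed example for this page, not the thesis's C library. The command strings are the ones the abstract names; the "tls_handshake_ok" marker standing in for the completed TLS handshake, the "accept" word in the response, and the reply/timeout parameters are assumptions of the model.

```c
/* Constructed model of the IAP session phases (not the thesis's library):
 * TCP link -> iap_connect_request/iap_response -> iap_upgrade_request/iap_response
 * -> TLS handshake -> XML alerts -> close_notify. "tls_handshake_ok" is assumed. */
#include <stdio.h>
#include <string.h>

enum iap_state { IAP_TCP_OPEN, IAP_CONNECTED, IAP_UPGRADE_PENDING,
                 IAP_SECURED, IAP_CLOSED, IAP_FAILED };
/* One server-side step: consume a client command (or a timeout), write the
 * command the server answers with into reply ("" if none), return new state. */
enum iap_state iap_server_step(enum iap_state s, const char *cmd, int timed_out,
                               char *reply, size_t n)
{
    reply[0] = '\0';
    if (s == IAP_CONNECTED && timed_out) return IAP_FAILED; /* upgrade request too late */
    switch (s) {
    case IAP_TCP_OPEN:                           /* (1) Protocol Setup */
        if (strcmp(cmd, "iap_connect_request") != 0) return IAP_FAILED;
        snprintf(reply, n, "iap_response accept");
        return IAP_CONNECTED;
    case IAP_CONNECTED:                          /* (2) Security Setup */
        if (strcmp(cmd, "iap_upgrade_request") != 0) return IAP_FAILED;
        snprintf(reply, n, "iap_response accept");
        return IAP_UPGRADE_PENDING;              /* TLS handshake follows */
    case IAP_UPGRADE_PENDING:                    /* both certificates verified */
        return strcmp(cmd, "tls_handshake_ok") == 0 ? IAP_SECURED : IAP_FAILED;
    case IAP_SECURED:                            /* (3) transport, (4) termination */
        if (strcmp(cmd, "close_notify") == 0) return IAP_CLOSED;
        return cmd[0] == '<' ? IAP_SECURED : IAP_FAILED;  /* XML-encoded alerts only */
    default:
        return IAP_FAILED;
    }
}

/* Client (sensor/analyzer) side driving one whole session; returns final state. */
enum iap_state iap_run_session(const char *xml_alert)
{
    const char *script[] = { "iap_connect_request", "iap_upgrade_request",
                             "tls_handshake_ok", xml_alert, "close_notify" };
    char reply[64];
    enum iap_state s = IAP_TCP_OPEN;             /* ordinary TCP socket is open */
    for (size_t i = 0; i < sizeof script / sizeof script[0]; i++) {
        s = iap_server_step(s, script[i], 0, reply, sizeof reply);
        if (s == IAP_FAILED) break;
        /* the client continues past a setup step only after seeing iap_response */
        if (i < 2 && strncmp(reply, "iap_response", 12) != 0) return IAP_FAILED;
    }
    return s;
}
```

An alert arriving before the security upgrade, or no upgrade request within the server's time limit, ends the session in IAP_FAILED, matching the abstract's rule that data flows only over the TLS-secured channel.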
Keywords/Search Tags: Information security, Intrusion Alert Protocol, Transport Layer Security Protocol