
Research Of Intrusion Detection Alarm Message Based On XML

Posted on: 2010-07-05
Degree: Master
Type: Thesis
Country: China
Candidate: Z H Hu
Full Text: PDF
GTID: 2178360275962603
Subject: Computer application technology
Abstract/Summary:
Today the network is more and more popular. People use the network not only for learning but also in daily life and work, and they enjoy the convenience and speed it brings them; at the same time, more and more people are concerned about security, so network security is the first thing people think about. Threats have become one of the critical problems to be resolved. Intrusion detection is a new kind of security technique, apart from traditional protection technologies such as firewalls and data encryption. IDSs watch computer and network traffic for intrusive and suspicious activities; they detect intrusions by external hackers as well as unauthorized access by internal users. With the development of technology, network technology is highly developed today and the hackers' attack methods have changed greatly; they use many different ways to do things, so a single IDS cannot deal with the situation a network faces. IDSs often lack interoperability with each other. Different security equipment vendors have their own product standards, so different security products cannot communicate and collaborate effectively, which brings great trouble to security management. Traditional intrusion detection methods can no longer meet the requirements.

In this article we present an intrusion detection model based on XML, because XML has many advantages, the biggest of which are data exchange and platform independence. It takes the Intrusion Detection Message Exchange Format (IDMEF), proposed by the IDWG, as its standard, and then studies the XML messages used in the model. The article first introduces the XML language and related technologies, then analyzes intrusion detection technologies and related concepts, the development of intrusion detection technology and distributed technology, and their main advantages and disadvantages.

Then we study the IDMEF proposed by the IDWG: the basic information of IDMEF, the relationship between IDMEF and XML, the data types in an IDMEF message, and how to handle character data. Last, we study how to create an XML document that meets the IDMEF standard to describe an alarm. Finally, in the last and most important part of the article, we describe the model in detail. First, the attack information is received from the IDS and the messages are made to conform to the IDMEF standard. Then a similarity method is used to classify the messages into four categories: finding, scanning, denial of service, and privilege escalation, and the messages of each category are saved in separate tables. Then the messages are divided into three categories according to the differences in time, source address, etc.; duplicate and complicated relationships are easy to determine and aggregate, so the aggregation module greatly reduces the number of messages. A hyperalert is generated from the messages that have neither a duplicate nor a complicated relationship. Finally, the correlation analysis module identifies potential relationships to expand the rule base. The intrusion detection model based on the Intrusion Detection Message Exchange Format, which uses XML documents to transport the alarms, has several advantages: first, the module can rapidly aggregate the messages in a classified way; second, through the correlation analysis module we can find the potential relationships between attacks so as to extend the rule base.
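As an added illustration (not code from the thesis) of the pipeline just described, the Python below parses constructed IDMEF alerts, assigns each to one of the four categories with an assumed keyword rule standing in for the thesis's similarity measure, and merges duplicates (same category and source address within a time window) into hyperalerts; the namespace and element layout follow RFC 4765.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"idmef": "http://iana.org/idmef"}  # IDMEF namespace (RFC 4765)

# Constructed sample (not from the thesis): two scan alerts from one source 30 s apart, plus one DoS alert.
SAMPLE_ALERTS = """<IDMEF-Message xmlns="http://iana.org/idmef">
 <Alert messageid="1"><CreateTime>2010-07-05T10:00:00Z</CreateTime><Source><Node><Address category="ipv4-addr">
  <address>192.0.2.10</address></Address></Node></Source><Classification text="portscan detected"/></Alert>
 <Alert messageid="2"><CreateTime>2010-07-05T10:00:30Z</CreateTime><Source><Node><Address category="ipv4-addr">
  <address>192.0.2.10</address></Address></Node></Source><Classification text="portscan detected"/></Alert>
 <Alert messageid="3"><CreateTime>2010-07-05T10:05:00Z</CreateTime><Source><Node><Address category="ipv4-addr">
  <address>198.51.100.7</address></Address></Node></Source><Classification text="SYN flood"/></Alert>
</IDMEF-Message>"""

# Keyword classifier for the four categories in the abstract (keywords assumed; the thesis uses a similarity measure).
CATEGORY_KEYWORDS = {
    "scanning": ("scan", "sweep"),
    "denial of service": ("flood", "dos"),
    "privilege escalation": ("root", "privilege"),
}

def classify(text):
    low = text.lower()
    for category, words in CATEGORY_KEYWORDS.items():
        if any(w in low for w in words):
            return category
    return "finding"  # everything else falls into the "finding" bucket

def parse_alerts(xml_text):
    """Extract id, creation time, source address and category from each IDMEF Alert."""
    alerts = []
    for a in ET.fromstring(xml_text).findall("idmef:Alert", NS):
        when = datetime.strptime(a.findtext("idmef:CreateTime", namespaces=NS), "%Y-%m-%dT%H:%M:%SZ")
        src = a.findtext("idmef:Source/idmef:Node/idmef:Address/idmef:address", namespaces=NS)
        cat = classify(a.find("idmef:Classification", NS).get("text"))
        alerts.append({"id": a.get("messageid"), "time": when, "src": src, "category": cat})
    return alerts

def aggregate(alerts, window=timedelta(minutes=1)):
    """Merge alerts with the same category and source within `window` into one hyperalert."""
    hyper = []
    for al in sorted(alerts, key=lambda x: x["time"]):
        for h in hyper:  # duplicate relationship: same category, same source, close in time
            if h["category"] == al["category"] and h["src"] == al["src"] and al["time"] - h["last"] <= window:
                h["count"] += 1; h["ids"].append(al["id"]); h["last"] = al["time"]
                break
        else:  # no duplicate found: this alert starts a new hyperalert
            hyper.append({**al, "last": al["time"], "count": 1, "ids": [al["id"]]})
    return hyper
```

Running `aggregate(parse_alerts(SAMPLE_ALERTS))` collapses the three sample alerts into two hyperalerts, one scanning hyperalert covering messages 1 and 2 and one denial-of-service hyperalert.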
Keywords/Search Tags: Intrusion Detection, XML, IDMEF, Information Polymerization