Research On Distributed Intrusion Detection System Based On Mobile Agent

Posted on: 2010-12-29
Degree: Master
Type: Thesis
Country: China
Candidate: S Li
Full Text: PDF
GTID: 2178360278462387
Subject: Computer system architecture
Abstract/Summary:
With the increasing demand for Internet security, traditional firewalls and intrusion detection technology based on a single computer cannot meet the demands of intrusion defense, and distributed intrusion detection technology will become a critical research direction. However, traditional distributed intrusion detection models have some disadvantages, such as higher network bandwidth consumed by transferring data, longer response times, poorer scalability, and the single point of failure problem. On the other hand, as a newly rising technology in the current computer science field, mobile agent technology has brought a revolution to distributed computing because of its mobility and autonomy. With the development and application of intrusion detection technology, mobile agent technology will be increasingly applied in distributed intrusion detection.

First, existing research conclusions are reviewed in this thesis. Relevant distributed systems, some key technologies, and the basic concepts and system configuration of mobile agents are introduced. The advantages of introducing mobile agent technology into intrusion detection are summarized, and current typical mobile agent systems are analyzed. In the model proposed in this thesis, the network is divided into domains, and a domain-based distributed intrusion detection model using mobile agents is put forward. In this model, the division into static agents and mobile agents reduces the extra network load of processing audit data; the division into domains eliminates the problem of single-point failure of the system and makes the system easy to extend; and the cooperative detection of the whole system, distributed across each domain management server, avoids the disadvantages of an intensive calculation load.
Based on the detection model, the fault-tolerant model and algorithm are improved. When a domain management server fails, the static agents and mobile agents of this domain will join a management server in another domain to carry out their mission. This improves the reliability of the system.

The current misuse intrusion detection algorithm based on the principle of FPN inference is also discussed. To improve the performance of the inference calculation, a new algorithm is proposed. Compared with the current algorithm, it has greater generality and speed. On the basis of this algorithm, an improved algorithm based on an intrusion alarm threshold value is proposed and analyzed.

To verify the algorithm, experiments comparing the MYCIN algorithm and the proposed algorithms are carried out. The results show that the algorithms put forward in this thesis perform better than the MYCIN algorithm, and that the improved algorithm based on the intrusion alarm threshold value performs better than the FPN algorithm.

Finally, network data are extracted using Snort. The prototype system based on the proposed algorithms is implemented and tested on the IBM Aglets mobile agent platform. The execution results show that the system can detect distributed scanning, and that the static agents and mobile agents of a domain can join a management server in another domain to carry out their mission when a domain management server fails.
Keywords/Search Tags: Mobile Agent, Intrusion Detection, Fault Tolerant, Fuzzy Petri Nets, Distributed