Research On Snort-based Distributed Intrusion Detection System

Posted on: 2010-01-29
Degree: Master
Type: Thesis
Country: China
Candidate: X F Chen
GTID: 2178360278474850
Subject: Computer application technology

Abstract/Summary:
An Intrusion Detection System (IDS) is a network security safeguard that can take action after identifying suspicious attempts to access networks and hosts, and it is a very important means of ensuring network security. However, because an IDS involves many complex calculations and a large volume of monitoring data, improving its efficiency has become an urgent task. This paper therefore studies a high-efficiency, layer-based Snort Intrusion Detection System, taking the architecture of the Intrusion Detection System as the entry point.

According to function, this paper divides the Distributed Intrusion Detection System into three layers: the data collection layer, the data analysis layer and the decision-making control layer, with the aim of finding a method to improve the detection efficiency of the Intrusion Detection System. The contents of this paper are as follows:

For the data collection layer, the paper analyzes the sensor's working principle, security problems and packet capture technology, and designs its distributed allocation policy. In particular, it applies packet-analysis-based load-balancing technology for IDS dataflow to this layer, and studies the load-balancing algorithm as well.

For the data analysis layer, this paper designs the architecture of the data analysis module and its distributed allocation policies, and analyzes the data detection process. In addition, a string-matching algorithm, the BM algorithm, is introduced into this layer. To resolve the task allocation problem, the paper also puts forward a dynamic IDS task allocation algorithm based on resource occupation.

For the decision-making control layer, this paper studies its architecture and the functions of each module.

Finally, this paper designs a Distributed Intrusion Detection System based on Snort that conforms to the Common Intrusion Detection Framework (CIDF) standard, and presents the key technologies and some ways to solve the problems in the system. It then designs a test platform for the Distributed Intrusion Detection System using Linux-based Snort software. The configuration items of the IDS hosts, servers and analyst control consoles are listed in detail. A series of simulated attacks is then tested on the platform and the results are checked using the ACID tool. Analysis of the test results shows that the system is usable and effective.
Keywords/Search Tags: Distributed Intrusion Detection System, Snort, BM Algorithm, Load-Balance, Task allocation