
Research on Agent-Based Distributed Intrusion Detection System and Its Realization

Posted on: 2003-08-27
Degree: Master
Type: Thesis
Country: China
Candidate: Y Wang
GTID: 2208360065450888
Subject: Computer applications
Abstract/Summary:
This thesis explores network-based intrusion detection technology and constructs DIDSA, an agent-based Distributed Intrusion Detection System.

First, the thesis analyzes the causes of Internet security problems and the advantages and disadvantages of popular network security technologies. Because intrusion detection plays an essential role in network security, research on intrusion detection techniques is of great importance. The advantages and disadvantages of misuse detection and anomaly detection are analyzed in turn, and the cost and security performance of IDS of various architectures are also discussed.

Building on this research into intrusion detection technology, an agent-based Distributed Intrusion Detection System, DIDSA, is designed and implemented. The system consists of four modules: detector, monitor, controller and communicator.

A DIDSA system can be distributed across any number of hosts in a network, and each host holds a certain number of agents. The detector, which gathers and processes data, is the most active component. The detectors in every agent report their findings to a monitor. The monitor, which is the control unit of the detectors and is responsible for host-based intrusion detection, reduces the data received from the detectors and reports its result to a controller. Monitor, which is the control entity of the transceivers residing in the hosts of the protected network, can be organized in a net fashion.

Communication is the key problem in distributed systems. In DIDSA, pipes are chosen for intra-agent communication and sockets for inter-agent communication.

The thesis describes the implementation of the DIDSA system in detail. The states of entities, the messages, and the I/O subroutines responsible for transmitting messages are introduced first, and then the implementations of the detector, monitor, controller and communicator are presented in turn. The DIDSA architecture runs on networked hosts with Unix/Linux operating systems and is capable of both host-based and network-based intrusion detection.
Keywords/Search Tags: Network security, Distributed Intrusion Detection, Agent