
Distributed Intrusion Detection System

Posted on: 2003-12-06
Degree: Master
Type: Thesis
Country: China
Candidate: M Xiao
GTID: 2208360065451088
Subject: Computer software and theory

Abstract/Summary:
With the spread of the Internet and the growing number and importance of network-based applications, securing computer systems has become both more essential and more challenging. Static security technologies such as firewalls and cryptography are now mature, but they still cannot detect an intrusion at its outset or stop attacks by crackers. Experts therefore proposed intrusion detection. As the basis of dynamic security technology, it identifies intrusion actions and issues an appropriate response based on the traces and rules of the intrusion; it is a proactive network security mechanism.

Since the concept of intrusion detection was proposed, security experts have put forward many detection models: by data source, network-based and host-based systems; by analysis method, misuse detection and anomaly detection; by detection timing, real-time and after-the-fact systems; and so on. Many current detection systems, however, have practical defects: poor scalability; inability to cope with modern high-speed, encrypted, switched networks; incomplete analysis engines; inability to handle cooperative, multi-step attacks by crackers; low detection speed; detection that lags behind the attack; and so on.

To overcome these defects, a distributed design is applied to intrusion detection. Compared with a monolithic design, the distributed approach lets each part be refined and made more flexible. The system consists of three parts: data collection agents, an analysis engine and a response system. Agent deployment is very flexible: agents collect network data and host data on command and run on various platforms. The analysis system adopts an expert-system model, which guarantees the speed and accuracy of the system. The response system can be configured with various kinds of response as needed.

The thesis first introduces the definition, importance and methods of intrusion detection, then presents the design and testing of the distributed detection system's modules. The design uses several new techniques: netflow normalization to avoid ambiguity in data reports; the fast AC_BM matching algorithm; the MD5 message digest algorithm to check integrity; dynamic methods to upgrade the detection system's knowledge base; and so on. Because the design adopts state-transition analysis at a higher abstraction layer, the system can to some extent detect new attack methods automatically even though it is based on misuse detection. To detect combined, multi-step and multi-layer intrusions, attack sequences are modelled; because intrusions follow their own rules, this modelling can forecast an impending intrusion. For automatic response, SNMP datagrams are used to control network devices. For handling audit data, the agents format event objects according to the IETF's intrusion classification. In the analysis engine, the flow of event objects, combined with the current state, triggers the expert system.
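As an added example (not code from the thesis), the following Python sketches the analysis-engine stage described above: normalized event objects from agents drive a per-source, per-target state machine for a multi-step attack scenario, the knowledge base is digest-checked before loading, and completed scenarios are returned as input for the response system. The scenario, event fields, IP addresses and sample events are all constructed.

```python
import hashlib
import json
from collections import namedtuple
# Constructed rule base: ordered event types from one source against one target
# inside a time window make up one multi-step attack scenario.
RULEBASE_JSON = json.dumps({"scan_then_brute_force":
                            ["port_scan", "auth_failure", "auth_failure", "auth_success"]})
RULEBASE_MD5 = hashlib.md5(RULEBASE_JSON.encode()).hexdigest()  # reference digest

def load_rulebase(text, expected_md5):
    # Digest check before loading (MD5 only because the thesis names it; a keyed MAC
    # or a signature is the choice today).
    if hashlib.md5(text.encode()).hexdigest() != expected_md5:
        raise ValueError("rule base integrity check failed")
    return json.loads(text)

Event = namedtuple("Event", "ts src dst kind")  # normalized event object from an agent
class StateTransitionEngine:
    def __init__(self, scenarios, window=300):
        self.scenarios, self.window = scenarios, window
        self.state = {}  # (scenario, src, dst) -> (next step index, ts of step 0)

    def feed(self, ev):
        """Advance each scenario's state for (src, dst); return names of scenarios
        this event completes (the input to the response system)."""
        alerts = []
        for name, steps in self.scenarios.items():
            key = (name, ev.src, ev.dst)
            idx, t0 = self.state.get(key, (0, ev.ts))
            if ev.ts - t0 > self.window:  # window expired: start the scenario over
                idx, t0 = 0, ev.ts
                self.state.pop(key, None)
            if ev.kind != steps[idx]:     # not this scenario's next step: hold state
                continue
            idx += 1
            if idx == len(steps):
                alerts.append(name)
                self.state.pop(key, None)
            else:
                self.state[key] = (idx, t0)
        return alerts
SAMPLE_EVENTS = [  # constructed; 10.0.0.7 is unrelated noise against the same target
    Event(100, "10.0.0.5", "10.0.0.9", "port_scan"),
    Event(130, "10.0.0.5", "10.0.0.9", "auth_failure"),
    Event(140, "10.0.0.7", "10.0.0.9", "auth_failure"),
    Event(150, "10.0.0.5", "10.0.0.9", "auth_failure"),
    Event(200, "10.0.0.5", "10.0.0.9", "auth_success")]

def run(events=SAMPLE_EVENTS):
    engine = StateTransitionEngine(load_rulebase(RULEBASE_JSON, RULEBASE_MD5))
    return [(ev.ts, ev.src, name) for ev in events for name in engine.feed(ev)]
```

Feeding the sample stream completes the scenario only for 10.0.0.5 at ts 200; the same final event arriving after the window restarts the scenario instead of completing it.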
Keywords/Search Tags: Distributed intrusion detection, agent, analysis engine, response system