
Intrusion Detection System Analysis And Implementation

Posted on: 2003-11-05
Degree: Master
Type: Thesis
Country: China
Candidate: X D Wu
GTID: 2208360092475698
Subject: Computer application technology
Abstract/Summary:
The interconnection of computer systems, especially the linking of computers over the Internet, greatly expands the space and time over which information resources can be shared and raises their utilization. At the same time, it brings unprecedented challenges to the security of computer network systems. To enforce a system's security policy, an effective method besides the firewall is to use an IDS (Intrusion Detection System) to monitor users' network activity and to raise alerts and respond. Intrusion detection is a new generation of security assurance technology that follows traditional protective measures such as firewalls and data encryption. It recognizes and responds to malicious activity against hosts and network resources. It can detect intrusions from the external network and also monitor unauthorized user activity on the internal network. An intrusion detection system is a reasonable supplement to the firewall and helps computer systems cope with network attacks. It extends the system administrator's security management capabilities (including security audit, monitoring, attack recognition and response) and improves the completeness of the information security architecture. It collects information from several key points in the computer network system, analyses it, and checks whether the network shows violations of the security policy or traces of attack. Intrusion detection is regarded as the second security gate behind the firewall: without affecting network performance, it provides real-time protection against internal attacks, external attacks and operator error.

This article introduces the relevant modules and implementation techniques of intrusion detection systems. It also analyses in detail "Warcher", a network-based intrusion detection system that runs on Linux. Warcher has the structure and functions of a standard IDS, provides integrated detection and reporting, and has good distribution capability and a definite degree of extensibility. With emphasis on the data acquisition and analysis performed by the agent module, corresponding improvements are proposed. Finally, the article summarizes the current state and development of intrusion detection systems and looks ahead to future research.

As intrusion detection technology has developed, attack techniques have advanced as well. Some underground organizations have made evading or attacking IDS a focus of their study. The development of switching technology and communication over encrypted channels makes data acquisition methods designed for a shared-medium LAN segment insufficient, while high traffic volumes place new demands on data acquisition and analysis. In the author's view, intrusion detection technology has several main directions:

1. Frameworks for distributed intrusion detection and general intrusion detection: Limited to a single host or a single network architecture, a traditional IDS is clearly inadequate for different operating systems and large-scale networks, and different IDS do not work consistently with one another. Solving this problem requires the development of frameworks for distributed intrusion detection and general intrusion detection.
2. Application-layer intrusion detection: Much intrusion data can only be understood at the application layer. Present IDS can only inspect general protocols such as HTTP and cannot handle other application systems such as Lotus Notes and database systems.
3. Intelligent intrusion detection: Intrusion methods are becoming more and more varied and combined. Although neural networks and genetic algorithms have been applied to intrusion detection, this is only exploratory work; intelligent IDS needs further research to address its self-learning and self-adapting abilities.
4. Evaluation methods for intrusion detection systems: Users need to evaluate the many available IDS. The parameters evaluated include the effective area of the IDS, the system resources occupied and self-...
Keywords/Search Tags: Network safety, Intrusion detection, Pattern matching Sniffer, CIDF