
Intelligent, Distributed Network Intrusion Detection System

Posted on: 2004-01-10    Degree: Master    Type: Thesis
Country: China    Candidate: X N Wu    Full Text: PDF
GTID: 2208360092498753    Subject: Computer software and theory
Abstract/Summary:
With the rapid development and wide application of computer networks, network intrusions happen more and more frequently and cause more harm, and the network security situation grows more and more serious. Network intrusion detection has therefore become a research and development hot spot in network security. A Network Intrusion Detection System (NIDS) is one of the most important tools for guaranteeing the integrity and availability of systems and network resources; its main task is the identification and prevention of network-based attacks.

After comparing in detail 24 current popular IDSs or IDS prototypes from the aspects of granularity, method and time of detection, data collection, and data processing, we find that most current IDSs share several problems: they are generally platform dependent, inefficient in their detection methods, lacking in intelligence in data analysis, not extensible as network configurations change or are upgraded, and not adaptive when new attack methods emerge.

In response to these weak points, the thesis proposes a new NIDS architecture and describes the design and construction of an experimental NIDS called INIDS (Intelligent Network Intrusion Detection System), which performs real-time analysis of packet traffic sniffed off the network segment using an appropriate mix of an expert system (ES) for misuse intrusion and data mining (DM) technology for anomaly intrusion. The first survival test a packet has to pass is the Expert System, which is based on well-known attack signatures. The strength of this method is its effectiveness, speed and precision of detection, which makes up for the lower real-time performance of data mining, where the second test happens. DM can automatically extract signatures and features without human interference; it can be used to detect unknown attacks and reduces the dependence of the ES on its detection rules.

The new architecture also extends the concept of distribution in NIDSs. Distribution is applied not only to data collection and data analysis but also to the detection method. This innovation can greatly balance the load of the system and dramatically decrease the communication between the distributed checkpoints in the monitored network and the central management point. Furthermore, the architecture is favorable for constructing a heterogeneous and extensible distributed NIDS because it utilizes the object-oriented, language- and platform-independent features of CORBA.

The key issues of the INIDS implementation are investigated in detail in the final three chapters of the thesis, including the communication model, class diagram, IDL description and sequence diagrams of key processes. How ES and DM are used to construct the IDS is discussed in depth, including the rule description of signature-based intrusions and the building and evaluation of the classification model, clustering model and association rules. INIDS is intelligent in detection, extensible in structure, adaptive to new intrusions and heterogeneous in platform. Our experiments show that it has promising applications in complex interconnected networks.
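The two-stage pipeline and the checkpoint/manager split described in the abstract, as an added example written for this page rather than code from the thesis or from INIDS. Stage 1 is an expert-system style signature match (header fields plus a content pattern); stage 2 scores packets no rule claimed against a frequency profile mined from baseline traffic, so a service never seen on the segment is flagged without a hand-written rule. The checkpoint sends only alerts to the manager, never raw packets, which is the communication saving the abstract claims. The rules, the baseline, the test traffic and the threshold of 3.0 are all constructed assumptions for the demonstration.

```python
"""
Two-stage detection checkpoint in the INIDS style (illustrative, not the
thesis's own code): signature rules first, anomaly score second, alerts
only crossing to the central manager. Rules, traffic and threshold are
constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes


# Stage 1: signature rules in the style of an expert-system rule base (constructed).
SIGNATURE_RULES = [
    {"name": "http-dir-traversal", "proto": "tcp", "dport": 80, "content": b"../../"},
    {"name": "telnet-root-login", "proto": "tcp", "dport": 23, "content": b"login: root"},
]


def match_signature(pkt):
    """Return the name of the first rule whose header fields and content match, else None."""
    for rule in SIGNATURE_RULES:
        if (pkt.proto == rule["proto"] and pkt.dport == rule["dport"]
                and rule["content"] in pkt.payload):
            return rule["name"]
    return None


class AnomalyModel:
    """Stage 2: a frequency profile of (proto, dport) pairs mined from baseline traffic.
    The score is the negative log-probability with Laplace smoothing, so a pair that
    never appeared in the baseline scores high without anyone writing a rule for it."""

    def __init__(self, baseline):
        self.counts = Counter((p.proto, p.dport) for p in baseline)
        self.total = sum(self.counts.values())
        self.vocab = len(self.counts) + 1   # +1 reserves probability mass for unseen pairs

    def score(self, pkt):
        c = self.counts.get((pkt.proto, pkt.dport), 0)
        prob = (c + 1) / (self.total + self.vocab)
        return -math.log(prob)


class Checkpoint:
    """A detection point on one segment: runs both stages locally, emits alerts only."""

    def __init__(self, name, baseline, threshold):
        self.name = name
        self.model = AnomalyModel(baseline)
        self.threshold = threshold

    def process(self, packets):
        alerts = []
        for pkt in packets:
            sig = match_signature(pkt)
            if sig is not None:              # cheap, precise path first
                alerts.append({"checkpoint": self.name, "stage": "signature",
                               "name": sig, "src": pkt.src})
                continue
            s = self.model.score(pkt)        # slower path only for packets no rule claimed
            if s > self.threshold:
                alerts.append({"checkpoint": self.name, "stage": "anomaly",
                               "name": f"rare-service {pkt.proto}/{pkt.dport}",
                               "src": pkt.src, "score": round(s, 2)})
        return alerts


class Manager:
    """Central management point: receives alerts, not packets, from every checkpoint."""

    def __init__(self):
        self.alerts = []

    def collect(self, alerts):
        self.alerts.extend(alerts)

    def summary(self):
        return Counter((a["stage"], a["name"]) for a in self.alerts)


# Constructed baseline: mostly web and DNS traffic on one segment.
BASELINE = ([Packet("10.0.0.%d" % (i % 5 + 2), "10.0.0.1", "tcp", 80, b"GET / HTTP/1.0")
             for i in range(40)]
            + [Packet("10.0.0.%d" % (i % 5 + 2), "10.0.0.1", "udp", 53, b"\x12\x34")
               for i in range(20)])

# Constructed test traffic: two normal packets, one signature hit, one never-seen service.
TRAFFIC = [
    Packet("10.0.0.3", "10.0.0.1", "tcp", 80, b"GET /index.html HTTP/1.0"),
    Packet("10.0.0.4", "10.0.0.1", "udp", 53, b"\x56\x78"),
    Packet("10.0.0.9", "10.0.0.1", "tcp", 80, b"GET /../../etc/passwd HTTP/1.0"),
    Packet("10.0.0.9", "10.0.0.1", "tcp", 6667, b"NICK bot"),
]


def run_demo():
    """Run one checkpoint over the constructed traffic and return what reaches the manager."""
    cp = Checkpoint("segment-A", BASELINE, threshold=3.0)
    mgr = Manager()
    mgr.collect(cp.process(TRAFFIC))
    return mgr.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

With this baseline the seen pairs score about 0.43 (tcp/80) and 1.10 (udp/53), while the unseen tcp/6667 scores ln(63), about 4.14, and crosses the threshold; the traversal packet never reaches stage 2 because the signature rule claims it first. A real checkpoint would refresh the profile periodically and mine richer features (clusters over flow statistics, association rules between header fields) rather than a single pair frequency, but the ordering of the two tests and the alerts-only boundary are the points the example is meant to show.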
Keywords/Search Tags: Network Intrusion Detection System (NIDS), Artificial Intelligence, Distributed System, Data Mining, Expert System, CORBA