Multi-level Component-based Distributed Intrusion Detection System

Posted on: 2005-09-02    Degree: Master    Type: Thesis
Country: China    Candidate: W H Deng    Full Text: PDF
GTID: 2208360125964348    Subject: Computer system architecture
Abstract/Summary:
Network and information security is an increasingly serious problem. The damage caused by hacker intrusions, information leakage and virus outbreaks is taken seriously worldwide, and every country treats information security as a matter of national security, so our national security agencies need to research information security technology more deeply. Intrusion detection is a newer security technology that complements traditional protective technologies such as firewalls and encryption, and it is the subject of this thesis.

We design a Component-based Multi-Level Distributed Intrusion Detection System (CMLDIDS). It combines network-based and host-based intrusion detection in one system and provides detection, reporting and response together. The system is composed of three levels: the first level consists of the Host Detector and the Network Detector; the second level consists of the Global Detector and the Storage Entity; the third level is the Central Server.

The thesis first briefly surveys the current state of network security, then introduces the definition, importance and methods of intrusion detection systems and analyses the strengths and weaknesses of current IDSs. Snort, which is used in the designed system, is discussed in particular detail. Each component of CMLDIDS is then designed in detail and tested under operating conditions, and future work is proposed.

Several new ideas and methods are adopted in designing and implementing CMLDIDS. Snort is encapsulated as one part of the Network Detector, which ensures accurate and fast network-based detection and allows Snort, including its signature (rule) database, to be upgraded promptly. The Network Port Detection function of the Host Detector detects intrusions in switched networks, where a passive network sensor sees only the traffic on its own switch port and a network-based IDS alone cannot detect reliably. For audit data, the QST algorithm for statistical analysis makes the log-analysis module self-adapting, and several detection methods are available simultaneously in the Global Detector.

The component and detection data held in the Storage Entity are global and consistent. Because CMLDIDS is component-based and conforms to the Common Intrusion Detection Framework (CIDF), it is convenient to deploy. A multi-level filter processes the data coming from audit information and intrusion events, and the resulting two-level analysis is well suited to distributed intrusion detection. The dependability of system security management rests on the control and intrusion-response capabilities of the Central Server.
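The following is an added example, not the thesis's code, that models the three-level, multi-level-filter architecture described above as a small in-memory pipeline. Level-1 detectors apply a first-level filter before forwarding, the Storage Entity holds a single consistent record of components and events (the D-box role in CIDF terms), the Global Detector performs second-level cross-detector correlation, and the Central Server turns alerts into responses. The filter rule (collapse repeated hits within a time window), the correlation rule (same source, same signature, two or more victim hosts) and the response policy (block the source) are assumptions chosen for illustration; Snort encapsulation and the QST algorithm are not reproduced. The sample events are constructed.

```python
# Added example in the spirit of CMLDIDS; component names, filter and
# correlation rules, and the response policy are assumptions, not the thesis's.
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Event:
    detector: str   # level-1 component that raised it, e.g. "hostdet-A", "netdet-1"
    src: str        # attacking source address
    host: str       # targeted host
    sig: str        # detection signature / category label
    t: float        # timestamp in seconds
    count: int = 1  # number of raw hits this event summarises


def level1_filter(raw, window=60.0):
    """First-level filter, run inside each detector: repeated hits with the same
    (detector, src, host, sig) within `window` seconds of the first hit collapse
    into one event carrying a count, so upper levels receive summaries."""
    out, idx = [], {}
    for ev in sorted(raw, key=lambda e: e.t):
        key = (ev.detector, ev.src, ev.host, ev.sig)
        if key in idx and ev.t - out[idx[key]].t <= window:
            cur = out[idx[key]]
            out[idx[key]] = replace(cur, count=cur.count + ev.count)
        else:
            idx[key] = len(out)
            out.append(ev)
    return out


class StorageEntity:
    """Second level: the single, globally consistent record of registered
    components and of every filtered event (CIDF D-box role)."""
    def __init__(self):
        self.components = {}  # component name -> level (1, 2 or 3)
        self.events = []

    def register(self, name, level):
        self.components[name] = level

    def store(self, events):
        self.events.extend(events)


def global_detect(store, window=300.0, min_hosts=2):
    """Second-level analysis: correlate stored events across detectors. A source
    that triggers the same signature on >= min_hosts distinct hosts within
    `window` seconds is reported as a distributed attack no single detector sees."""
    by_key = defaultdict(list)
    for ev in store.events:
        by_key[(ev.src, ev.sig)].append(ev)
    alerts = []
    for (src, sig), evs in sorted(by_key.items()):
        evs.sort(key=lambda e: e.t)
        hosts = {e.host for e in evs}
        if len(hosts) >= min_hosts and evs[-1].t - evs[0].t <= window:
            alerts.append({"src": src, "sig": sig, "hosts": sorted(hosts),
                           "hits": sum(e.count for e in evs),
                           "detectors": sorted({e.detector for e in evs})})
    return alerts


def central_server_respond(alerts):
    """Third level: map global alerts to response actions. The policy here is a
    single assumed rule: block the source of every distributed attack."""
    return [("block", a["src"]) for a in alerts]


def run_pipeline(raw_events):
    """Run all three levels and return (storage, alerts, response actions)."""
    store = StorageEntity()
    for name, level in [("hostdet-A", 1), ("hostdet-B", 1), ("netdet-1", 1),
                        ("globaldet", 2), ("storage", 2), ("central", 3)]:
        store.register(name, level)
    by_det = defaultdict(list)
    for ev in raw_events:
        by_det[ev.detector].append(ev)
    for evs in by_det.values():          # each detector filters before forwarding
        store.store(level1_filter(evs))
    alerts = global_detect(store)
    return store, alerts, central_server_respond(alerts)


# Constructed sample: one source brute-forces SSH on hostA (seen by the host
# detector) and hostB (seen by the network detector); a second source hits once.
SAMPLE = (
    [Event("hostdet-A", "10.0.0.5", "hostA", "ssh-bruteforce", t)
     for t in (0.0, 2.0, 4.0, 6.0, 8.0)]
    + [Event("netdet-1", "10.0.0.5", "hostB", "ssh-bruteforce", 30.0),
       Event("netdet-1", "10.0.0.5", "hostB", "ssh-bruteforce", 31.0),
       Event("hostdet-A", "10.0.0.9", "hostA", "ssh-bruteforce", 40.0)]
)

if __name__ == "__main__":
    store, alerts, actions = run_pipeline(SAMPLE)
    print(len(store.events), "stored events;", alerts, actions)
```

Eight raw hits reach the Storage Entity as three filtered events; only the source seen on two hosts by two different detectors becomes a global alert and a block action, which is the cross-detector correlation a single host- or network-based sensor cannot perform on its own.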
Keywords/Search Tags:Distributed Intrusion Detection, Detectors, Storage System, Central Server