
Research And Implementation Of A Distributed Intrusion Detection System Management And Coordination Capacity

Posted on: 2006-07-07
Degree: Master
Type: Thesis
Country: China
Candidate: F Q Ma
Full Text: PDF
GTID: 2208360155965975
Subject: Computer application technology

Abstract/Summary:
With the development of network technology, and especially the rapid and widespread adoption of the Internet, network security problems attract more and more attention. Because the traditional static security model cannot adapt to the new network environment, a dynamic security model (such as the PPDR model) meets more network security requirements than the static one, and intrusion detection is the key part of the PPDR model. Intrusion detection is an active security defence technology that complements traditional computer security technology; it can monitor and defend in real time against attacks from both inside and outside, as well as against mistaken operations. It has therefore become a hot topic in network security research.

This thesis first introduces the current state of network security and the currently dominant approaches to network security defence, and points out the importance of researching intrusion detection systems. It then introduces the concept, classification and common models of intrusion detection systems, analyses their development status and shortcomings, and presents a network-based distributed real-time intrusion detection system. This system is composed of a central management, control and coordination module and network detection agents. It is designed and implemented in the Windows 2000 environment, uses Microsoft SQL Server 2000 as the database server, and uses Microsoft VC++ 6.0 as the main development tool. The system applies the WinPcap software package, configuring the network card into promiscuous mode, to collect raw network packets as its dataset; it constructs an intrusion rule database that is easy to match against and to refresh, and uses the pattern-matching method of misuse detection technology to analyse and match network data. If an attack is detected, the intrusion information is submitted to the intrusion database and the warning response mechanism is triggered according to the attack's rank.

This thesis tries to bring new principles and technology into rule database definition, attack detection, attack response, the communication module and the system's own security, in order to strengthen the system's management, control and coordination capacity. Intrusion rules treat reserved keywords and values as their basic semantic elements. A simple expression syntax is used to attach an automatic response to each rule as its default response manner. Meanwhile, a mobile phone short message (SMS) platform is added so that the manager can communicate with the system from other places; in this way the system possesses unmanned automatic response capacity. In addition to implementing all kinds of passive response measures, the system also tries to adopt active response manners such as remote interdiction, and even warning the intruder. The communication module is constructed according to the CIDF model, which gives it seamless communication with other network detection agents. A local detection agent is set up at each local terminal and takes charge of attack detection for its own local network. The system uses two network cards: the monitoring network card used for detection is not allocated an IP address, which implements concealed monitoring. The system uses the TLS/SSL secure communication mechanism during communication, adopts security authentication technology to verify identity, and uses encryption algorithms to implement secure data transmission, so that its own security is strengthened in many aspects. Network testing indicates that the system is simple and effective, that its management, control and coordination capacity is powerful, and that its own security is good, which accords with the current development trend of networks and distributed intrusion detection and has high application value.
Keywords/Search Tags: distributed intrusion detection, misuse detection, response mechanism, safe communication, SMS platform