Distributed Active Collaborative Intrusion Detection System Intrusion Characterization And Subsystem Performance Improvements

Posted on: 2006-04-06
Degree: Master
Type: Thesis
Country: China
Candidate: D L Kong
Full Text: PDF
GTID: 2208360182460416
Subject: Computer software and theory
Abstract/Summary:
As an active protection tool, an IDS provides real-time protection against attacks and misoperations from inside or outside the network, and the ability to detect and respond before the protected network is damaged. IDSs built on a single architecture fail to achieve a low false-alarm rate, proper adaptability, a convenient management interface, high processing speed, or good information-correlation ability. As a result, distributed IDSs (DIDS) have come into the focus of the information-security industry.

To resolve these problems, we have designed an IDS called the Distributed Active Cooperative Intrusion Detection System (DACIDS). DACIDS takes warnings from IDSs, or information from sensors, deployed at different nodes as its inputs; by analyzing this information it improves detection efficiency and the ability to detect distributed multistep intrusions (DMI).

This paper begins with a brief review of traditional network security methods and the importance of IDS in network security, followed by a short survey of present IDS studies and their problems. Based on an analysis of the architectures of existing IDSs, the architecture of DACIDS is given, and its main components are described in detail.

The main contributions of the thesis are the following:

1. A method for modeling distributed multistep intrusions. Some steps of a DMI bring no direct threat to the protected hosts or subnets, so they are not detected by the sub-IDSs. We therefore decompose the DMI scenario into a series of events, which can be observed by sensors, or a series of sub-targets, which can be detected by sub-IDSs; we call these sub-tasks of detection (STD). DACIDS checks selected events and system status to capture the occurrence of STDs, and detects both the sequence of STDs and the relations among the attributes of STD events (for example, that several steps share the same source address). Finally, we describe the DMI model in extended ABNF.

2. A language for describing the signatures of distributed multistep intrusions. Based on the DMI model, we define an XML-based language, the DMI Signature Language (DMISL), to describe DMI signatures, together with a DMI DTD. Format checking of DMI signatures written by security administrators or DACIDS clients can be conducted against this DTD.

3. Data standardization for the Cooperative Detection Engine of DACIDS. The formats and contents of warnings and information from different IDSs or sensors vary a lot, so the very first problem for DACIDS is to standardize these data. This paper introduces a modified version of the data model used by the Intrusion Detection Working Group (IDWG) to standardize data in the Intrusion Detection Message Exchange Format (IDMEF); this data model is described as an XML DTD.

4. Improving the efficiency of the signature-based network sub-IDS. We improved the efficiency of signature-based network sub-IDSs by replacing the Boyer-Moore (BM) algorithm with the Aho-Corasick (AC) automaton matching algorithm for signature matching: BM must scan the payload once per signature, whereas the AC automaton matches all signatures in a single pass. This paper introduces the theory of the AC automaton matching algorithm and the procedure for building the automaton. Theoretical analysis shows that the algorithm greatly improves sub-IDS detection efficiency, and experimental results support this.

At the end of this paper, we summarize our work and point out potential future work.
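The following is an added example, not code from the thesis, showing how contributions 1 to 3 fit together: a DMI signature as an ordered list of STDs with attribute relations, read from an XML document, and a correlation engine that runs it over normalized alerts from several sub-IDSs. The XML layout is an assumption (the thesis does not reproduce the DMISL DTD), the alert fields are an IDMEF-like simplification chosen here, and the sample signature and alerts are constructed for the example.

```python
"""Added example, not the thesis's own code: a toy cooperative detection engine
following the DMI model. The DMISL-like XML layout and the IDMEF-like alert
dicts below are assumptions made for this example, not the thesis's formats."""
import xml.etree.ElementTree as ET

# Constructed signature in an assumed DMISL-like layout. Each <std> is one
# sub-task of detection, in the order the STDs must occur; each <relation>
# requires the named attribute to be equal across the listed steps.
SIGNATURE_XML = """
<dmi name="scan-exploit-backdoor" window="600">
  <std id="1" class="portscan"/>
  <std id="2" class="exploit.rpc"/>
  <std id="3" class="backdoor.connect"/>
  <relation attr="source" steps="1,2,3"/>
  <relation attr="target" steps="2,3"/>
</dmi>
"""

# Constructed alerts from several sub-IDSs/sensors, already normalized to one
# IDMEF-like shape (id, time in seconds, classification, source, target).
ALERTS = [
    {"id": "a1", "time": 0, "class": "portscan", "source": "10.0.0.5", "target": "192.168.1.0/24"},
    {"id": "a2", "time": 30, "class": "exploit.rpc", "source": "10.0.0.9", "target": "192.168.1.20"},  # other source
    {"id": "a3", "time": 45, "class": "exploit.rpc", "source": "10.0.0.5", "target": "192.168.1.20"},
    {"id": "a4", "time": 60, "class": "backdoor.connect", "source": "10.0.0.5", "target": "192.168.1.21"},  # other target
    {"id": "a5", "time": 90, "class": "backdoor.connect", "source": "10.0.0.5", "target": "192.168.1.20"},
]


def parse_signature(xml_text):
    """Parse the assumed DMISL-like XML into an ordered STD list and relations."""
    root = ET.fromstring(xml_text.strip())
    steps = sorted((int(s.get("id")), s.get("class")) for s in root.findall("std"))
    relations = [(r.get("attr"), {int(x) for x in r.get("steps").split(",")})
                 for r in root.findall("relation")]
    return {"name": root.get("name"), "window": int(root.get("window")),
            "steps": steps, "relations": relations}


def _relations_hold(sig, bound, step_id, alert):
    """Every relation covering this step must agree with the earlier bound steps."""
    for attr, members in sig["relations"]:
        if step_id not in members:
            continue
        for earlier in members:
            if earlier < step_id and earlier in bound and bound[earlier][attr] != alert[attr]:
                return False
    return True


def correlate(sig, alerts):
    """Advance partial STD sequences over time-ordered alerts; return completed scenarios."""
    first_id, first_class = sig["steps"][0]
    partial = []   # each entry maps step id -> the alert bound to that step
    found = []
    for alert in sorted(alerts, key=lambda a: a["time"]):
        # A scenario that exceeds the signature's time window is abandoned.
        partial = [p for p in partial if alert["time"] - p[first_id]["time"] <= sig["window"]]
        advanced = []
        for p in partial:
            step_id, cls = sig["steps"][len(p)]          # next expected STD
            if alert["class"] == cls and _relations_hold(sig, p, step_id, alert):
                q = dict(p)
                q[step_id] = alert
                if len(q) == len(sig["steps"]):
                    found.append({"name": sig["name"],
                                  "alerts": [q[i]["id"] for i, _ in sig["steps"]]})
                else:
                    advanced.append(q)
        partial.extend(advanced)
        if alert["class"] == first_class:               # every first-step alert opens a scenario
            partial.append({first_id: alert})
    return found


def detect(xml_text=SIGNATURE_XML, alerts=ALERTS):
    return correlate(parse_signature(xml_text), alerts)


if __name__ == "__main__":
    for hit in detect():
        print(hit["name"], "->", hit["alerts"])
```

On the constructed input, alert a2 is rejected because its source differs from the scanning host, and a4 is rejected because its target differs from the exploited host; only a1, a3, a5 complete the scenario. Partial matches are kept after they advance, so the engine reports every combination of alerts that satisfies the signature rather than consuming alerts on first use.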
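The following is an added example, not code from the thesis, of the multi-pattern matching change in contribution 4: an Aho-Corasick automaton built from a set of signatures (goto function, failure links, output sets) and run in a single pass over a payload, compared against a baseline that scans the payload once per signature. The signatures and the HTTP payload are constructed for the example, and the baseline uses Python's built-in substring search rather than a Boyer-Moore implementation; only the one-scan-per-signature structure is the point.

```python
"""Added example, not the thesis's own code: Aho-Corasick multi-pattern matching
versus a one-scan-per-signature baseline. Signatures and payload are constructed."""
from collections import deque

# Constructed signatures; "passwd" is a suffix of "/etc/passwd" to exercise output
# propagation along failure links, and "HEAD /" never occurs in the payload.
SIGNATURES = [b"../..", b"/etc/passwd", b"passwd", b"cmd.exe", b"/bin/sh", b"HEAD /"]

# Constructed payload (a single HTTP request carrying several signatures).
PAYLOAD = b"GET /cgi-bin/../../../../etc/passwd HTTP/1.0\r\nUser-Agent: cmd.exe/bin/sh\r\n"


class AhoCorasick:
    """Automaton matching every signature in one left-to-right pass over the data."""

    def __init__(self, patterns):
        self.goto = [{}]      # state -> {byte value: next state}
        self.fail = [0]       # state -> longest proper suffix that is also a prefix
        self.out = [set()]    # state -> patterns that end at this state
        for pat in patterns:
            self._add(pat)
        self._build_failure_links()

    def _add(self, pat):
        state = 0
        for b in pat:                      # iterating bytes yields ints
            if b not in self.goto[state]:
                self.goto.append({})
                self.fail.append(0)
                self.out.append(set())
                self.goto[state][b] = len(self.goto) - 1
            state = self.goto[state][b]
        self.out[state].add(pat)

    def _build_failure_links(self):
        # Breadth-first over the trie so that fail[] of shallower states is ready.
        queue = deque(self.goto[0].values())  # depth-1 states already have fail = 0
        while queue:
            s = queue.popleft()
            for b, t in self.goto[s].items():
                queue.append(t)
                f = self.fail[s]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[t] = self.goto[f].get(b, 0)
                # A pattern ending at the failure state also ends here.
                self.out[t] |= self.out[self.fail[t]]

    def search(self, data):
        """Return (start offset, pattern) for every occurrence, overlaps included."""
        matches = []
        state = 0
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for pat in self.out[state]:
                matches.append((i - len(pat) + 1, pat))
        return matches


def per_pattern_search(patterns, data):
    """Baseline: one scan of the payload per signature (bytes.find, not Boyer-Moore)."""
    matches = []
    for pat in patterns:
        start = data.find(pat)
        while start != -1:
            matches.append((start, pat))
            start = data.find(pat, start + 1)   # step by one so overlaps are found
    return matches


def scan(patterns=SIGNATURES, data=PAYLOAD):
    """Single-pass automaton result, sorted by offset, then pattern."""
    return sorted(AhoCorasick(patterns).search(data))


if __name__ == "__main__":
    for offset, pat in scan():
        print(offset, pat)
```

Both functions report the same seven hits on the constructed payload (three overlapping "../.." at offsets 13, 16 and 19, "/etc/passwd" and "passwd" ending at the same byte, then "cmd.exe" and "/bin/sh"), but the baseline walks the payload six times, once per signature, while the automaton walks it once and its per-byte work does not grow with the number of signatures.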
Keywords/Search Tags:Intrusion Detection System, Cooperative Detection, Standardization of data, Model, Attack Language, Automata