
Distributed Collaborative Intrusion Detection And Alarm Fusion Research

Posted on: 2006-05-02
Degree: Master
Type: Thesis
Country: China
Candidate: X B Lv
Full Text: PDF
GTID: 2208360182960416
Subject: Computer software and theory
Abstract/Summary:
As network infrastructure is relied upon ever more heavily, the demand for facilities that are secure and resistant to attack becomes urgent. At the same time, the growing complexity of networks confronts intrusion detection systems with new problems: an intrusion is no longer a single action but a set of concurrent ones; the weaknesses and vulnerabilities of systems are more dispersed than before, so that an intrusion event cannot be detected by a single IDS; the data that IDSs need is scattered across the Internet and becomes harder and harder to collect; and rising data rates and growing network traffic turn the management of raw data into a bottleneck. Distributed intrusion detection systems were developed to address this situation.

This thesis first introduces the concept and structure of a Distributed Intrusion Detection System (DIDS). It then analyzes the architectures and key technologies of current DIDSs in depth. Based on this analysis, the design of a Distributed Active Cooperative Intrusion Detection System (DACIDS) is presented. DACIDS takes the warnings of IDSs, or information from sensors deployed at different nodes, as its input and, by analyzing this information, improves detection efficiency and the ability to detect distributed multistep intrusions (DMI).

The design and implementation of the engine of a Distributed Intrusion Detection System is one part of the DACIDS project. The engine's task is to correlate the warnings produced by the local IDSs and thereby realize the distributed intrusion detection algorithm. Its input is the data coming from the local detection component together with the correlation information from other engines.

Before designing the distributed intrusion detection algorithm, we decomposed an intrusion into the steps that lead the system from its initial safe state to an insecure state. To match this model, we detect intrusions with an Extended Finite State Machine (EFSM); the DEFSM we define is a kind of EFSM obtained from a Finite State Machine (FSM) by adding variables, preconditions on the transitions between states, and operations performed on each transition. With the DEFSM we can describe the dynamic behaviour of a series of attack steps more exactly.

Because the large volume of alarms produced by IDSs increases the load on the cooperative detection engine and leads to a bottleneck, we cluster, fuse and correlate the IDS alarms so as to reduce the amount of data the engine must process. In this thesis we define a time-based intrusion action pattern (IAP) and fuse alarms by recognizing the IAP. This method has been proven to address the problems concerned.
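The two mechanisms the abstract describes, time-based alert fusion and a DEFSM (an FSM with variables, guarded transitions and transition actions) that tracks a multistep intrusion, are shown together below in a small added example. This is illustration code written for this page, not the thesis's DACIDS engine: the alert fields, the signature names, the fusion key (signature, source, destination) and the three-step pattern are all constructed assumptions.

```python
"""Time-based alert fusion and a DEFSM-style correlation engine.
Added example, not code from the thesis; alert fields, signature names
and the three-step attack pattern are constructed for illustration."""
from collections import namedtuple

# Constructed alert record: what a local IDS hands to the cooperative engine.
Alert = namedtuple("Alert", "ts sig src dst")


def fuse_alerts(alerts, window):
    """Time-based intrusion action pattern (IAP) fusion.

    Alerts with the same (sig, src, dst) whose timestamps fall within
    `window` seconds of the first alert of their group are merged into one
    fused alert carrying a repetition count.  Returns (first_alert, count)
    pairs in time order.
    """
    groups = []  # each entry: [first_alert, count]
    for a in sorted(alerts, key=lambda x: x.ts):
        for g in groups:
            first = g[0]
            same_key = (first.sig, first.src, first.dst) == (a.sig, a.src, a.dst)
            if same_key and a.ts - first.ts <= window:
                g[1] += 1
                break
        else:
            groups.append([a, 1])
    return [(g[0], g[1]) for g in groups]


class Transition:
    """One DEFSM transition: source state, target state, a guard evaluated
    on (alert, count, vars) and an action that may update vars."""
    def __init__(self, src, dst, guard, action=lambda a, c, v: None):
        self.src, self.dst, self.guard, self.action = src, dst, guard, action


class DEFSM:
    """Finite state machine extended with variables, guarded transitions
    and transition actions, as the abstract describes."""
    def __init__(self, transitions, start, final):
        self.transitions = transitions
        self.state = start
        self.final = final
        self.vars = {}

    def feed(self, alert, count):
        """Consume one fused alert; return True once the final state is reached."""
        for t in self.transitions:
            if t.src == self.state and t.guard(alert, count, self.vars):
                t.action(alert, count, self.vars)
                self.state = t.dst
                break  # an alert matching no guard leaves the state unchanged
        return self.state == self.final


def build_multistep_pattern(max_span=3600):
    """Constructed three-step pattern: port scan -> at least 3 SSH login
    failures (seen as one fused alert) -> privilege escalation, all from
    the same source host and within `max_span` seconds of the scan."""
    same_src = lambda a, v: a.src == v.get("attacker")
    return DEFSM([
        Transition("safe", "scanned",
                   lambda a, c, v: a.sig == "port_scan",
                   lambda a, c, v: v.update(attacker=a.src, t0=a.ts)),
        Transition("scanned", "bruteforced",
                   lambda a, c, v: a.sig == "ssh_login_failure"
                   and same_src(a, v) and c >= 3),
        Transition("bruteforced", "compromised",
                   lambda a, c, v: a.sig == "priv_escalation"
                   and same_src(a, v) and a.ts - v["t0"] <= max_span),
    ], start="safe", final="compromised")


def detect_dmi(alerts, window=60):
    """Fuse raw alerts, then run the fused stream through the DEFSM.
    Returns (detected, variables) so the caller sees which host and when."""
    machine = build_multistep_pattern()
    for alert, count in fuse_alerts(alerts, window):
        if machine.feed(alert, count):
            return True, dict(machine.vars)
    return False, dict(machine.vars)


# Constructed sample input: one attacking host plus one unrelated scan.
SAMPLE_ALERTS = [
    Alert(0, "port_scan", "10.0.0.5", "10.0.0.10"),
    Alert(5, "port_scan", "10.0.0.7", "10.0.0.10"),
    Alert(10, "ssh_login_failure", "10.0.0.5", "10.0.0.10"),
    Alert(12, "ssh_login_failure", "10.0.0.5", "10.0.0.10"),
    Alert(15, "ssh_login_failure", "10.0.0.5", "10.0.0.10"),
    Alert(100, "priv_escalation", "10.0.0.5", "10.0.0.10"),
]

if __name__ == "__main__":
    print(detect_dmi(SAMPLE_ALERTS))
```

Fusion turns the three login-failure alerts into one alert with count 3, so the engine evaluates four fused alerts instead of six, and the count itself becomes a guard input. A single DEFSM instance binds its `attacker` variable to the first scan it sees; a production engine would keep one instance per candidate source so that concurrent intrusions from different hosts are tracked independently.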
Keywords/Search Tags: intrusion detection system, distributed system, cooperative detection, alert fusion, Extended Finite State Machine (EFSM)