
Distributed Intrusion Detection System Design And Implementation

Posted on: 2007-08-19
Degree: Master
Type: Thesis
Country: China
Candidate: Y Q Zhao
GTID: 2208360185983174
Subject: Software engineering
Abstract/Summary:
As network environments grow more complex and network attacks more frequent, network security is receiving more and more attention. Traditional network security technology is primarily defensive, with firewalls as the principal protective measure. However, a firewall is a passive defense technology and has limitations; for instance, it is powerless against illegal operations originating inside the firewall. Protection technology based on intrusion detection is therefore receiving more attention. Intrusion detection is one of the core technologies of network security: by analyzing information collected from the network and from computer systems, it can discover behavior that violates the security policy and signs of attack. It collects this information from machines placed at key points in the network.

An Intrusion Detection System (IDS) is usually classified as host-based (HIDS) or network-based (NIDS). The former discovers attacks by analyzing data from the host system, the latter by analyzing data from the network. Both kinds have advantages and disadvantages. HIDS is mainly used to protect important hosts or servers, while NIDS is mainly responsible for detecting attacks on and protecting an entire network segment. HIDS and NIDS complement each other to provide more comprehensive security protection for the network.

We design a Distributed Intrusion Detection System that combines the network-based IDS and the host-based IDS into one system. It can analyze data streams from host detectors and network detectors at the same time. The host and network detectors are dispersed to key points of the network to collect data streams. Because of this structure, the system has more data sources. The HIDS is used to protect files, the registry, IIS and so on. In the implementation of the NIDS, network protocol analysis is combined with pattern matching, which effectively reduces the matching scope and increases detection speed.

In addition, the system uses central management, so that the detection data produced by the host detectors and network detectors can be collected at the control console to provide information for the next step of intrusion analysis. The console manages every detector through a graphical interface and can retrieve the log,...
Keywords/Search Tags: Intrusion detection, Host-based IDS, Network-based IDS, pattern matching, mining association rules