
Intrusion Detection Technology Based on Vulnerability Scanning

Posted on: 2007-02-19
Degree: Master
Type: Thesis
Country: China
Candidate: C R Zhang
GTID: 2208360212460777
Subject: Computer application technology
Abstract/Summary:
The spread of the Internet has made work and daily life more convenient, but attacks launched over the Internet are growing quickly in number and in sophistication. As a key part of the infrastructure that protects and audits an internal network, a Network Intrusion Detection System (NIDS) must keep its detection techniques current in order to find these attacks and protect the security of internal users.

Most NIDSs today recognise attacks by matching packets against signatures, so rule sets keep growing and the matching process becomes more complex; as network bandwidth rises, a NIDS often drops packets. At the same time, many hosts now run more secure operating systems, so a large share of attacks aimed at old OS vulnerabilities no longer work. The NIDS nevertheless raises alerts for these ineffective attacks, and these meaningless alerts bury the useful alerts produced by attacks that target vulnerabilities actually present on the hosts, making it hard for the security administrator to judge which alerts are urgent and dangerous.

This thesis presents the principles of NIDS and vulnerability scanning and analyses their program flow, then integrates the two techniques: the internal network or its hosts are scanned, the vulnerabilities of each host are found, the useful information is extracted, and every NIDS rule is checked and masked if it does not correspond to a vulnerability present on the scanned hosts. The NIDS thereby detects the attacks that can actually succeed while also working more efficiently.

It also reduces the number of alerts, lowering the administrator's workload and improving his efficiency. We also design and implement a module that converts alerts into the standard IDMEF format, so that the system can be integrated conveniently into a distributed intrusion detection system.

The integrated system is evaluated experimentally on the MIT Lincoln Laboratory data sets and on real traffic captured at the Internet access point of the Chinese Academy of Engineering Physics (CAEP). Four metrics are measured: the ratio of masked rules, the ratio of alert reduction, the detection efficiency ratio and the packet-loss ratio. The results show that masking the large number of redundant rules reduces both the active rule set and the number of useless alerts, and that on a high-speed network it also improves detection efficiency and reduces packet loss. The CAEP data sets complement the Lincoln Laboratory data sets effectively: the Lincoln data sets are old and contain few kinds of attack, so many newer attacks do not appear in them. However we collect...
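As an added illustration of the two mechanisms the abstract describes (rule masking driven by scan results, and conversion of native alerts to IDMEF), the following Python is example code written for this page; it is not the thesis's own implementation. The Snort-style rules, the sids, the `cve,0000-NNNN` references, the host addresses and the scanner output are all constructed placeholders, and the masking policy (keep a rule whose referenced vulnerability was found on some host; keep an unreferenced rule only if its destination port is open somewhere; comment out everything else) is one reasonable reading of "mask the rules that do not correspond to host vulnerabilities", not a claim about the thesis's exact algorithm.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed Snort-style rule set. The sids, messages and CVE references
# (cve,0000-NNNN) are placeholders invented for this example, not real signatures.
RULES = """\
alert tcp any any -> $HOME_NET 21 (msg:"FTP SITE overflow"; content:"SITE "; reference:cve,0000-0001; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"Web directory traversal"; content:"../"; reference:cve,0000-0002; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 445 (msg:"SMB service overflow"; content:"|FF|SMB"; reference:cve,0000-0003; sid:1000003; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"SSH version probe"; content:"SSH-"; sid:1000004; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS name overflow"; content:"|00 00|"; reference:cve,0000-0004; sid:1000005; rev:1;)
"""

# Constructed scanner output for the inner network (hypothetical hosts):
# open ports and the vulnerabilities the scanner confirmed on each host.
SCAN = {
    "10.0.0.5": {"ports": {22, 80}, "vulns": {"cve,0000-0002"}},
    "10.0.0.6": {"ports": {22, 445}, "vulns": set()},
}

RULE_RE = re.compile(r'^(\w+)\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s+\((.*)\)\s*$')

def parse_rule(line):
    """Return (dst_port, reference set, sid) for a one-line Snort rule, else None."""
    m = RULE_RE.match(line)
    if not m:
        return None
    port, body = m.group(3), m.group(4)
    refs = set(re.findall(r'reference:([^;]+);', body))
    sid = re.search(r'sid:(\d+);', body)
    return port, refs, sid.group(1) if sid else None

def rule_is_relevant(port, refs, scan):
    """Keep a rule if a vulnerability it references exists on some scanned host.
    A rule with no reference cannot be judged by vulnerability, so it is kept
    only if its destination port is open on at least one host (or is 'any'/a variable)."""
    if refs:
        present = set().union(*(h["vulns"] for h in scan.values()))
        return bool(refs & present)
    if not port.isdigit():          # 'any', $HTTP_PORTS, ranges: keep conservatively
        return True
    open_ports = set().union(*(h["ports"] for h in scan.values()))
    return int(port) in open_ports

def mask_rules(rules_text, scan):
    """Comment out rules that do not correspond to a scanned vulnerability.
    Returns (masked rule text, list of masked sids, ratio of masked rules)."""
    out, masked, total = [], [], 0
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            out.append(line)
            continue
        total += 1
        port, refs, sid = parsed
        if rule_is_relevant(port, refs, scan):
            out.append(line)
        else:
            masked.append(sid)
            out.append("# masked: " + line)
    return "\n".join(out), masked, (len(masked) / total if total else 0.0)

IDMEF_NS = "http://iana.org/idmef"   # namespace defined by RFC 4765

def alert_to_idmef(alert):
    """Convert a native alert dict into an IDMEF (RFC 4765) XML message string."""
    ET.register_namespace("idmef", IDMEF_NS)
    q = lambda tag: "{%s}%s" % (IDMEF_NS, tag)
    msg = ET.Element(q("IDMEF-Message"), version="1.0")
    a = ET.SubElement(msg, q("Alert"), messageid=alert["id"])
    ET.SubElement(a, q("Analyzer"), analyzerid=alert["sensor"])
    ts = alert["time"]
    ntp = int(ts.timestamp()) + 2208988800    # offset between the 1900 and 1970 epochs
    ct = ET.SubElement(a, q("CreateTime"), ntpstamp="0x%08x.0x00000000" % ntp)
    ct.text = ts.isoformat().replace("+00:00", "Z")
    for role, key in (("Source", "src"), ("Target", "dst")):
        node = ET.SubElement(ET.SubElement(a, q(role)), q("Node"))
        addr = ET.SubElement(node, q("Address"), category="ipv4-addr")
        ET.SubElement(addr, q("address")).text = alert[key]
    cls = ET.SubElement(a, q("Classification"), text=alert["msg"])
    for ref in alert.get("refs", ()):
        origin, name = ref.split(",", 1)
        r = ET.SubElement(cls, q("Reference"), origin=origin)
        ET.SubElement(r, q("name")).text = name
        # Hypothetical advisory URL; the Reference element requires one.
        ET.SubElement(r, q("url")).text = "https://example.org/vuln/" + name
    return ET.tostring(msg, encoding="unicode")

# Constructed native alert, as a sensor might emit it for rule sid 1000002.
SAMPLE_ALERT = {
    "id": "1", "sensor": "nids-1",
    "time": datetime(2007, 2, 19, tzinfo=timezone.utc),
    "src": "192.0.2.10", "dst": "10.0.0.5",
    "msg": "Web directory traversal", "refs": ["cve,0000-0002"],
}

def sample_idmef():
    return alert_to_idmef(SAMPLE_ALERT)

if __name__ == "__main__":
    text, masked, ratio = mask_rules(RULES, SCAN)
    print(text)
    print("masked sids:", masked, "masking ratio: %.2f" % ratio)
    print(sample_idmef())
```

With the constructed scan, three of the five rules are masked (the FTP, SMB and DNS rules reference vulnerabilities no host has), giving a masking ratio of 0.60; the SSH rule carries no reference and survives because port 22 is open. In practice the masked rule file would be reloaded into the NIDS, and the correlation key should be whatever identifier the scanner and the rule set share (CVE, Bugtraq, or service fingerprint), with unreferenced rules reviewed by hand rather than masked blindly.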
Keywords/Search Tags: Intrusion Detection System, vulnerability scanning, rule masking, alert format conversion (IDMEF)