
Intrusion Detection Algorithm And Architecture

Posted on: 2007-02-05    Degree: Master    Type: Thesis
Country: China    Candidate: Z W Sheng    Full Text: PDF
GTID: 2208360212475489    Subject: Computer application technology
Abstract/Summary:
With the popularization of networks and the increasing number of attacks by hackers, network security has become ever more important. As the crucial complement to the firewall, intrusion detection (IDS) technology has become a focus of the network security field. Present IDSs still have problems: a high false positive rate, a high false negative rate, slow detection, and heavy resource consumption. To address these problems, this thesis analyzes Snort, mobile agents, fuzzy reasoning and optimal search theory in depth, and carries out innovative and exploratory research on the detection algorithm and the architecture of the intrusion detection system. The main results are as follows:

(1) The application of fuzzy reasoning Petri nets (FRPN) to IDS is investigated in detail. The thesis modifies the definition of the FRPN by adding a weight factor to each proposition and revises the reasoning algorithm accordingly; the validity and rationality of the modified algorithm are demonstrated by an example. The usual Petri-net-based fuzzy reasoning method takes the minimum of the truth values of the propositions in a fuzzy conjunction and the maximum in a fuzzy disjunction. In an intrusion detection system this ignores the weight of each proposition within a rule and produces inaccurate results. Once weight factors are introduced, the weight of every event is taken into account and the reasoning result is more precise.

(2) The model of optimal search is discussed, and the application of optimal search to rule matching in IDS is presented. The thesis divides the rule database into several cells according to attack type, then allocates the available matching time across the cells so as to maximize the probability of detecting attacks while discarding fewer packets. In a conventional IDS, rule matching traverses all rules; with pattern matching, this consumes more time and causes more packets to be dropped. Without changing the detection speed, the process instead selects some of the rules to match. Based on optimal search theory, the system allocates the limited time optimally according to known or likely attacks, which reduces the workload, causes the IDS to discard as few packets as possible, and thus detects more attacks.

(3) The architecture of the distributed intrusion detection system (DIDS) is studied. The thesis presents a DIDS model based on mobile agents and Snort. Host events are collected by a host information collector (HIC), and network events by a network information collector (NIC) and Snort. Mobile agents fuse and analyze the events, which improves detection accuracy. This architecture can detect not only conventional attacks but also distributed attacks. The use of mobile agents also reduces network traffic, improves the real-time behaviour of the system, and eases management.
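The weighted fuzzy reasoning of result (1), as an added example that is not code from the thesis: a small fuzzy reasoning Petri net is evaluated twice over the same constructed intrusion facts, once with the classic min/max rule and once with per-proposition weights. The abstract does not give the thesis's weighted formula, so the weighted conjunction used here (a weighted average of the input truth values, weights summing to 1) is an assumption, as are the rule names, places, weights and certainty factors.

```python
"""Weighted fuzzy reasoning Petri net (FRPN) for intrusion alerts.

Added example, not code from the thesis. Places are propositions about
observed events with a truth value in [0, 1]; transitions are fuzzy
IF-THEN rules with a certainty factor (CF). The classic FRPN evaluation
takes the minimum truth value over a conjunction and the maximum over a
disjunction. The weighted variant below is an assumption about how the
thesis's weight factors act: a conjunction is scored by the weighted
average of its input truth values (weights sum to 1), so a strong,
high-weight event is no longer wiped out by a weak, low-weight one.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Rule:
    """One transition: IF inputs THEN output, with certainty factor cf."""
    name: str
    inputs: List[Tuple[str, float]]  # (place, weight)
    output: str
    cf: float                        # rule certainty factor in [0, 1]
    conjunctive: bool = True         # False -> disjunctive (OR) rule

    def __post_init__(self):
        if not 0.0 <= self.cf <= 1.0:
            raise ValueError(f"{self.name}: cf must lie in [0, 1]")
        if self.conjunctive and abs(sum(w for _, w in self.inputs) - 1.0) > 1e-9:
            raise ValueError(f"{self.name}: conjunction weights must sum to 1")

    def fire(self, truth: Dict[str, float], weighted: bool) -> float:
        """Truth value this rule contributes to its output place."""
        vals = [truth.get(place, 0.0) for place, _ in self.inputs]
        if not self.conjunctive:
            # Disjunction: the strongest input carries the conclusion in
            # both variants; weights are not applied to OR rules here.
            antecedent = max(vals)
        elif weighted:
            antecedent = sum(w * v for (_, w), v in zip(self.inputs, vals))
        else:
            antecedent = min(vals)  # classic min-rule for AND
        return antecedent * self.cf


def reason(rules: List[Rule], facts: Dict[str, float], weighted: bool,
           max_rounds: int = 100, eps: float = 1e-9) -> Dict[str, float]:
    """Forward-chain until no place changes (max_rounds bounds cyclic nets).
    A derived place keeps the strongest support it has received, so truth
    values never decrease between rounds."""
    truth = dict(facts)
    for _ in range(max_rounds):
        changed = False
        for rule in rules:
            value = rule.fire(truth, weighted)
            if value > truth.get(rule.output, 0.0) + eps:
                truth[rule.output] = value
                changed = True
        if not changed:
            break
    return truth


# Constructed rule base: a brute-force rule whose evidence is dominated by
# the login-failure count, a reconnaissance rule, and an OR rule on top.
RULES = [
    Rule("R1", [("failed_logins_high", 0.8), ("source_unknown", 0.2)],
         "brute_force", cf=0.9),
    Rule("R2", [("port_scan_seen", 1.0)], "recon", cf=0.95),
    Rule("R3", [("brute_force", 0.5), ("recon", 0.5)],
         "attack_in_progress", cf=1.0, conjunctive=False),
]

# Constructed truth values for the observed propositions on one host.
FACTS = {"failed_logins_high": 0.9, "source_unknown": 0.2, "port_scan_seen": 0.7}


def compare(rules=RULES, facts=FACTS):
    """Return (classic, weighted) truth assignments after reasoning."""
    return reason(rules, facts, weighted=False), reason(rules, facts, weighted=True)


if __name__ == "__main__":
    classic, weighted = compare()
    for place in ("brute_force", "recon", "attack_in_progress"):
        print(f"{place:20s} min-rule={classic[place]:.3f} weighted={weighted[place]:.3f}")
```

With the classic min-rule the single weak proposition `source_unknown` (0.2) drags `brute_force` down to 0.18, so the disjunction is decided by the reconnaissance branch; with weights the dominant evidence keeps `brute_force` at 0.684, which is the effect the abstract attributes to the weight factors.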
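The time allocation of result (2), as an added example that is not the thesis's code: the rule base is split into cells by attack type and a fixed per-packet budget of rule comparisons is divided among the cells so that the probability of detecting an attack is maximized, then compared with a uniform split and with full traversal that drops the packets it cannot afford to examine. The abstract does not state the thesis's detection function, so the exponential (Koopman random-search) model, the cell names, priors and rule counts below are assumptions.

```python
"""Optimal-search allocation of rule-matching time across rule cells.

Added example, not the thesis's code. The rule base is split into cells by
attack type; cell i holds c_i rules and the next attack belongs to it with
prior probability p_i. Assumed detection model (the abstract does not
state the thesis's): spending t_i rule comparisons inside cell i finds an
attack that is there with probability 1 - exp(-t_i / c_i), Koopman's
random-search law. With a per-packet budget of T comparisons the problem is

    maximise  P = sum_i p_i * (1 - exp(-t_i / c_i))
    s.t.      sum_i t_i = T,  t_i >= 0.

Stationarity gives (p_i / c_i) * exp(-t_i / c_i) = lam for every cell that
receives effort, i.e. t_i = c_i * ln(p_i / (c_i * lam)) clipped at 0, and
lam is found by bisection so that the allocations sum to T.
"""
import math
from typing import Dict, Tuple

# Constructed rule base: cell -> (prior probability of that attack type, rule count)
CELLS: Dict[str, Tuple[float, int]] = {
    "dos": (0.50, 40),
    "web": (0.30, 100),
    "scan": (0.15, 20),
    "other": (0.05, 200),
}


def _allocation_for(cells, lam):
    """Effort per cell for a given multiplier (zero where searching is not worth it)."""
    return {name: max(0.0, c * math.log(p / (c * lam))) for name, (p, c) in cells.items()}


def optimal_allocation(cells, budget, iters=200):
    """Split `budget` comparisons across cells to maximise detection probability."""
    lo, hi = 1e-12, max(p / c for p, c in cells.values())  # at hi every cell gets 0
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if sum(_allocation_for(cells, mid).values()) > budget:
            lo = mid  # too much effort: raise the multiplier
        else:
            hi = mid
    return _allocation_for(cells, hi)


def uniform_allocation(cells, budget):
    """Naive split: the same time for every cell regardless of attack likelihood."""
    return {name: budget / len(cells) for name in cells}


def detection_probability(cells, alloc):
    """P(attack detected) for an allocation under the model above."""
    return sum(p * (1.0 - math.exp(-alloc[name] / c)) for name, (p, c) in cells.items())


def full_traversal_detection(cells, budget):
    """Baseline: match every rule on each packet the budget allows, drop the rest."""
    total_rules = sum(c for _, c in cells.values())
    fraction_examined = min(1.0, budget / total_rules)
    return fraction_examined * sum(p for p, _ in cells.values())


def marginal_gain(cells, alloc):
    """dP/dt_i per cell; at the optimum these agree on every cell that is searched."""
    return {name: (p / c) * math.exp(-alloc[name] / c) for name, (p, c) in cells.items()}


if __name__ == "__main__":
    T = 120  # comparisons per packet; full traversal of 360 rules would need 360
    opt = optimal_allocation(CELLS, T)
    print("optimal allocation:", {k: round(v, 1) for k, v in opt.items()})
    print("P(detect) optimal  :", round(detection_probability(CELLS, opt), 3))
    print("P(detect) uniform  :", round(detection_probability(CELLS, uniform_allocation(CELLS, T)), 3))
    print("P(detect) traverse :", round(full_traversal_detection(CELLS, T), 3))
```

Under this model the optimum gives the large, low-prior `other` cell no time at all and spends most of the budget on the likely attack types; the marginal gain `marginal_gain()` is equal across the searched cells, which is the check to run when the priors or cell sizes are changed.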
Keywords/Search Tags: intrusion detection, Petri net, fuzzy reasoning, optimal search, mobile agent