
A New Distributed Intrusion Detection System And Related Issues

Posted on: 2009-06-09
Degree: Master
Type: Thesis
Country: China
Candidate: S Q Ai
GTID: 2208360245961634
Subject: Communication and Information System
Abstract/Summary:
Rising malicious attacks against networks have made network security a matter of wide concern, and the distributed intrusion detection system (DIDS) is a hot topic in network security research. However, with the rapid increase in network traffic volume, the computing capacity of the analysis engine has become a bottleneck in the development of DIDS. Against this background, this thesis carries out a series of studies starting from that point. The research consists of the following main parts.

First, this thesis reviews the history of the development of intrusion detection systems (IDS). It then analyzes the advantages and shortcomings of several existing DIDS structures and proposes a new DIDS architecture. With a load balancing algorithm that schedules traffic load based on flow, the new system architecture can perform better in network environments with high traffic load. The second chapter is the foundation for the research that follows in this thesis, because that research is carried out under the new architecture.

The load balancing problem in DIDS is currently seldom studied, yet it is a key point of the new DIDS architecture, and it is examined carefully in the third chapter. This dissertation introduces the concept of 'average flow lasting time' and develops a new load balancing algorithm based on it, which can be applied in the new system architecture. Simulation testing indicates that the new algorithm works well and keeps the load balanced when either the traffic load or the topology changes.

The IP traceback problem is widely studied by scholars, and chapter four examines it in the new system architecture. After evaluating current traceback schemes, it proposes an effective IP traceback scheme based on ICMP messages. The proposed scheme adds an IP traceback manager (ITM), which is aware of the whole system's topology, to the original structure. The scheme does not require high storage or processing overhead in routers. It can trace back single-packet attacks, while the overhead in network bandwidth and path reconstruction is fairly low. Finally, simulation analysis proves that the scheme works well in the new system structure and achieves the expected performance.
Keywords/Search Tags: Network Security, DIDS, System Architecture, Load Balancing, IP traceback