
Intrusion Detection System

Posted on: 2011-02-21
Degree: Master
Type: Thesis
Country: China
Candidate: Z Pang
Full Text: PDF
GTID: 2208360305997071
Subject: Software engineering

Abstract/Summary:
As an important security technology, the Intrusion Detection System (IDS) is used more and more widely. Storage-based intrusion detection is one of the most important parts of the intrusion detection field. Its aim is to detect unauthorized intrusion as quickly as possible by analyzing the operation data collected from storage devices.

The attack model and the analysis method are two important aspects of storage-based intrusion detection system research and are therefore the focus of this paper. The research mainly involves building attack patterns automatically based on a decision classification tree; detecting abnormal behavior by fusing multiple data features with D-S evidence theory; and coordinated protection among different types of IDSes to improve the detection ability, accuracy and efficiency of storage-based IDS.

The main achievements of this thesis can be summarized as follows:

1. A decision classification tree generating algorithm is proposed. Based on the model and the algorithm, a method for building attack patterns automatically is given. The attack model is one of the most important elements in misuse detection and can determine storage-based IDS performance. Based on attack model theory, an extended attack tree model is presented, aiming to describe attacks exactly; moreover, the model can be reused and shared. Based on this model, the decision classification tree generating algorithm is presented. Experiments using a dataset of storage operations collected from a simulated experiment are given to verify the effectiveness and efficiency of the model and the algorithm.

2. Six groups of light-computation features of storage operation data are proposed, and a storage anomaly detector fusing these features based on Dempster-Shafer (D-S) evidence theory is presented. The detector fuses multiple features of the storage operation data to decide whether the flow is normal, and through this fusion it achieves a low false alarm rate and a low miss rate. Furthermore, the six light-computation features are used to develop an efficient fusion mechanism that guarantees high performance of the algorithm.

3. A method for collaboration among IDSes at various levels is proposed. Collaboration among different IDSes can construct a united defense model and therefore increase the security of the whole system. The collaboration method proposed here simulates acquaintance relations in human society. The collaboration can be implemented in two ways. One is sending intrusion information from the victim to the attacker and asking it to stop further attack. The other is one IDS sending an alarm to its acquaintance IDSes when it finds a novel intrusion.

In addition, according to the characteristics of IDS, the framework and architecture of storage-based IDS are discussed in this thesis. Experimental data are collected and analyzed. Finally, the models, algorithms and methods presented in this thesis have been further verified in designed experiments. There are still many aspects of storage-based IDS technology and related technologies that need to be discussed and researched. The work of this thesis is only a simple attempt, and further research is needed.
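The D-S fusion step from achievement 2, as an added illustration that is not the thesis's own code: each feature contributes a mass function over {normal, anomalous}, the masses are combined with Dempster's rule, and the fused belief in "anomalous" drives the alarm. The feature names, scores, reliabilities and the score-to-mass mapping are constructed assumptions; the thesis's six feature groups are not specified on this page.

```python
"""Dempster-Shafer fusion of per-feature evidence for storage anomaly detection.

Frame of discernment: N (normal) and A (anomalous). Each feature contributes a
mass function over {N}, {A} and the ignorance set {N, A}; masses are combined
with Dempster's rule and the fused belief in A drives the alarm decision.
"""
from functools import reduce

N, A, NA = frozenset("N"), frozenset("A"), frozenset("NA")
FRAME = (N, A, NA)

def feature_mass(score, reliability):
    """Map one feature's anomaly score (0..1) to a mass function.

    Assumed mapping (not from the thesis): the feature's reliability bounds how
    much mass it may commit; the remainder goes to the ignorance set {N, A}.
    """
    return {A: reliability * score, N: reliability * (1.0 - score), NA: 1.0 - reliability}

def combine(m1, m2):
    """Dempster's rule of combination for two mass functions on the same frame."""
    fused = {s: 0.0 for s in FRAME}
    conflict = 0.0  # mass that lands on the empty set
    for s1, v1 in m1.items():
        for s2, v2 in m2.items():
            inter = s1 & s2
            if inter:
                fused[inter] += v1 * v2
            else:
                conflict += v1 * v2
    if conflict >= 1.0:
        raise ValueError("total conflict: evidence cannot be combined")
    return {s: v / (1.0 - conflict) for s, v in fused.items()}  # renormalise

def decide(masses, threshold=0.7):
    """Fuse all feature masses; return (alarm, belief(A), plausibility(A))."""
    fused = reduce(combine, masses)
    belief_a = fused[A]
    plausibility_a = fused[A] + fused[NA]  # upper bound: belief plus ignorance
    return belief_a >= threshold, belief_a, plausibility_a

if __name__ == "__main__":
    # Constructed (anomaly score, reliability) pairs for one observation window;
    # the feature names are illustrative, not the thesis's six feature groups.
    observation = {"write_rate": (0.8, 0.9), "path_entropy": (0.7, 0.8),
                   "off_hours_access": (0.3, 0.6)}
    alarm, bel, pl = decide([feature_mass(*v) for v in observation.values()])
    print(f"alarm={alarm} belief(A)={bel:.3f} plausibility(A)={pl:.3f}")
```

Features that disagree raise the conflict mass and pull the fused belief back toward ignorance, which is what keeps a single noisy feature from triggering the alarm on its own.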
Keywords/Search Tags:Intrusion Detection System, Attack Pattern, Detection Model, Active Storage, Decision Classification Tree, D-S Theory, Evidence Theory, Information Fusion