
Research And Implementation On Key Technology Of Distributed Intrusion Detection System

Posted on: 2018-06-08
Degree: Master
Type: Thesis
Country: China
Candidate: W Du
GTID: 2348330512988970
Subject: Engineering
Abstract/Summary:
With the Internet now part of national strategy and the rapid development of network and computer technology, the Internet reaches every aspect of life and work, and information security faces unprecedented threats. Most Internet-based applications and data are spread across different networks and regions, and so face intrusion attacks that are themselves more distributed and more complex. In this context, intrusion detection technology, and distributed intrusion detection in particular, must meet higher requirements.

This thesis analyzes intrusion detection and the key technologies of a distributed intrusion detection system, improves the parts that no longer meet current detection requirements, and finally designs and implements a distributed intrusion detection system based on that analysis, research and those improvements.

The main analysis and research:

(1) The distributed intrusion detection system and its alternative architectures are analyzed, as the reference for the later architectural design of the system.

(2) Two key elements of distributed intrusion detection are analyzed: the BEEP-based communication protocol and the Intrusion Detection Message Exchange Format (IDMEF). BEEP is analyzed to support the design and implementation of the system's BEEP communication component; the analysis of IDMEF identifies its deficiencies and lays the foundation for the improvements to IDMEF proposed here.

(3) The common multiple-pattern matching algorithms used in misuse (signature-based) intrusion detection are analyzed in depth and compared experimentally, as the theoretical and experimental basis for later improvement of the detection function.

The improvements and innovations:

(1) Based on the IDMEF analysis, the deficiencies of IDMEF are described and a new version of the format, IDMEFNew, is designed. A plan for replacing XML with JSON is also developed to meet the current requirements and trends of data exchange in Internet applications.

(2) Avro-based IDMEFNew encoding components are designed and implemented to handle the transmission of large volumes of alert data, to allow future data exchange with the Hadoop big-data platform, and to let the system perform intrusion detection and analysis with big-data technology.

Following this analysis and experimentation, the thesis designs and implements a distributed intrusion detection system. Detection is performed by Snort, the open-source misuse intrusion detection engine. Architecturally, following the agent-based distributed model, the detection component is made independent and a separately running node manager is added. The system's communication protocol is derived from BEEP; for the data exchange format, the IDMEF improvements described above are used, with the Avro IDMEFNew encoding component designed and implemented for it.
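The abstract's analysis item (3) compares multiple-pattern matching algorithms for misuse detection without showing one. The following is an added example, not code from the thesis or from Snort: a minimal Aho-Corasick automaton, the algorithm Snort uses for its content matching, scanning constructed payloads against a constructed signature set. The rule names and patterns are illustrative and are not real Snort rule identifiers.

```python
"""Aho-Corasick multi-pattern matching over packet payloads.

A misuse (signature) detection engine such as Snort must test each payload
against many "content" patterns at once.  Aho-Corasick builds one automaton
from all patterns and then scans the payload in a single pass, so the cost
of a scan does not grow with the number of loaded signatures.
"""
from collections import deque


class AhoCorasick:
    """Trie over the byte patterns plus failure links, built breadth-first."""

    def __init__(self, patterns):
        self.goto = [{}]      # goto[state][byte] -> next state
        self.fail = [0]       # fail[state] -> state of the longest proper suffix
        self.output = [[]]    # output[state] -> patterns that end in this state
        for pat in patterns:
            self._insert(bytes(pat))
        self._build_failure_links()

    def _insert(self, pat):
        state = 0
        for b in pat:
            nxt = self.goto[state].get(b)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.output.append([])
                self.goto[state][b] = nxt
            state = nxt
        self.output[state].append(pat)

    def _build_failure_links(self):
        # Depth-1 states fail back to the root (already 0); process the rest
        # in BFS order so every state's fail target is finished before use.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # A pattern that is a suffix of another pattern must also be
                # reported when the longer one matches (e.g. "passwd" inside
                # "/etc/passwd"), so merge the fail state's outputs.
                self.output[s].extend(self.output[self.fail[s]])

    def search(self, data):
        """Yield (start_offset, pattern) for every occurrence in data."""
        state = 0
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for pat in self.output[state]:
                yield i - len(pat) + 1, pat


# Constructed signature set in the spirit of Snort "content" options.
# Names are illustrative, not real Snort rule identifiers.
RULES = {
    b"../../": "directory traversal",
    b"/etc/passwd": "password file read",
    b"passwd": "password keyword",
    b"/bin/sh": "shell invocation",
    b"UNION SELECT": "SQL injection",
}
MATCHER = AhoCorasick(RULES)   # built once, reused for every payload


def scan(payload):
    """Return [(offset, rule name)] for every signature found in payload."""
    return sorted((off, RULES[pat]) for off, pat in MATCHER.search(payload))


if __name__ == "__main__":
    # Constructed sample payloads.
    for p in (b"GET /cgi-bin/../../etc/passwd HTTP/1.0",
              b"id=1 UNION SELECT user,pass FROM users",
              b"GET /index.html HTTP/1.1"):
        print(p, "->", scan(p))
```

Matching here is byte-exact, like a Snort content option without nocase; a case-insensitive signature would be handled by lowering both the pattern and the payload before scanning, which the Snort engine does per pattern rather than per payload.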
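Improvement item (1) proposes carrying IDMEF alerts as JSON instead of XML. As an added example, not the thesis's IDMEFNew format (which the abstract does not specify) and not code from the thesis, the block below parses an IDMEF alert in its standard RFC 4765 XML form and re-emits the same object model as JSON; the sample alert, host names, addresses and rule reference are constructed, and the key naming convention (attributes as plain keys, leaf text under "value") is this example's own choice.

```python
"""Convert an IDMEF (RFC 4765) alert from XML to JSON.

IDMEF defines an alert object model (Alert, Analyzer, CreateTime, Source,
Target, Classification, ...) and serialises it as XML.  The converter below
keeps that model and emits JSON instead: element names become keys, XML
attributes become plain keys, repeated elements become lists, and the text
of a leaf element that also carries attributes is stored under "value".
"""
import json
import xml.etree.ElementTree as ET

IDMEF_NS = "{http://iana.org/idmef}"

# Constructed sample alert, modelled on the examples in RFC 4765 section 7;
# the hosts, addresses and rule reference are invented.
SAMPLE_ALERT = b"""<?xml version="1.0" encoding="UTF-8"?>
<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="sensor01">
      <idmef:Node category="dns"><idmef:name>sensor.example.com</idmef:name></idmef:Node>
    </idmef:Analyzer>
    <idmef:CreateTime ntpstamp="0xbc723b45.0xef449129">2000-03-09T10:01:25.93464-05:00</idmef:CreateTime>
    <idmef:Source spoofed="unknown">
      <idmef:Node><idmef:Address category="ipv4-addr"><idmef:address>192.0.2.200</idmef:address></idmef:Address></idmef:Node>
    </idmef:Source>
    <idmef:Target decoy="unknown">
      <idmef:Node><idmef:Address category="ipv4-addr"><idmef:address>192.0.2.50</idmef:address></idmef:Address></idmef:Node>
      <idmef:Service><idmef:port>80</idmef:port><idmef:protocol>tcp</idmef:protocol></idmef:Service>
    </idmef:Target>
    <idmef:Classification text="Directory traversal attempt">
      <idmef:Reference origin="vendor-specific">
        <idmef:name>RULE-1001</idmef:name>
        <idmef:url>http://sensor.example.com/rules/1001</idmef:url>
      </idmef:Reference>
    </idmef:Classification>
  </idmef:Alert>
</idmef:IDMEF-Message>
"""


def _local(tag):
    """Strip the IDMEF namespace so JSON keys are the bare class names."""
    return tag[len(IDMEF_NS):] if tag.startswith(IDMEF_NS) else tag


def element_to_obj(elem):
    """Recursively map one element to a str (pure leaf), dict or list value."""
    obj = dict(elem.attrib)
    children = list(elem)
    if not children:
        text = (elem.text or "").strip()
        if not obj:
            return text                 # e.g. <name>sensor.example.com</name>
        if text:
            obj["value"] = text         # e.g. <CreateTime ntpstamp=...>...</CreateTime>
        return obj
    for child in children:
        key = _local(child.tag)
        val = element_to_obj(child)
        if key in obj:                  # repeated element -> list
            if not isinstance(obj[key], list):
                obj[key] = [obj[key]]
            obj[key].append(val)
        else:
            obj[key] = val
    return obj


def idmef_xml_to_json(xml_bytes):
    """Parse an IDMEF XML message and return the equivalent JSON-ready dict."""
    root = ET.fromstring(xml_bytes)
    if _local(root.tag) != "IDMEF-Message":
        raise ValueError("not an IDMEF message: root is %s" % root.tag)
    return {"IDMEF-Message": element_to_obj(root)}


def _first(x):
    """IDMEF allows repeated Source/Target elements; summarise the first."""
    return x[0] if isinstance(x, list) else x


def alert_summary(doc):
    """Pull out the fields an analyst would index first."""
    alert = doc["IDMEF-Message"]["Alert"]
    src, dst = _first(alert["Source"]), _first(alert["Target"])
    return {
        "messageid": alert["messageid"],
        "analyzer": alert["Analyzer"]["analyzerid"],
        "time": alert["CreateTime"]["value"],
        "source": src["Node"]["Address"]["address"],
        "target": dst["Node"]["Address"]["address"],
        "port": int(dst["Service"]["port"]),
        "classification": alert["Classification"]["text"],
    }


def encoded_sizes(xml_bytes):
    """(XML size, compact JSON size) for the same alert."""
    compact = json.dumps(idmef_xml_to_json(xml_bytes), separators=(",", ":"))
    return len(xml_bytes), len(compact.encode("utf-8"))


if __name__ == "__main__":
    doc = idmef_xml_to_json(SAMPLE_ALERT)
    print(json.dumps(doc, indent=1))
    print(alert_summary(doc))
    print("xml bytes, json bytes:", encoded_sizes(SAMPLE_ALERT))
```

Two practical notes. Alerts arriving from remote sensors are untrusted input: xml.etree does not fetch external entities, but its resistance to entity-expansion attacks depends on the underlying Expat version, so a manager receiving XML over the network should parse it with defusedxml rather than the plain module used here. The thesis's further step, the Avro binary encoding of IDMEFNew for high-volume transport and Hadoop ingestion, is not reproduced above; the JSON document produced here is the kind of record such a schema-based encoder would take as input.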
Keywords: Distributed Intrusion Detection, Pattern Matching, BEEP, IDMEF, Avro