Journal article

基于分布协作式代理的网络入侵检测技术的研究与实现 (Research and Implementation of Network Intrusion Detection Technology Based on Cooperative Distributed Agents)

The Research and Implementation of Network Intrusion Detection System Based on Cooperative Distributed Agent

Times cited: 21
Abstract (Chinese, translated): In recent years, network attacks have become increasingly common and increasingly difficult to defend against. Traditional technologies such as firewalls struggle to meet current network security needs, so a new network security technology, network intrusion detection, has been proposed; it compensates well for the shortcomings of other technologies. However, current intrusion detection technology still has problems in the accuracy and reliability of detection. To address this, this paper proposes a new network intrusion detection technique based on cooperative distributed agents. Through the cooperative work of agents, this technique blocks intrusions against the local host and the whole network, and it can discover the intruder's intrusion path, which provides a means of thoroughly eradicating the intrusion. The technique has been tested in practice and shows good performance.

Abstract (English): In the last decade, network attacks have become more common and sophisticated. However, detecting break-in attempts is a difficult task, and making the distinction between misuse and normal use is hard. Traditional technology such as firewalls is not enough to solve all kinds of attacks. For this reason, intrusion detection technology has become a focus of network security. Intrusion detection is a security technology that attempts to identify and isolate "intrusions" against computer systems; it complements other security technologies. Generally, intrusion detection falls into two categories: host-based and network-based. In this paper we analyze the advantages and disadvantages of host-based and network-based intrusion detection, then present a new approach that applies cooperative distributed agents to network intrusion detection. Our prototype application is based on multiple monitor agents that can detect local-host and remote-host intrusions cooperatively. These agents should be installed on every key host and perform three important tasks: host-based intrusion detection, cooperative intrusion alarm, and intrusion event handling. The approach we present can be used to analyze past and future intrusion patterns. After an intruder is detected, several methods can be used to break the intrusion, such as killing the process, locking the user account, and limiting user privileges; the user can select the method according to the intrusion grade. Moreover, we can break all intrusions along the intrusion path by notifying the other related agents of the alert. To demonstrate the usability of our approach, we developed a prototype system on the Linux and Solaris operating systems and then tested it in a real network environment. The experimental results show that it not only detects many known intrusive patterns but also consumes few system resources and little network bandwidth. Although it is currently realized on the Unix platform, it is easy to migrate to other platforms because it is independent of the system environment. We believe that such a technique can be applied in network security systems.
Source: Chinese Journal of Computers (计算机学报), indexed in EI and CSCD, Peking University Core Journal; 2001, No. 7, pp. 736-741 (6 pages)
Funding: National "Ninth Five-Year" Key Science and Technology Project (96-743-01-04-01)
Keywords (Chinese, translated): network security; intrusion detection; computer networks; cooperative distributed agent; firewall
Keywords (English): network security, intrusion detection, cooperative, distributed agent
Related literature

References (1):

  • 1. Staniford-Chen S. Information Survivability Workshop, Orlando, FL, Technical Report T12, 1998.

Co-cited literature: 93

Citing literature: 21

Second-level citing literature: 49
