
Research Of Correlating Distributed Intrusion Detection Systems Based On The Process Tracking Method

Posted on: 2011-08-29
Degree: Master
Type: Thesis
Country: China
Candidate: L D Jie
Full Text: PDF
GTID: 2178330332979489
Subject: Electronics and Communications Engineering

Abstract/Summary:
As network environments become more complex, the security of networks and information becomes a more prominent problem. An Intrusion Detection System (IDS) is a key link in network security and an important defensive system: it detects subtle intrusions and raises an alarm when one occurs. With the growing number of intrusion types, traditional IDS can no longer meet the demands, for the following reason: existing Distributed Intrusion Detection Systems (DIDS) are still limited by the inaccurate information the IDS uses for correlation and by their inability to discriminate between heterogeneous alarm information. The main purpose of this research is therefore to supplement DIDS with Process Tracking (PT) and to investigate a new Relationship Correlation Model (RCM), in order to address the alert-correlation flaws of previous DIDS.

This paper presents designs and research on an IDS based on PT. By viewing the network and information system from the program (process) perspective and combining a network model, a host model and a behavioral analysis model, it can effectively improve detection efficiency and decrease false alarms. The main content is as follows:

First, we analyze the approaches of DIDS and explore the basis of the correlation methods, including the usual ranks, the user's address, the type of attack, the content of the intrusion alarm, model tools and so on. We analyze the common problems of existing correlation analysis by re-examining the meaning and features of each type of detection index. We then research relevant solutions and treat the whole network and information system at the process level. On the basis of process relationships we develop a further correlation analysis model, the Process Relationship Correlation Model.

Second, we analyze the Process Relationship Model in detail, presenting all relationships in a process relationship chart, and complete the whole operation process by maintaining and searching this chart.

Third, we design a prototype intrusion detection system named PRIDS (Process Relationship based Distributed Intrusion Detection System). We implemented PRIDS on Microsoft WinXP and used three artificial attacks to evaluate its detection ability. The experimental results show that PRIDS could efficiently detect all these intrusions.
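The process-relationship correlation sketched above (a parent/child process chart that is maintained and searched so that heterogeneous alerts can be grouped) could be realized roughly as follows. This is an added illustration written for this page, not code from the thesis or from PRIDS. It assumes that every alert, whether from a network sensor or a host sensor, has already been attributed to a host and a process id, that process-creation events are available to build the chart, and that two alerts are related when the process of one lies on the ancestry chain of the other; the events and alerts are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

ProcKey = Tuple[str, int]  # (host, pid)


@dataclass(frozen=True)
class ProcEvent:
    """A process-creation event as a host sensor might report it."""
    host: str
    pid: int
    ppid: int
    name: str


@dataclass(frozen=True)
class Alert:
    """A normalized alert; source is e.g. 'NIDS' or 'HIDS' (assumed attribution to a pid)."""
    alert_id: str
    source: str
    host: str
    pid: int
    message: str


class ProcessRelationshipGraph:
    """Process relationship chart: each known process points to its parent."""

    def __init__(self) -> None:
        self._parent: Dict[ProcKey, ProcKey] = {}
        self._name: Dict[ProcKey, str] = {}

    def add(self, ev: ProcEvent) -> None:
        key = (ev.host, ev.pid)
        self._name[key] = ev.name
        if ev.ppid > 0:  # ppid 0 marks a root with no recorded parent
            self._parent[key] = (ev.host, ev.ppid)

    def name(self, key: ProcKey) -> str:
        return self._name.get(key, "<unknown>")

    def lineage(self, key: ProcKey) -> List[ProcKey]:
        """The process itself followed by its ancestors, nearest first.
        Stops at a root or at a process the chart has never seen."""
        chain, seen = [key], {key}
        while key in self._parent:
            key = self._parent[key]
            if key in seen:  # guard against a corrupted ppid cycle
                break
            seen.add(key)
            chain.append(key)
        return chain


def correlate(graph: ProcessRelationshipGraph, alerts: List[Alert]) -> List[List[str]]:
    """Group alerts whose processes are related by ancestry (union-find over alerts)."""
    keys = [(a.host, a.pid) for a in alerts]
    lineages = [set(graph.lineage(k)) for k in keys]
    parent = list(range(len(alerts)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(alerts)):
        for j in range(i + 1, len(alerts)):
            # related if one alert's process lies on the other's ancestry chain
            if keys[i] in lineages[j] or keys[j] in lineages[i]:
                parent[find(i)] = find(j)

    groups: Dict[int, List[str]] = defaultdict(list)
    for i, a in enumerate(alerts):
        groups[find(i)].append(a.alert_id)
    return sorted(sorted(g) for g in groups.values())


# Constructed sample data: one host with a suspicious chain and a benign chain,
# plus an alert from a second host the chart knows nothing about.
SAMPLE_EVENTS = [
    ProcEvent("ws1", 4, 0, "System"),
    ProcEvent("ws1", 400, 4, "services.exe"),
    ProcEvent("ws1", 1200, 400, "svchost.exe"),
    ProcEvent("ws1", 2000, 1200, "cmd.exe"),
    ProcEvent("ws1", 2100, 2000, "ftp.exe"),
    ProcEvent("ws1", 3000, 400, "explorer.exe"),
    ProcEvent("ws1", 3100, 3000, "notepad.exe"),
]
SAMPLE_ALERTS = [
    Alert("A1", "NIDS", "ws1", 2100, "outbound FTP session to unusual destination"),
    Alert("A2", "HIDS", "ws1", 2000, "cmd.exe spawned by svchost.exe"),
    Alert("A3", "HIDS", "ws1", 1200, "svchost.exe loaded an unsigned module"),
    Alert("A4", "HIDS", "ws1", 3100, "notepad.exe wrote to a temp directory"),
    Alert("A5", "NIDS", "ws2", 500, "port sweep observed"),
]


def build_sample_graph() -> ProcessRelationshipGraph:
    g = ProcessRelationshipGraph()
    for ev in SAMPLE_EVENTS:
        g.add(ev)
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    for incident in correlate(g, SAMPLE_ALERTS):
        print("incident:", incident)
        for a in SAMPLE_ALERTS:
            if a.alert_id in incident:
                chain = " <- ".join(g.name(k) for k in g.lineage((a.host, a.pid)))
                print(f"  {a.alert_id} [{a.source}] {a.message}  ({chain})")
```

Running the block groups A1, A2 and A3 into one incident because the FTP client, the cmd.exe that launched it and the svchost.exe above them sit on one ancestry chain, while the notepad alert and the alert from the unknown host stay separate. A per-alert view would have reported three unrelated events on ws1; the chart is what lets a network alert and two host alerts be read as one intrusion.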
Keywords/Search Tags: Distributed Intrusion Detection System, Correlation, Process Relationship, Process Relationship Correlation Model, Process Tracking