
The Design And Implementation Of A Distributed Intrusion Detection Architecture

Posted on: 2007-12-26
Degree: Master
Type: Thesis
Country: China
Candidate: W Song
Full Text: PDF
GTID: 2178360185977535
Subject: Computer application technology
Abstract/Summary:
Intrusion Detection Systems (IDS) are one of the most important means of securing network systems. However, classical intrusion detection systems face a challenging situation with ever-growing network bandwidth and data transmission rates. A centralized IDS cannot avoid a high rate of network packet loss and the heavy load it places on the accommodating host. Besides, with the rapid adoption of switches in modern networks, the previously used network sniffer programs cannot see the traffic between other hosts, so it is infeasible to use a sniffer as the data collection mechanism in modern intrusion detection. All these conditions call for a distributed way of collecting and analyzing data.

In this thesis we propose a distributed intrusion detection architecture to solve the problems brought by modern high-speed networks. Data collection, filtering and persistence mechanisms have been implemented, together with a newly designed protocol suite that ensures distributed communication between different intrusion detection agents. Based on the file-mapping mechanism and the NDIS network driver architecture of the Microsoft Windows platform, the data collection and filtering module has been implemented as a kernel-mode driver, giving a convenient environment for much faster packet capture while maintaining highly efficient information dumping. The intrusion detection module has been implemented as a single kernel-mode dynamic link library (DLL), ensuring the independence and replaceability of the actual functioning part of the IDS in future research on intrusion detection algorithms. The data collection, dumping and analysis modules are all fixed into a single agent, which is an independent functioning entity on a physical host, ensuring the flexibility and extensibility of the actual intrusion detection.

A newly designed protocol suite ensures distributed communication between the different agents, with its Coordinator Election Algorithm simulated in the NS2 environment. The implementation of a kernel-mode data capture mechanism based on an NDIS intermediate driver and the design of an inter-agent communication protocol suite are novel attempts in the intrusion detection field; they enrich the means of intrusion detection architecture design while providing a solid platform for future intrusion detection algorithm research.
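The inter-agent coordinator election mentioned above, as an added illustration that is not the thesis's code: the abstract does not state the election rules, so this simulation assumes a bully-style election (the highest live agent id becomes coordinator) over a lossless in-memory message bus, and walks through a re-election after the coordinator agent fails.

```python
"""Coordinator election among distributed IDS agents: an added example, not
thesis code. The thesis names a Coordinator Election Algorithm simulated in NS2
but not its rules; this block ASSUMES a bully-style election (highest live agent
id wins) over a lossless in-memory message bus."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Agent:
    aid: int                            # unique agent id, doubles as priority
    alive: bool = True
    coordinator: Optional[int] = None   # coordinator this agent currently trusts

class AgentNetwork:
    def __init__(self, ids: List[int]) -> None:
        self.agents: Dict[int, Agent] = {i: Agent(i) for i in ids}
        self.log: List[Tuple[int, str, int]] = []  # (sender, message, receiver)

    def send(self, src: int, msg: str, dst: int) -> bool:
        """Deliver one message; a crashed receiver never answers (False)."""
        self.log.append((src, msg, dst))
        return self.agents[dst].alive

    def elect(self, initiator: int) -> int:
        """Bully-style election started by `initiator`; returns the winner."""
        higher = [i for i in sorted(self.agents) if i > initiator]
        replies = [i for i in higher if self.send(initiator, "ELECTION", i)]
        if replies:
            # Each live higher agent would start its own round; the outcome
            # equals letting the highest responder continue, so simulate that.
            return self.elect(max(replies))
        # Nobody live outranks the initiator: announce it to all live peers.
        for i in self.agents:
            if self.agents[i].alive and i != initiator:
                self.send(initiator, "COORDINATOR", i)
                self.agents[i].coordinator = initiator
        self.agents[initiator].coordinator = initiator
        return initiator

    def fail(self, aid: int) -> None:
        """Simulate a crashed agent (host down, capture driver unloaded, ...)."""
        self.agents[aid].alive = False

    def heartbeat(self, aid: int) -> int:
        """Agent `aid` probes its coordinator; silence triggers a re-election."""
        agent = self.agents[aid]
        if agent.coordinator is not None and self.send(aid, "PING", agent.coordinator):
            return agent.coordinator
        return self.elect(aid)
```

A crashed agent keeps its stale view of the coordinator, which is exactly what a real protocol must reconcile when that host comes back.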
Keywords/Search Tags: Intrusion Detection, Windows Kernel Mode Driver, NDIS Intermediate Driver, Network Security, Distributed Protocol, NS2