

Research on Service-oriented Model of Distributed Intrusion Detection System

【Author】 Wang Fudong (王阜东)

【Supervisor】 Li Zhitang (李之棠)

【Author information】 Huazhong University of Science and Technology, Computer Architecture, 2006, Master's thesis

【Abstract (translated from the Chinese)】 Existing distributed intrusion detection systems are mostly deployed in a fixed way and cannot keep pace with the ever-growing scale and dynamism of modern networks; they also suffer from drawbacks such as single points of failure and long response latency. To improve scalability and shorten response time, P2P networking can be applied to the connections between the components of a distributed IDS. However, if security components are connected purely through a P2P network, each component has too many connection partners and they cannot cooperate effectively. To solve these problems, a service-oriented approach is introduced into the design of the distributed IDS, and a self-organizing, service-oriented distributed IDS model based on a peer-to-peer network, SODIDS (Service Oriented Distributed Intrusion Detection System), is proposed. SODIDS uses multi-domain cooperation so that the system can be deployed in large-scale network environments. For the representation of service information, in order to avoid establishing useless connections and to improve scalability and manageability, common intrusion detection techniques are partitioned into coarse-grained, loosely coupled services and a simple service model is proposed; security components self-organize according to this model and select cooperation partners based on service information. For the lookup of service information, in order to speed up self-organization and shorten the response time to intrusions, a hierarchical P2P technique based on the ChordPNS protocol is used: a subset of nodes is selected according to their indexing capacity to form a service index layer, and the remaining nodes publish and retrieve service information through that layer. An inter-layer balance factor is introduced to control the lookup performance of the hierarchical P2P network. For intrusion detection, in order to simplify information exchange between security components, a detection method based on basic security events is used, and an implementation of a network-based security event detection engine is given. Simulation of the hierarchical P2P lookup performance shows that choosing an appropriate inter-layer balance factor reduces the average latency of successful lookups and improves the efficiency of service lookup. The system therefore self-organizes faster and responds to intrusions sooner, meeting the design goals.

【Abstract】 Current distributed intrusion detection systems are usually deployed in a fixed way and cannot keep up with the growing size of the modern Internet. They also have drawbacks such as single points of failure and high response latency. To gain extensibility and lower response latency, P2P technology can be used to connect security components. But using a P2P network alone to connect all components gives each node too many peers to communicate with, and they cannot cooperate well. To solve these problems, a service-oriented concept is applied to the DIDS, and a service-oriented self-organizing model of a DIDS based on a P2P network, SODIDS, is proposed. SODIDS can be deployed in a large-scale network using a multi-domain cooperation method. First, to avoid invalid connections and make cooperation more efficient, existing intrusion detection technology is analysed and divided into security services with coarse granularity and loose coupling, and a simple service model is proposed. Security components use it to choose cooperators and self-organize into a DIDS. Second, to organize the system more quickly and lower response latency, a multi-layer P2P network is proposed through which security components search for service information. The multi-layer P2P network does not let every component build the index layer; instead it computes each node's index capacity and selects only some of them. A layer-balance factor is used to control the performance of the index layer. Finally, to make interaction between security components convenient, the system's intrusion detection is based on basic security events, and an implementation of a network-based security event detector is given. Simulation shows that by carefully choosing the layer-balance factor, the latency of successful lookups can be lowered and the efficiency of the service lookup procedure improved. The system can therefore be organized more quickly and achieve lower response latency, which meets the design goal.
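The index-layer idea in the abstracts can be made concrete with a small simulation. The Python below is an added illustration written for this page, not code from the thesis or from SODIDS: it ranks nodes by a constructed "index capacity", admits the top fraction to a Chord-style ring (plain Chord finger-table lookup stands in for ChordPNS, whose details are not on this page), attaches every remaining component to one index node, publishes each component's coarse-grained service types into the ring, and then reports the average number of hops per service lookup together with the maximum number of leaves attached to any one index node. Modelling the balance factor as the admitted fraction of nodes is an assumption; the service types, node names and capacities are constructed sample data.

```python
"""Toy two-layer P2P service directory for a distributed IDS (added example).

Assumptions not taken from the thesis: the balance factor is the fraction of
nodes admitted to the index layer, lookups use plain Chord finger tables, and
the four service types below stand in for the thesis's "simple service model".
"""
import hashlib
from bisect import bisect_left

M = 24                 # identifier bits of the toy ring (assumption)
RING = 1 << M

# Coarse-grained service types, constructed for this example
SERVICE_TYPES = ("net-signature", "host-anomaly", "log-correlation", "response")


def chord_id(name: str) -> int:
    """Map a name onto the ring with SHA-1 truncated to M bits, as in Chord."""
    return int(hashlib.sha1(name.encode()).hexdigest(), 16) % RING


def between(x, a, b):
    """True if x lies in the ring interval (a, b]; (a, a] is the whole ring."""
    return True if a == b else 0 < (x - a) % RING <= (b - a) % RING


def between_open(x, a, b):
    """True if x lies in the ring interval (a, b); (a, a) is everything but a."""
    return x != a if a == b else 0 < (x - a) % RING < (b - a) % RING


class Node:
    def __init__(self, name, index_capacity, services):
        self.name, self.id = name, chord_id(name)
        self.index_capacity = index_capacity   # e.g. a CPU/bandwidth score
        self.services = tuple(services)        # service types this component offers
        self.fingers = []                      # index layer only
        self.store = {}                        # index layer only: service -> {providers}
        self.index_peer = None                 # entry point into the index layer


def ring_lookup(start, key):
    """Chord find_successor over finger tables; returns (owner, hops between index nodes)."""
    n, hops = start, 0
    while not between(key, n.id, n.fingers[0].id):
        nxt = n.fingers[0]
        for f in reversed(n.fingers):          # closest preceding finger
            if between_open(f.id, n.id, key):
                nxt = f
                break
        n, hops = nxt, hops + 1
    owner = n.fingers[0]
    return owner, hops + (owner is not n)


def build_overlay(nodes, balance_factor):
    """Admit the top round(balance_factor*N) nodes by capacity to the index ring,
    attach the rest as leaves, and publish every node's services into the ring."""
    k = max(1, round(balance_factor * len(nodes)))
    ranked = sorted(nodes, key=lambda n: (-n.index_capacity, n.name))
    index = sorted(ranked[:k], key=lambda n: n.id)
    ids = [n.id for n in index]
    succ = lambda key: index[bisect_left(ids, key) % len(index)]
    for n in index:
        n.fingers = [succ((n.id + (1 << i)) % RING) for i in range(M)]
        n.index_peer = n
    for leaf in ranked[k:]:
        leaf.index_peer = succ(leaf.id)
    for n in nodes:                            # publish coarse-grained service info
        for s in n.services:
            owner, _ = ring_lookup(n.index_peer, chord_id(s))
            owner.store.setdefault(s, set()).add(n.name)
    return index, ranked[k:]


def find_providers(node, service):
    """Query from any component: one hop to its index peer (if it is a leaf), then the ring."""
    owner, hops = ring_lookup(node.index_peer, chord_id(service))
    return owner.store.get(service, set()), hops + (node.index_peer is not node)


def evaluate(nodes, balance_factor):
    """Average hops per lookup and maximum leaves per index node for one balance factor."""
    index, leaves = build_overlay(nodes, balance_factor)
    total = count = 0
    for n in nodes:
        for s in SERVICE_TYPES:
            total += find_providers(n, s)[1]
            count += 1
    fan_in = max(sum(1 for leaf in leaves if leaf.index_peer is i) for i in index)
    return total / count, fan_in


def make_nodes(count=32):
    """Constructed sample deployment: deterministic capacities and service types."""
    return [Node(f"ids-{i:02d}", (i * 7) % 13 + 1,
                 [SERVICE_TYPES[i % 4], SERVICE_TYPES[(i * 3) % 4]])
            for i in range(count)]


if __name__ == "__main__":
    for bf in (0.1, 0.25, 0.5, 1.0):
        hops, fan_in = evaluate(make_nodes(), bf)
        print(f"balance factor {bf:.2f}: avg hops {hops:.2f}, max leaves per index node {fan_in}")
```

Running the script prints one line per balance factor; a small factor keeps the ring short but piles many leaves onto each index node, while a factor of 1.0 removes the fan-in entirely at the cost of longer ring walks. That trade-off is what the abstracts describe the layer-balance factor as controlling; the exact numbers depend on the constructed capacities and on the hash placement of the sample names.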

  • 【CLC number】TP393.08
  • 【Cited by】1
  • 【Downloads】60