分布式入侵检测监视代理及数据融合算法

对分布式拒绝服务攻击的防护,传统的方法是采用路由访问控制列表过滤的防护方法,无法识别虚假地址和针对应用层的攻击,而且容易造成服务器无法向外部提供正常的服务。为此,在探讨分布式拒绝服务攻击原理和特征的基础上,设计了分布式入侵检测系统的监视代理模块,提出和实现了用于多监视代理之间协同检测的数据融合算法。实验证明,该算法可在0.07~1 s之内检测出Syn洪水,Smurf,Land等多种分布式拒绝服务的攻击,并可及时地采取响应措施,阻断攻击者的网络连接。由于该算法建立在对多数据源的数据分析基础上,因此,大大提高了入侵检测的准确性,克服了路由访问控制列表过滤的局限性,基本实现了在不影响网络正常运行情况下的实时检测与报警功能。

The Design and Realization of Monitor Agent and Data Fusion Arithmetic in Distributed Intrusion Detection

The traditional detect method of adopting acl for DOS can not identify the attack aiming at the fake address and application layer,and easily made the server cannot apply the normal service for user.The monitor agent module of DIDS(Distributed Intrusion Detection System) is designed based on the discusses of the principle and character of DDOS.The data fusion arithmetic used among the monitor agents are provided and realized,then we proved that the arithmetic can detect many distributed denial attacks such as Syn Flood,Smurf, Land etc in 0.07~1 seconds and take instant countermeasures to block intrusive connections.Furthermore,basing on the analysis of multi-data of many machines,the arithmetic advances the exactness of intrusion detection largely,overcomes the localization of the traditional detect method of Router access control list,realizing the detect and alert in the condition of not influencing the normal run of the network.