Open Access Journal Article

The Research and Implementation of Network Intrusion Detection System Based on Cooperative Distributed Agent

TL;DR
This paper presents a new approach that applies cooperative distributed agents to network intrusion detection, and argues that such a technique can be applied to network security systems.
Abstract
In the last decade, network attacks have become more common and sophisticated. However, detecting break-in attempts is a difficult task: making the distinction between misuse and normal use is hard. Traditional technology such as firewalls is not enough to counter all kinds of attacks. For this reason, intrusion detection technology has become a focus of network security. Intrusion detection is a security technology that attempts to identify and isolate "intrusions" against computer systems, and it complements other security technologies. Generally, intrusion detection falls into two categories: host-based and network-based. In this paper we analyze the advantages and disadvantages of host-based and network-based intrusion detection, then present a new approach that applies cooperative distributed agents to network intrusion detection. Our prototype application is based on multiple monitor agents that can detect local host intrusions and remote host intrusions cooperatively. These agents are installed on every key host and perform three important tasks: host-based intrusion detection, cooperative intrusion alarming and intrusion event handling. The approach we present can be used to analyze past and future intrusion patterns. After an intruder is detected, several methods can be used to stop the intrusion, such as killing the process, locking the user account and limiting user privileges. The user can select the method according to the intrusion grade. Moreover, we can stop all intrusions along the intrusion path by notifying the other related agents of the alert. To demonstrate the usability of our approach, we developed a prototype system on the Linux and Solaris operating systems and then tested it in a real network environment. The experimental results show that it can not only detect a large number of known intrusive patterns but also uses little system resources and network bandwidth. Although it is currently implemented on the Unix platform, it is easy to migrate to other platforms because it is independent of the system environment. We believe that such a technique can be applied to network security systems.

Citations
A Swarm-Intelligence-Based Intrusion Detection Technique

Zhou Lianying, +1 more
TL;DR: A swarm-intelligence-based intrusion detection technique is proposed in order to reduce the misjudgments and missed detections of existing intrusion detection techniques and to improve their real-time response.

User-Level Message Passing Mechanism Based on Semi-Polling Driven in RTLinux

TL;DR: With a new semi-polling-driven mechanism, the interrupt frequency is lowered, the processing performance for short messages is significantly improved, and communication overhead and latency are efficiently reduced.