Similar literature
20 similar records found
1.
An Immunity-Based Distributed Intrusion Detection System Model   Cited: 3 (self-citations: 0, by others: 3)
楚赟, 戴英侠, 万国龙. 《计算机应用》 (Computer Applications), 2005, 25(5): 1153-1157
Most traditional intrusion detection systems use a centralised analysis engine; they have a high false-positive rate and lack adaptivity, and can no longer meet the security needs of the ever-growing large-scale distributed network environment. The distributed, diverse, adaptive and efficient way in which the biological immune system handles foreign antigens offers a new approach for intrusion detection research. Drawing on biological immune mechanisms and combining them with data mining techniques, this paper proposes an immunity-based distributed intrusion detection system model. The architecture and working mechanism of the model are described in detail, and its properties are analysed.

2.
A Secure Distributed Intrusion Detection System Framework   Cited: 2 (self-citations: 0, by others: 2)
Addressing the security requirements of distributed intrusion detection systems, this paper analyses the system infrastructure, identity authentication and secure communication, and proposes SADIDS, a distributed intrusion detection system framework in which the detection engines are implemented with mobile agent technology and the security of the whole system is protected by public key infrastructure (PKI) authentication and elliptic curve cryptography (ECC). The framework effectively protects the intrusion detection system itself, and is simple and flexible to implement and highly mobile.

3.
4.
Research on a Mobile-Agent-Based Distributed Intrusion Detection System*   Cited: 1 (self-citations: 0, by others: 1)
To improve the efficiency and performance of existing distributed intrusion detection systems, this paper proposes a distributed intrusion detection system model based on mobile agents. Mobile agent technology is applied to intrusion detection, a reliable communication method between the mobile agents is given, and cooperative detection among agents is implemented. Experimental results show that, because mobile agents are used, the nodes of the intrusion detection system become mobile components, which gives the model stronger resistance to attack and better intrusion detection capability.

5.
Distributed intrusion detection systems have several advantages over centralized systems, such as scalability, adaptability, and fault tolerance. A current research topic in distributed systems is self-monitoring to identify corrupted intrusion detection systems. One way of self-monitoring is for intrusion detection systems to check each other. As we describe herein, this can be done by mobile agents using an immunity-based diagnostic method modeled on idiotypic network theory. In simulations, the credibility of normal intrusion detection systems remained near 1, while it fell to about 0 for corrupted intrusion detection systems, thus enabling identification of the latter. We also confirmed what effects some parameters have on the diagnostic capability. This work was presented, in part, at the 8th International Symposium on Artificial Life and Robotics, Oita, Japan, January 24–26, 2003.

6.
Distributed intrusion detection systems, which consist of spatially distributed monitoring elements, may be applied to detect intrusions in a real-time manner based on the analysis of collected data. This article will present and discuss some selected aspects of the architecture and efficiency of detection systems. The first part considers intrusion detection capabilities as being dependent on different distributed computer communication system parameters. The aim of the second part is to present an idea of the hierarchical architecture of distributed intrusion detection systems, and to assess the quality of monitoring performed in the lower layer of the hierarchical architecture of a distributed intrusion detection system.

7.
8.
Service providers have begun to offer multimedia-on-demand services to residential estates by installing isolated, small-scale multimedia servers at individual estates. Such an arrangement allows the service providers to operate without relying on a high-speed, large-capacity metropolitan area network, which is still not available in many countries. Unfortunately, installing isolated servers can incur very high server costs, as each server requires spare bandwidth to cope with fluctuations in user demand. The authors explore the feasibility of linking up several small multimedia servers to a (limited-capacity) network, and allowing servers with idle retrieval bandwidth to help out servers that are temporarily overloaded; the goal is to minimize the waiting time for service to begin. We identify four characteristics of load sharing in a distributed multimedia system that differentiate it from load balancing in a conventional distributed system. We then introduce a GWQ load sharing algorithm that fits and exploits these characteristics; it puts all servers' pending requests in a global queue, from which a server with idle capacity obtains additional jobs. The performance of the algorithm is captured by an analytical model, which we validate through simulations. Both the analytical and simulation models show that the algorithm vastly reduces wait times at the servers. The analytical model also provides guidelines for capacity planning. Finally, we propose an enhanced GWQ+L algorithm that allows a server to reclaim active local requests that are being serviced remotely. Simulation experiments indicate that the scheduling decisions of GWQ+L are optimal, i.e., it enables the distributed servers to approximate the performance of a large centralized server.

9.
10.
Data Collection Mechanisms for IDS   Cited: 1 (self-citations: 1, by others: 1)
This paper first explains the importance of data collection in intrusion detection, then classifies the current data collection mechanisms and compares and discusses the advantages and disadvantages of the different methods within each class.

11.
A distributed data mining algorithm to improve the detection accuracy when classifying malicious or unauthorized network activity is presented. The algorithm is based on genetic programming (GP) extended with the ensemble paradigm. A GP ensemble is particularly suitable for distributed intrusion detection because it allows a network profile to be built by combining different classifiers that together provide complementary information. The main novelty of the algorithm is that data is distributed across multiple autonomous sites and the learner component acquires useful knowledge from this data in a cooperative way. The network profile is then used to predict abnormal behavior. Experiments on the KDD Cup 1999 data show the capability of genetic programming in successfully dealing with the problem of intrusion detection on distributed data.

12.
13.
An approximate model is presented for the mean response time in a distributed computer system in which components may fail. Each node in the system periodically performs a checkpoint, and also periodically tests the other nodes to determine whether they are failed or not. When a node fails, it distributes its workload to other nodes which appear to be operational, based on the results of its most recent test. An approximate response time model is developed, explicitly allowing for the delays caused by transactions being incorrectly transferred to failed nodes, because of out-of-date testing results. For the case when all nodes are identical, a closed form solution is derived for the optimal testing rate minimizing the average response time. Numerical results are presented illustrating the relationships among the problem parameters. This research was performed while Satish Tripathi and David Finkel were visiting ISEM. Satish Tripathi's research was supported in part by grants from NSF (grant no. DCR-84-05235) and NASA (grant no. NAG 5-235), and by Université de Paris-Sud.

14.
In this paper, we study the performance characteristics of simple load sharing algorithms for heterogeneous distributed systems. We assume that nonnegligible delays are encountered in transferring jobs from one node to another. We analyze the effects of these delays on the performance of two threshold-based algorithms called Forward and Reverse. We formulate queuing theoretic models for each of the algorithms operating in heterogeneous systems under the assumption that the job arrival process at each node is Poisson and the service times and job transfer times are exponentially distributed. The models are solved using the Matrix-Geometric solution technique. These models are used to study the effects of different parameters and algorithm variations on the mean job response time: e.g., the effects of varying the thresholds, the impact of changing the probe limit, the impact of biasing the probing, and the optimal response times over a large range of loads and delays. Wherever relevant, the results of the models are compared with the M/M/1 model, representing no load balancing (hereafter referred to as NLB), and the M/M/K model, which is an achievable lower bound (hereafter referred to as LB).
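The two reference models named in this abstract, NLB (each node an isolated M/M/1 queue) and LB (all nodes pooled into one M/M/K queue), are standard results and can be computed directly. The block below is an added example, not code from the paper: it evaluates both bounds for identical nodes (the paper's heterogeneous case is not reproduced) so that a practitioner can see the response-time window within which any Forward- or Reverse-style sharing algorithm with transfer delays must land. The symbols lam (per-node arrival rate), mu (per-node service rate) and k (number of nodes) are assumptions of this example.

```python
"""Reference response-time bounds for load sharing among k identical nodes.

Added example, not code from the paper. NLB = M/M/1 per node (no load
balancing); LB = one M/M/k queue fed by all k * lam arrivals (the best any
sharing scheme can do). Symbols are assumed: lam = arrival rate per node,
mu = service rate per node, k = number of nodes.
"""
import math
from typing import Tuple


def mm1_response_time(lam: float, mu: float) -> float:
    """NLB: every node is an isolated M/M/1 queue, mean response time 1 / (mu - lam)."""
    if not 0 <= lam < mu:
        raise ValueError("M/M/1 requires 0 <= lam < mu")
    return 1.0 / (mu - lam)


def erlang_c(a: float, k: int) -> float:
    """Probability that an arrival to an M/M/k queue must wait (Erlang C formula).

    a = total arrival rate / mu is the offered load in Erlangs; stability needs a < k.
    """
    if not 0 <= a < k:
        raise ValueError("M/M/k requires offered load a < k")
    rho = a / k
    tail = a ** k / (math.factorial(k) * (1.0 - rho))
    head = sum(a ** n / math.factorial(n) for n in range(k))
    return tail / (head + tail)


def mmk_response_time(lam: float, mu: float, k: int) -> float:
    """LB: one k-server queue fed by all k * lam arrivals.

    Mean wait in queue Wq = P(wait) / (k * mu - k * lam); the response time adds
    one service time 1 / mu.
    """
    a = k * lam / mu
    wq = erlang_c(a, k) / (k * mu - k * lam)
    return wq + 1.0 / mu


def response_time_bounds(lam: float, mu: float, k: int) -> Tuple[float, float]:
    """(NLB, LB): a load-sharing algorithm's mean response time should fall between them."""
    return mm1_response_time(lam, mu), mmk_response_time(lam, mu, k)


def sharing_headroom(lam: float, mu: float, k: int) -> float:
    """NLB - LB: the most a sharing algorithm can gain per job on average.

    Transfer delay and probe overhead are paid out of this budget, so when the
    headroom is small (light load or few nodes) a nonnegligible transfer delay
    can make remote execution slower than serving the job locally.
    """
    nlb, lb = response_time_bounds(lam, mu, k)
    return nlb - lb


if __name__ == "__main__":
    mu = 1.0
    print(f"{'rho':>5} {'k':>3} {'NLB':>8} {'LB':>8} {'headroom':>9}")
    for k in (2, 4, 8):
        for rho in (0.3, 0.6, 0.8, 0.9):
            nlb, lb = response_time_bounds(rho * mu, mu, k)
            print(f"{rho:5.2f} {k:3d} {nlb:8.3f} {lb:8.3f} {nlb - lb:9.3f}")
```

At rho = 0.8 and k = 2 the bounds are 5.0 and 25/9 (about 2.78) service times; the gap widens quickly with load, which is why the abstract's transfer-delay effects matter most at high utilisation.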

15.
Addressing the new characteristics of network attacks, this paper proposes CTDIDS, a distributed network intrusion detection system model based on the Chi-square test. An anomaly-detection-based intrusion analysis engine is designed and implemented: network packets are analysed and the system's behaviour is checked by comparing Chi-square values. Compared with existing intrusion detection methods, the proposed method adapts better to its environment and supports cooperative analysis of data. Experiments show that the distributed intrusion detection system CTDIDS has higher accuracy and better scalability.
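The abstract says the engine compares Chi-square values computed from network packets but does not give the features, window size or threshold. The block below is an added example, not CTDIDS code: it learns an expected histogram of one assumed feature (destination-port class) from traffic taken to be attack-free, computes Pearson's chi-square statistic for each window of packets, and also pools the histograms of several sensors before testing, which is one concrete form of the "cooperative analysis" the abstract claims. The port classes, the 1% critical value for four degrees of freedom and all sample packets are constructed for the example.

```python
"""Chi-square anomaly test over per-window packet feature histograms.

Added example, not code from the CTDIDS paper. Assumptions: one feature
(destination-port class), add-one smoothing of the baseline, and a fixed
critical value; the paper's own features and thresholds are not given.
"""
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Tuple

CLASSES = ("web", "mail", "dns", "ssh", "other")
# Upper 1% point of the chi-square distribution with len(CLASSES) - 1 = 4 degrees of freedom.
CHI2_CRIT_DF4_P01 = 13.277


def port_class(dport: int) -> str:
    """Bucket a destination port into one of CLASSES (assumed mapping)."""
    if dport in (80, 443):
        return "web"
    if dport in (25, 110, 143):
        return "mail"
    if dport == 53:
        return "dns"
    if dport == 22:
        return "ssh"
    return "other"


def build_profile(training_dports: Iterable[int]) -> Dict[str, float]:
    """Expected class proportions learnt from traffic assumed to be attack-free.

    Add-one smoothing keeps every expected count positive, so the statistic is
    defined even for classes never seen during training.
    """
    counts = Counter(port_class(p) for p in training_dports)
    total = sum(counts.values()) + len(CLASSES)
    return {c: (counts[c] + 1) / total for c in CLASSES}


def chi_square(observed: Counter, n: int, profile: Dict[str, float]) -> float:
    """Pearson statistic sum((O - E)^2 / E) for a window of n packets."""
    return sum((observed[c] - n * profile[c]) ** 2 / (n * profile[c]) for c in CLASSES)


def check_window(window: Sequence[int], profile: Dict[str, float],
                 crit: float = CHI2_CRIT_DF4_P01) -> Tuple[bool, float]:
    """Single-sensor decision: (anomalous?, statistic) for one window of ports."""
    stat = chi_square(Counter(port_class(p) for p in window), len(window), profile)
    return stat > crit, stat


def check_pooled(windows: List[Sequence[int]], profile: Dict[str, float],
                 crit: float = CHI2_CRIT_DF4_P01) -> Tuple[bool, float]:
    """Cooperative decision: sensors ship histograms, the analyser pools them first.

    A scan spread thinly over many sensors may stay under the threshold at each
    one; summing the counts lets the deviations accumulate before the test.
    """
    pooled: Counter = Counter()
    n = 0
    for w in windows:
        pooled.update(port_class(p) for p in w)
        n += len(w)
    stat = chi_square(pooled, n, profile)
    return stat > crit, stat


# Constructed sample traffic (destination ports), not captured data.
TRAINING = [80] * 500 + [443] * 200 + [25] * 150 + [53] * 100 + [22] * 40 + [8080] * 10
NORMAL_WINDOW = [80] * 50 + [443] * 20 + [25] * 15 + [53] * 10 + [22] * 4 + [3306]
# Horizontal scan seen by one sensor: one packet to each of 85 high ports.
SCAN_WINDOW = [80] * 10 + [25] * 2 + [53] + [22] * 2 + list(range(30000, 30085))
# The same scan spread over five sensors: two odd ports each, otherwise normal traffic.
SENSOR_WINDOW = [80] * 28 + [25] * 6 + [53] * 4 + [22] * 2 + [31337, 31338]

if __name__ == "__main__":
    profile = build_profile(TRAINING)
    print("normal window :", check_window(NORMAL_WINDOW, profile))
    print("scan window   :", check_window(SCAN_WINDOW, profile))
    print("single sensor :", check_window(SENSOR_WINDOW, profile))
    print("five pooled   :", check_pooled([SENSOR_WINDOW] * 5, profile))
```

The pooled case is the point of distributing the engine: one sensor's window scores about 5.3 (below the 13.277 threshold), but five such windows pooled score about 26.5, because both the observed and expected counts scale with the number of sensors while the statistic grows linearly with them. Expected counts below about 5 in the rare classes make Pearson's statistic jumpy; with real traffic, merge sparse classes or enlarge the window before trusting the threshold.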

16.
This paper analyses existing distributed intrusion detection systems and their advantages in networks, applies agent technology to distributed intrusion detection, and on that basis proposes a new model, the agent-based distributed intrusion detection system (ADIDS). ADIDS adopts a multi-agent structure with no control centre, makes full use of the independence and autonomy of agents, minimises the coupling between detection components, and avoids the single point of failure introduced by a single central analyser. Each data collection component and detection component is an independent unit, so not only data collection but also intrusion detection and real-time response are distributed, which improves the robustness of the system and realises distributed detection in the true sense.

17.
Research and Implementation of a Distributed Intrusion Detection System   Cited: 7 (self-citations: 0, by others: 7)
With the rapid growth of computer networks, network security problems are becoming increasingly serious; a single centralised intrusion detection system can no longer meet the needs of network security, and distributed intrusion detection systems have emerged. This paper implements a distributed intrusion detection system that applies the connect-back technique of reverse-connecting Trojans to the communication between client and server, captures packets on the client with multiple threads, and detects Trojan horses by correlating system processes with port communication. A management console deploys policies uniformly to the Agent clients at each location in the local area network and monitors them in real time, strengthening the security of the campus network.

18.
This paper analyses the shortcomings of current mobile-agent intrusion detection systems and, to address them, proposes MADIDS (mobile agent-based distributed intrusion detection system), a distributed intrusion detection system model based on mobile Agents. The model gives every mobile agent an independent ID and adds identity authentication, integrity verification and encryption mechanisms. Multi-agent technology is used to make detection autonomous and to coordinate detection information across multiple hosts, which improves the security of the intrusion detection system itself and detects distributed attacks effectively. Experimental results show good performance.

19.
Drawing on intelligent agent technology combined with XML and secure communication techniques, this paper proposes a distributed intrusion detection system model with a two-tier agent structure and designs and implements a prototype. The model consists of multiple domains, with a hierarchical structure within a domain and a P2P (peer-to-peer) structure between domains. Within a domain, detection agents are distributed on the protected hosts to perform detection and report their results to the domain's data centre. A cooperation agent analyses the alert information aggregated at the domain data centre, generates local alerts, and notifies the cooperation agents of other domains via XML. Cooperation agents are redundant components, which avoids a structural single point of failure. Digital signatures and encryption ensure that agent communication is secure. Distribution, robustness, intelligence and cooperation are the main characteristics of the model.
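Entry 18 gives each mobile agent an ID plus identity authentication, integrity verification and encryption; entry 19 exchanges XML alerts between domains protected by digital signatures and encryption. Neither abstract shows the message format or the receive-side checks, so the block below is an added example that is not code from either paper. It builds an XML alert carrying the agent ID and a sequence number, authenticates it with a per-agent HMAC key (an assumption standing in for the PKI signature the papers use), and verifies it in the order a receiver should: parse, look up the agent ID, check the MAC, then reject replays. Transport encryption is assumed to be provided by the channel (for example TLS) and is not shown. Agent IDs, keys and alert contents are constructed.

```python
"""Authenticated, replay-protected XML alerts between cooperation agents.

Added example, not code from either paper. Per-agent HMAC keys stand in for
the PKI signatures described in the abstracts (assumed: keys are provisioned
out of band); encryption of the transport is left to the channel.
"""
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed per-agent secrets, keyed by the agent's independent ID.
AGENT_KEYS: Dict[str, bytes] = {
    "agent-domainA-01": bytes.fromhex("00" * 16 + "11" * 16),
    "agent-domainB-07": bytes.fromhex("22" * 16 + "33" * 16),
}

FIELDS = ("agent", "seq", "type", "src")


def _mac_input(agent_id: str, seq: int, alert_type: str, src: str) -> bytes:
    """Fixed-order canonical form of the authenticated fields.

    Serialised XML is not byte-stable (whitespace, attribute order), so the MAC
    covers a canonical encoding of the fields rather than the XML text itself.
    """
    return json.dumps([agent_id, seq, alert_type, src], separators=(",", ":")).encode()


def build_alert(agent_id: str, seq: int, alert_type: str, src: str) -> bytes:
    """Sender side: alert with agent ID, strictly increasing sequence number and HMAC."""
    root = ET.Element("alert")
    for tag, value in zip(FIELDS, (agent_id, seq, alert_type, src)):
        ET.SubElement(root, tag).text = str(value)
    mac = hmac.new(AGENT_KEYS[agent_id], _mac_input(agent_id, seq, alert_type, src), hashlib.sha256)
    ET.SubElement(root, "mac").text = mac.hexdigest()
    return ET.tostring(root)


class AlertVerifier:
    """Receiver side: rejects malformed, unknown-agent, tampered and replayed alerts."""

    def __init__(self, keys: Dict[str, bytes]) -> None:
        self.keys = keys
        self.last_seq: Dict[str, int] = {}

    def verify(self, xml_bytes: bytes) -> Optional[Dict[str, str]]:
        """Return the alert fields if every check passes, otherwise None."""
        try:
            root = ET.fromstring(xml_bytes)
        except ET.ParseError:
            return None
        got = {tag: root.findtext(tag) for tag in FIELDS + ("mac",)}
        if any(v is None for v in got.values()):
            return None                      # missing field
        key = self.keys.get(got["agent"])
        if key is None:
            return None                      # unknown agent ID: identity check fails
        try:
            seq = int(got["seq"])
        except ValueError:
            return None
        expected = hmac.new(key, _mac_input(got["agent"], seq, got["type"], got["src"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, got["mac"]):
            return None                      # integrity or authentication failure
        # Replay check comes after the MAC check so a forged seq cannot poison last_seq.
        if seq <= self.last_seq.get(got["agent"], 0):
            return None                      # replayed or reordered alert
        self.last_seq[got["agent"]] = seq
        return {tag: got[tag] for tag in FIELDS}


if __name__ == "__main__":
    verifier = AlertVerifier(AGENT_KEYS)
    alert = build_alert("agent-domainA-01", 1, "portscan", "10.0.0.5")
    print("fresh:   ", verifier.verify(alert))
    print("replay:  ", verifier.verify(alert))
    print("tampered:", verifier.verify(alert.replace(b"10.0.0.5", b"10.0.0.9")))
```

The per-agent sequence counter is what stops a captured alert from being re-injected into another domain's data centre; without it, signatures alone only prove that some legitimate agent once sent the message. Replacing the HMAC with a public-key signature changes only the two `hmac.new` calls and the key table, not the order of the checks.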

20.
Research on Load Balancing Strategies in Distributed Intrusion Monitoring   Cited: 1 (self-citations: 0, by others: 1)
Traditional distributed intrusion detection systems suffer from problems such as heavy packet loss. By analysing the problems of existing intrusion monitoring systems, the causes of those problems are identified and targeted improvements made. By studying the characteristics of different packets, the main factors affecting the processing efficiency of an intrusion detection system are determined experimentally and a way of marking the load is found; the idea of load balancing is then introduced and combined with the distributed approach to propose a system architecture that improves the performance of intrusion monitoring systems.
