A Method for Perfecting the Audit Information in Intrusion Detection Systems
Cite this article: YUE Bing, FU Hongjuan, LIU Boying, XIE Bing, BIAN Liping. A Method for Perfecting the Audit Information in Intrusion Detection Systems [J]. Chinese Journal of Computers, 2002, 25(7): 772-777.
Authors: YUE Bing, FU Hongjuan, LIU Boying, XIE Bing, BIAN Liping
Affiliation: School of Management, Tianjin University, Tianjin 300072, China
Funding: Supported by the Tianjin Youth Science Foundation (003700211)
Abstract (translated from the Chinese record): A real-time, active intrusion detection system needs the support of complete audit information. This paper first introduces the audit information used by current intrusion detection systems and a simple method of evaluating its completeness in terms of temporal logic and spatial coverage. Then, taking the destination node as the starting point, it proposes that the network can be abstracted as a field with a source: the source of the field is the destination node, and the packet frequency at a given node towards the destination node (the total number of packets within a fixed time interval) is abstracted as the divergence of the field at that node. On this basis a Defending Alliance Protocol is proposed, which perfects the spatial audit information in order to improve the performance of the intrusion detection system; the paper describes the protocol content, the data formats and the protocol's basic service primitives. The Defending Alliance Protocol comprises the concept of a security coefficient for the destination node, a defending alliance protocol between the destination node and its neighbouring nodes, and a defending alliance protocol between the destination node and the network management centre. The security coefficient of the destination node is defined as the sum of the divergences at all of the destination node's neighbouring nodes, expressed as a percentage of the destination node's buffer capacity. The protocol between the destination node and its neighbours describes how the audit information held by the neighbouring nodes is obtained and sent to the destination node; the protocol between the destination node and the network management centre describes how the management centre is used to authenticate the genuineness of a connection in order to complete the spatial audit information; the relationship between the two protocols is analysed. Finally, the paper briefly analyses the security of the Defending Alliance Protocol itself.

Keywords: intrusion detection system; audit information; defending alliance protocol; network security; computer network
Revised: 15 December 2000

The Method of Perfecting the Audit Information in Intrusion Detection System
YUE Bing, FU Hongjuan, LIU Boying, XIE Bing, BIAN Liping. The Method of Perfecting the Audit Information in Intrusion Detection System [J]. Chinese Journal of Computers, 2002, 25(7): 772-777.
Authors: YUE Bing, FU Hongjuan, LIU Boying, XIE Bing, BIAN Liping
Abstract: A real-time, active intrusion detection system (IDS) needs the support of complete audit information. This article studies how to perfect the audit information used by an IDS. First, the audit information used in current IDSs is introduced, together with a simple method of evaluating its completeness in terms of temporal logic and spatial coverage; it is found that the spatial audit information available at the neighbours of the receiver and of the sender is not used by current IDSs. Second, taking the receiver as the source, the computer network is modelled as a field: the receiver is the field source, and the packet frequency (the number of packets in a fixed time interval) sent towards the receiver through a router is modelled as the divergence of the field at that router. On these grounds the Defending Alliance Protocol (DAP) is proposed, which perfects the spatial audit information in order to enhance the performance of the IDS. The motivation for the protocol, its content, its data formats and its basic service primitives are presented. The DAP consists of the concept of the receiver's security coefficient, the protocol between the neighbours and the receiver (NBDAP), and the protocol between the network management centre (NMC) and the receiver (MCDAP). The receiver's security coefficient is the sum of the divergences at the receiver's neighbours, expressed as a percentage of the receiver's buffer capacity. NBDAP specifies how the spatial audit information held at the neighbours is obtained and sent to the receiver; MCDAP specifies how the NMC is used to authenticate the genuineness of the connection between sender and receiver. The relationship between NBDAP and MCDAP is analysed. The basic service primitives define the services of the DAP and stipulate how information is transmitted through service access points. The self-security of the DAP concerns an attacker who gains administrative control of the receiver's neighbours or of the NMC, for example through buffer overflow attacks; the rules for defending against such attacks are introduced briefly. Finally, future work is outlined.
Keywords: intrusion detection system; audit information; defending alliance protocol
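The security coefficient defined in the abstract (sum of the divergences at the receiver's neighbours as a percentage of the receiver's buffer capacity, where a neighbour's divergence is the number of packets it forwarded towards the receiver within a fixed time window) can be computed from the spatial audit information the neighbours report. The following Python is an added example, not code from the paper: the audit records, the neighbour names (R1, R2, R3), the destination H, the one-second window, the buffer capacity of 1000 packets and the 100 % alarm threshold are all constructed assumptions; the paper does not specify its data formats.

```python
"""Security coefficient of a receiver from neighbour audit records.

Added example, not the paper's code. Record layout, node names, window
length, buffer capacity and alarm threshold are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRecord:
    """One packet forwarded by a neighbour node towards a destination."""
    node: str   # neighbour (router) that forwarded the packet
    dst: str    # destination node the packet was addressed to
    t: float    # forwarding time in seconds


def divergences(records, dst, t0, window):
    """Divergence per neighbour: packets forwarded towards `dst` in [t0, t0 + window)."""
    counts = defaultdict(int)
    for r in records:
        if r.dst == dst and t0 <= r.t < t0 + window:
            counts[r.node] += 1
    return dict(counts)


def security_coefficient(records, dst, buffer_capacity, t0, window):
    """Sum of neighbour divergences as a percentage of the receiver's buffer capacity."""
    if buffer_capacity <= 0:
        raise ValueError("buffer capacity must be positive")
    total = sum(divergences(records, dst, t0, window).values())
    return 100.0 * total / buffer_capacity


def alarm(coefficient, threshold=100.0):
    """Assumed policy: alarm once the neighbours report more traffic than the buffer holds."""
    return coefficient >= threshold


def sweep(records, dst, buffer_capacity, window, n_windows, start=0.0):
    """Evaluate consecutive windows; returns (t0, coefficient, alarm) per window."""
    out = []
    for i in range(n_windows):
        t0 = start + i * window
        c = security_coefficient(records, dst, buffer_capacity, t0, window)
        out.append((t0, c, alarm(c)))
    return out


# Constructed audit records (assumption): three neighbours of receiver H.
# Window [0, 1): R1 300, R2 200, R3 100 packets -> 600 of 1000 -> 60 %.
# Window [1, 2): R1 900, R2 600 packets         -> 1500 of 1000 -> 150 %, alarm.
# Packets towards X must be ignored when H is the receiver under study.
CONSTRUCTED_RECORDS = (
    [AuditRecord("R1", "H", 0.001 * i) for i in range(300)]
    + [AuditRecord("R2", "H", 0.002 * i) for i in range(200)]
    + [AuditRecord("R3", "H", 0.005 * i) for i in range(100)]
    + [AuditRecord("R1", "H", 1.0 + 0.001 * i) for i in range(900)]
    + [AuditRecord("R2", "H", 1.0 + 0.001 * i) for i in range(600)]
    + [AuditRecord("R1", "X", 0.001 * i) for i in range(50)]
)

BUFFER_CAPACITY = 1000  # packets the receiver H can buffer (assumption)

if __name__ == "__main__":
    for t0, c, a in sweep(CONSTRUCTED_RECORDS, "H", BUFFER_CAPACITY, 1.0, 2):
        print(f"window [{t0:.0f}, {t0 + 1:.0f}): {c:6.1f}% {'ALARM' if a else 'ok'}")
```

The per-neighbour counts are what NBDAP would carry from each neighbour to the receiver; the receiver only needs the sum and its own buffer size to obtain the coefficient, so the neighbours never have to see each other's reports.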
This article is indexed by CNKI, VIP and Wanfang Data.