
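Research on a Distributed Early Warning Architecture for Network Security
Cite this article: ZHANG Xian-feng, QIN Zhi-guang, LIU Jin-de. Research on a Distributed Early Warning Architecture for Network Security[J]. Journal of Computer Applications, 2004, 24(5): 36-39.
Authors: ZHANG Xian-feng  QIN Zhi-guang  LIU Jin-de
Affiliation: School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, Sichuan 610054
Funding: National 863 Program project (2002AA142040)
Abstract: This paper proposes a distributed early warning architecture for network security and studies the technologies and methods involved in implementing it. The entire protected network is divided into several security domains. Each security domain consists of several sensor agents, one early warning center, and other network nodes. Within each security domain, sensor agents located on different network segments collect network data and, by building an adaptive anomaly detection model and applying an anomaly assessment method, analyze in real time anomalous behavior that may occur in the network. The early warning center receives the anomaly analysis results from the sensor agents in its own security domain, fuses them with other security information to generate early warning information, and sends that information to the destination security domain according to the destination IP address of the behavior being warned about. At the same time, the early warning center also receives early warning information (including intrusion information) from other security domains, thereby realizing distributed early warning across the network. Through distributed early warning, the security monitoring system can take protective measures in advance, before an attack occurs, strengthening the security of the network.

Keywords: network security  early warning  architecture  anomaly assessment
Article ID: 1001-9081(2004)05-0036-04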

Research on the Network Security Architecture for Distributed Early Warning
ZHANG Xian-feng, QIN Zhi-guang, LIU Jin-de. Research on the Network Security Architecture for Distributed Early Warning[J]. Journal of Computer Applications, 2004, 24(5): 36-39.
Authors:ZHANG Xian-feng  QIN Zhi-guang  LIU Jin-de
Abstract: This paper presents an architecture for distributed early warning of network security and analyzes the technologies and approaches needed to realize it. In this architecture, the protected network is divided into several security domains. Every domain consists of several sensor agents, an early warning center and other nodes. In every security domain, sensor agents installed on different network segments collect network data and analyze it in real time by building an adaptive anomaly detection model and applying an anomaly assessment approach. Early warning centers receive the anomaly analysis results from sensor agents and fuse them with other security information to generate early warning information. Early warning information is sent to the early warning center of the intended security domain. Meanwhile, early warning centers also receive early warning messages (including intrusion messages) from other early warning centers, so the architecture is characterized by distributed early warning of network security. With distributed early warning, the security monitoring system can adopt precautionary measures to enhance network security before network intrusions happen.
Keywords:network security  early warning  architecture  anomaly assessment
This article is indexed in CNKI, VIP, Wanfang Data and other databases.