分布式入侵检测体系结构研究

入侵检测是网络系统在受到危害前拦截和响应入侵行为的技术，其核心是对网络通讯、主机状态的实时分析。入侵检测系统分集中式和分布式。集中式由n个嗅探器收集、过滤、处理数据，通过网路传输到检测器。分布式将n个嗅探器分布在网络环境中直接接受数据，各检测器间的协作等涉及：包括事件产生器／分析器、响应单元、事件数据库的通用入侵检测框架协议，多代理协同检测与移动代理技术，基于代理的树形分层结构等。目前，基于代理的分布式入侵检测系统有美国普度大学的基于自治代理的分布式入侵检测系统AAFID和日本IPA的多主机检测式系统等。

Study of Distributed Intrusion Detection Architecture

Intrusion detection (ID) is technology that is detecting intrusions and making response before network system will get harm. The key of intrusion detection system (IDS) is network communication, and real time analyzing the state of host computer. IDS includes two types of intrusion detection of central IDS and distributed IDS. Central IDS consists of some sniffers and a central detection unit. Some sniffers collect, filtrate and process data simply, the result can be sent to detector and is analyzed further by network. In distributed IDS, some sniffers is distributed in network to receive directly data, and detector communicate with each other. Distributed IDS consists of multiple intrusion detection systems (IDS), event generator/ analyzer, response unit, frame protocol of intrusion detection for event database, multi-agent cooperated detection, mobile agent technology and agent-based tree architecture. At present, mobile agent-based distributed IDS has AAFID system and IPA system.