分布式入侵检测模型研究

提出了分布级别的概念对分布式入侵检测系统进行分类，并引入信息抽象级别对入侵检测中审计数据所经历的逻辑抽象层次进行表述．在对现有的层次检测模型和协作检测模型的优点和缺陷进行详细分析之后，提出了一种用于分布式入侵检测系统的层次化协作模型(HCM)，并完成了相应的原型系统．该模型可以有效地综合两种现有模型的优点，在保证结点可控性和检测效率的同时提高系统的容错性和协作能力．

A Study of a Distributed Intrusion Detection Model

The concept of distribution level (DL) is proposed to classify distributed intrusion detection systems?, and information abstraction level (IAL) is introduced to characterize the logic abstraction hierarchy of audit data in the process of intrusion detection. After analyzing pros and cons of the existing hierarchical detection model and the cooperative detection model, a hierarchical cooperation model (HCM) is presented, which is applied to a distributed intrusion detection system. By integrating the advantages of the hierarchical model and the cooperative one, this model improves the ability of error-tolerance and cooperation without degradation of controllability and efficiency. Prototype of a distributed intrusion detection system based on the hierarchical cooperation model and the extended intrusion detection message exchange format(EIDMEF) is completed, which proves to be powerful as expected in detecting intrusions.