Distributed IDS mainly refers to the interoperation of a variety of IDS. Host-based and network-based IDS sit at different positions in the network topology, so they cannot replace each other; and because attacks unfold in stages, with the behaviour of each stage linked to the next, the cooperation of these heterogeneous IDS can be used to detect an attack. You can imagine the IDS being refined and subdivided into many small data sources, each thinking independently and able to command the other IDS, influencing their behaviour. The simple implementation is that there is no interaction between IDS sensors, but there is a centralized control system: all correlation happens in the center, and the center can change each sensor's behaviour.
In the EMERALD papers from 1997, only a central analyzer does correlation, while the other rules and profiles were moved from the center out to the IDS sensors. You can look at sri.com, the home of EMERALD; they have written 23 papers.
On correlation, IBM's TEC has a correlator that supports heterogeneous IDS.
Unfortunately I cannot paste screenshots here, otherwise I would show you the interface.
IBM recently released a correlation algorithm (IBM is strong here: its security algorithms are excellent, and its Teiresias pattern-matching algorithm is also very good). See:
"Aggregation and Correlation of Intrusion-Detection Alerts", by Hervé Debar and Andreas Wespi.
For interaction between agents and the center there are standards: FIPA, KAoS, KQML, CIDF.
Academia likes to automate IDS agents, but industry is currently busy with correlation. For correlation, look at the article by Huang of Boeing; in 1997 he advocated attack-strategy detection. His weighted strategy tree is very intuitive.
There are many examples of collaborative detection. A classic example Huang gave about four years ago: detecting spoofing.
External host A first launches a denial of service against internal host A, then impersonates internal host A to initiate connections to internal server B, which trusts internal host A. At that moment a normally legitimate rlogin becomes an attack. A single network IDS cannot detect it.
The basic idea is: once a certain situation has occurred, originally normal network behaviour becomes an attack. Detecting this requires correlation.
Another example is finding the source address of a DDoS, where a single network or host IDS is powerless. Suppose host A is under DDoS; its anomaly-detection function can tell that the machine is being hit by a DoS attack. Meanwhile the network IDS sees an ICMP echo request from 1.1.1.1. In normal times that message is benign, but sent at this moment it is very likely the attacker checking whether the attacked host is still alive. Through correlation you can find the real DDoS source address, 1.1.1.1.
There is also the detection of stealth scans. If someone slowly scans port 1433 across several of your subnets, the network IDS will certainly not alert, and the host IDS logs may record a few connections; but with centralized correlation it can be detected. In the event stream all of these can be checked with rules, without worrying about efficiency.
Another advantage is that host IDS are in fact usually anomaly detection, which greatly makes up for the shortcomings of pattern-based network IDS; detection by the two working together is highly credible.
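The two correlation rules described above (DoS anomaly followed by an ICMP echo request, and a slow port-1433 scan spread across subnets) as an added example of a central correlator over a merged host/network event stream; this is illustrative code, not from the post or any product named in it, and the event field names and the sample events are constructed assumptions.

```python
"""Central correlator over a merged host-IDS / network-IDS event stream.
Added example; event schema and sample data are constructed for illustration."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed event stream: (time_seconds, sensor, fields).
EVENTS = [
    (20,   "net",  {"src": "2.2.2.2", "dst": "10.0.1.5", "type": "echo-request"}),  # routine ping
    (100,  "host", {"host": "10.0.1.5", "alert": "dos_anomaly"}),                   # host IDS anomaly
    (130,  "net",  {"src": "1.1.1.1", "dst": "10.0.1.5", "type": "echo-request"}),  # liveness probe?
    (1000, "host", {"host": "10.0.1.7", "conn_from": "3.3.3.3", "dport": 1433}),
    (5000, "host", {"host": "10.0.2.9", "conn_from": "3.3.3.3", "dport": 1433}),
    (9000, "host", {"host": "10.0.3.4", "conn_from": "3.3.3.3", "dport": 1433}),
    (9100, "host", {"host": "10.0.3.8", "conn_from": "9.9.9.9", "dport": 1433}),
]

def correlate_dos_probe(events, window=300):
    """Rule 1: a host-IDS DoS anomaly followed within `window` seconds by an ICMP
    echo request to that same host flags the echo source as a suspected DDoS origin.
    Echo requests seen before the anomaly are treated as normal traffic."""
    suspects = set()
    dos_since = {}  # victim host -> time of its DoS anomaly alert
    for t, sensor, f in sorted(events, key=lambda e: e[0]):
        if sensor == "host" and f.get("alert") == "dos_anomaly":
            dos_since[f["host"]] = t
        elif sensor == "net" and f.get("type") == "echo-request":
            t0 = dos_since.get(f["dst"])
            if t0 is not None and 0 <= t - t0 <= window:
                suspects.add(f["src"])
    return suspects

def detect_slow_scan(events, dport=1433, min_subnets=3, window=86400):
    """Rule 2: connections to `dport` recorded in host IDS logs, all from one source
    and touching at least `min_subnets` distinct /24s within `window` seconds,
    are reported as a slow scan that no single sensor would have seen whole."""
    seen = defaultdict(list)  # source -> [(time, target /24)]
    for t, sensor, f in sorted(events, key=lambda e: e[0]):
        if sensor == "host" and f.get("dport") == dport:
            seen[f["conn_from"]].append((t, ip_network(f["host"] + "/24", strict=False)))
    scanners = set()
    for src, hits in seen.items():
        last = hits[-1][0]
        subnets = {net for t, net in hits if last - t <= window}
        if len(subnets) >= min_subnets:
            scanners.add(src)
    return scanners

if __name__ == "__main__":
    print("suspected DDoS sources:", correlate_dos_probe(EVENTS))
    print("slow scanners:", detect_slow_scan(EVENTS))
```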