As the number of network intrusions grows, intrusion defense mechanisms are urgently required to provide a highly secure network environment. An intrusion detection system (IDS) is such a mechanism: it detects possible intrusions of networks and minimizes the response time between intrusion detection and defense reaction as much as possible. However, traditional IDSs are not designed with a cooperative detection mechanism. Therefore, some kinds of modern attacks, such as denial of service (DoS), CodeRed or SQL Worm, cannot be effectively counteracted in a short time. These examples show that a detection alliance is highly demanded in modern IDS design.
Such an IDS design needs to consider two major issues: how to cooperate effectively and how to configure the system dynamically and automatically. Therefore, we propose an intrusion detection system, AIMS (Active Intrusion Monitoring System), based on emerging active network technology. In this paper, AIMS is elaborated in terms of its flexible intrusion detection mechanism, dynamic cooperation protocol, and underlying active networking design. AIMS has three main design features. First, the intrusion detection methodology in AIMS can be dynamically adapted to changes in the environment, so intrusions can be effectively localized to a part of the network rather than spreading globally. Second, since AIMS has an alliance architecture, maintenance can be effectively accomplished with active administrative packets. Third, AIMS is highly scalable for wide area networks: although legacy network components may exist, AIMS can automatically cooperate with them to perform the necessary detection functionality.

Based on active network technology, the AIMS architecture is organized into four components. The first component is the packet handler, which includes the packet dispatcher, the trap generator and the active packet generator. The second component is the processing engine, the core unit, which includes the IDS engine, the active processing engine, and the authentication engine. The third component is the database for keeping intrusion information; it consists of a summary database and a rule database. The last component is the node operating system for system management.
Two authentication design issues in AIMS are further addressed. The first is the design of the active cooperation protocol: active packets are designed to update alarm rules, attack patterns and statistic thresholds dynamically. The second is the active protection mechanism for information exchange. Currently, MD5-based authentication is used to ensure the safety and security of AIMS.
The detection rules and their realization programs are securely and automatically exchanged with active packets. Three classes of primitives are provided to specify alarm rules, attack patterns and statistic thresholds; each primitive has eight operations. The alarm rules are compared with the address book stored in the summary database. The attack patterns are matched against the network packets. The statistic thresholds are checked against real-time traffic statistics to maintain surveillance.
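The cooperation protocol and the three rule classes described in the two preceding paragraphs can be illustrated with a small simulation. The following Python code is an added example written for this page; it is not the AIMS implementation. It assumes an active packet carries one JSON-encoded rule update protected by a keyed MD5 tag (the paper only says "MD5-based authentication", so HMAC-MD5 over a pre-shared node secret is an assumption; HMAC-SHA256 would be the choice today), models only two of the eight operations per primitive (add and delete), and uses constructed addresses, a constructed shared secret, and the widely documented CodeRed request path as a sample attack pattern.

```python
import hashlib
import hmac
import json
import re
from collections import Counter

# Assumed pre-shared secret between cooperating AIMS nodes (constructed value).
NODE_SECRET = b"constructed-aims-node-secret"

# The three primitive classes named in the paper.
RULE_CLASSES = ("alarm_rule", "attack_pattern", "statistic_threshold")


def build_active_packet(secret, rule_class, operation, rule):
    """Build an active administrative packet carrying one rule update.

    Layout (assumed): <JSON body>|<hex HMAC-MD5 tag over the body>.
    """
    if rule_class not in RULE_CLASSES:
        raise ValueError(f"unknown rule class: {rule_class}")
    body = json.dumps(
        {"class": rule_class, "op": operation, "rule": rule}, sort_keys=True
    ).encode()
    tag = hmac.new(secret, body, hashlib.md5).hexdigest().encode()
    return body + b"|" + tag


def verify_active_packet(secret, packet):
    """Return the decoded update if the tag verifies, else None (packet is dropped)."""
    body, _, tag = packet.rpartition(b"|")
    expected = hmac.new(secret, body, hashlib.md5).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


class AimsNode:
    """One AIMS node: a rule database per primitive class plus per-source counters."""

    def __init__(self, secret):
        self.secret = secret
        self.rules = {cls: {} for cls in RULE_CLASSES}
        self.counts = Counter()  # real-time statistic: packets seen per source

    def apply_packet(self, packet):
        """Apply an authenticated rule update; reject tampered or unknown packets."""
        update = verify_active_packet(self.secret, packet)
        if update is None or update.get("class") not in RULE_CLASSES:
            return False
        table = self.rules[update["class"]]
        rule = update["rule"]
        if update["op"] == "add":
            table[rule["id"]] = rule
        elif update["op"] == "delete":
            table.pop(rule["id"], None)
        else:
            return False  # only add/delete are modeled here
        return True

    def inspect(self, pkt):
        """Check one network packet {"src", "payload"} against all three rule classes."""
        alerts = []
        # Alarm rules: compare the source against the address book.
        for rid, rule in self.rules["alarm_rule"].items():
            if pkt["src"] in rule["addresses"]:
                alerts.append(("alarm_rule", rid))
        # Attack patterns: match the payload.
        for rid, rule in self.rules["attack_pattern"].items():
            if re.search(rule["regex"], pkt["payload"]):
                alerts.append(("attack_pattern", rid))
        # Statistic thresholds: update the counter, then compare.
        self.counts[pkt["src"]] += 1
        for rid, rule in self.rules["statistic_threshold"].items():
            if self.counts[pkt["src"]] > rule["max_packets"]:
                alerts.append(("statistic_threshold", rid))
        return alerts


def demo():
    """Stand-alone run: push three rules over active packets, then inspect traffic."""
    node = AimsNode(NODE_SECRET)
    updates = [
        ("alarm_rule", {"id": "a1", "addresses": ["10.0.0.9"]}),
        ("attack_pattern", {"id": "p1", "regex": r"GET /default\.ida\?"}),
        ("statistic_threshold", {"id": "t1", "max_packets": 2}),
    ]
    for cls, rule in updates:
        node.apply_packet(build_active_packet(NODE_SECRET, cls, "add", rule))
    traffic = [  # constructed sample packets
        {"src": "10.0.0.9", "payload": "GET /index.html"},
        {"src": "192.0.2.7", "payload": "GET /default.ida?XXXX"},
        {"src": "192.0.2.7", "payload": "GET /a"},
        {"src": "192.0.2.7", "payload": "GET /b"},
    ]
    return [node.inspect(p) for p in traffic]


if __name__ == "__main__":
    for alerts in demo():
        print(alerts)
```

The tag is verified before any rule table is touched, so a packet whose body was altered in transit, or one built by a node that does not hold the shared secret, is discarded rather than partially applied; `hmac.compare_digest` keeps the comparison constant-time.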
To conclude, AIMS is a flexible, scalable and easily maintained IDS. Its rules can be dynamically updated with active packets from cooperative AIMS nodes. Currently, AIMS is in the simulation stage; a prototype is planned for further development and research.