A Distributed Network Intrusion Detection System with Active Surveillance Agent

A distributed network intrusion detection system (IDS) called SA-NIDS is proposed based on the network-based intrusion detection architecture. It includes three basic components, Local Intrusion Detection Monitor (LIDM), Global Intrusion Detection Controller (GIDC), and Surveillance Agent (SA). Basically, the LIDM is used to do packets capturing, packets de-multiplexing, local intrusion detection and intrusion inferring. The GIDC is installed in administration center for communicating and managing LIDMs, it can also do the intrusion detection and intrusion inferring. The SA contains several optional functions for information gathering. After an attack behavior is discovered, the SA may be used to launch some kinds of information gathering to the attacker, so that the proposed SA-NIDS has the active surveillance ability. For the intrusion inferring, the pattern matching and the statistical approach are applied in SA-NIDS. The experimental results can satisfy the needs of network information safety.