A Study of a Distributed Intrusion Detection Model

The concept of distribution level (DL) is proposed to classify distributed intrusion detection systems, and information abstraction level (IAL) is introduced to characterize the logical abstraction hierarchy of audit data in the process of intrusion detection. After analyzing the pros and cons of the existing hierarchical detection model and the cooperative detection model, a hierarchical cooperation model (HCM) is presented and applied to a distributed intrusion detection system. By integrating the advantages of the hierarchical model and the cooperative one, this model improves fault tolerance and cooperation among detection components without degrading controllability or efficiency. A prototype distributed intrusion detection system based on the hierarchical cooperation model and the extended intrusion detection message exchange format (EIDMEF) has been completed, and it proves as effective as expected in detecting intrusions.