A kind of synergetics learning invasion detection method that is applied to data grids
Technical field
The present invention is a kind of intrusion detection method based on the collaborative study of BP neural net that is applied to data grids.Be mainly used in the attack that detects automatic network, belong to the crossing domain of data grids technology and Intrusion Detection Technique at back end in the grid.
Background technology
Along with express network technology and computing grid technology rapid development in recent years, people are more and more stronger to the demand of large-scale data sharing, more current memory technologies, as network attached storage NAS, storage area network SAN, group of planes storage, object storage etc., because its closure, independence and relative higher cost, storage and extended capability deficiency, cause it to be difficult under wide area network, share huge day by day data volume, on the other hand, still existing a large amount of idle memory spaces on wide area network fails to be utilized effectively.Data grids just one be the desirable virtual storage system of main resource with data, can be various grid application good support be provided.On the one hand, utilize the efficient disposal ability of grid environment can realize effectively integrating of large-scale data, and effectively utilize existing numerous data resource; Simultaneously, also can utilize the data managing capacity of data grids system high efficiency, for the integrated optimization of the management of fulfillment database resources effective, distributed data in the grid and the analyzing and processing of big data etc. provide strong support.
Calculate in the Wide Area Network deploy, safety assurance is vital.Grid security mechanism will provide basic safeguard protection authentication mechanism; with checking legal users and resource; and provide interface for other security services; allow the user to select different security strategies, level of security and encryption method; the safety devices of underlying basis are provided, and this is the requirement and the characteristics of grid computing.Intruding detection system also is further extended in the grid environment as the defence line, second road of network security after fire compartment wall, as the defence line, another road on the grid bottom GSI, be deployed in the intrusion detection prototype system first meeting blank of computing grid, these systems be mostly with the behavior profile that the form of upper strata security service detects grid user find and the attack that stops malicious user to guarantee the safety of grid.Yet situation is different in data grids, in order to improve data service quality, used the lot of data copy in the data grids, on the node of these copy distributed store isomery in wide scope, undoubtedly, data redudancy is big more, and is just many more to the point of attack that the assailant provides, the assailant at first can initiate at some key node from network the attack of data grid, and then destroys whole data grids.If can not guarantee the safety of the node computer of each storage significant data, also just can not guarantee the safety of data grids integral body.The existing Intrusion Detection Technique overwhelming majority is at the operating system of unit and network, and the intruding detection system that is applied to computing grid is deployed in the user of grid upper strata at whole grid, shortage is not suitable for the special circumstances of data grids to the consideration of individual node network security.The research and development of relevant data grid at present also is in the starting stage, to the research of grid data safety just still less, and the seldom several data grids intrusion detection models that proposed now all are the Intrusion Detection Technique of indiscriminately imitating in the computing grid, and consider the attack that comes automatic network that the node of storage data faces.
The distributed Intrusion Detection Systems technology has had very great development in recent years, yet such system or need a unified control centre and come the security incident transmitted on each crucial test point of analyzing and processing perhaps adopts the agent technology to come incident on the node that independence or associated treatment distribute.Because number of nodes is huge in the grid, use focuses on engine can cause the processing center overload of power, and can't avoid the single point failure problem, use the agent technology not give full play to the mutual supplement with each other's advantages of each agent under the grid heterogeneous environment and the trust problem between the very difficult agent of solution.As seen already present various distributed Intrusion Detection Systems technology is not suitable for the particular surroundings of data grids.
At intrusion detection field integrated study also is hot research in recent years, it is the weak learner of a lot of stand-alone trainings such as BP neural net to be integrated obtain a strong learner improving verification and measurement ratio, but this method mainly still is used for the intrusion detection of unit.Therefore the intrusion detection method of studying a kind of suitable data grid environment is significant.
Summary of the invention
Technical problem: the purpose of this invention is to provide a kind of intrusion detection method that is applied to data grids, detect the attack at back end in the grid of automatic network.
Technical scheme: the present invention is a kind of intrusion detection method of collaborative study, based on the BP neural net, learn from each other, have complementary advantages and improve the fail safe of each back end by the neural net on each heterogeneous nodes in the data grids, resist the attack of automatic network effectively.
One, architecture
According to the complex network scientific theory, network in the real world (the Internet, grid) has no characteristics of scale, data grids are as the dynamic network of a wide area self-organizing, its topological structure also should meet no scale network model: minority Centroid degree is very big, is connecting many ordinary nodes on it.Therefore the canonical topology structure of data grids wherein generally is used on the Centroid storing important data trnascription (root copy) as shown in Figure 1, and its fail safe is most important.In order to reduce security overhead, lay special stress on protecting the safety of critical data node, the intrusion detection module on design centre node and the ordinary node is as follows respectively:
Fig. 2 has provided the architecture of Centroid intrusion detection module, and its functional part mainly comprises local data collector, novel invasion sample receiver, collaborative request service broker, data preliminary treatment and form transducer, local integrated invasion analysis engine (detector), invasion sample characteristics storehouse, cooperative intrusion analysis engine, novel invasion sample transmitter, response alarm device.
Below we provide the explanation of several concrete parts:
The local data collector: collection network packet on the local network segment, to detect attack from local network.
Novel invasion sample receiver: what receive that other nodes send over detects the data sample of judging to attacking.
Collaborative request service broker: receive the suspection sample that can't judge that certain ordinary node sends over, mode with broadcasting is transmitted to all direct-connected ordinary nodes of this Centroid with collaborative analysis again, the final judged result of cooperative intrusion analysis engine is returned to the node of the collaborative request of initiation.
Data preliminary treatment and form transducer: because the isomerism of data grids, the form of the handled network packet of detector of each node computer and the field difference of detection, transducer becomes the form of the detector processes on the unified suitable local node with the data transaction that receives, and carries out suitable preliminary treatment to improve detection efficiency.
Local integrated invasion analysis engine: be the main intrusion detection parts of Centroid, in order to ensure the safety of Centroid, detector adopts the integrated detection mode of BP neural net of a plurality of stand-alone trainings, forms strong local detectability.
Invasion sample characteristics storehouse: the novel invasion sample characteristics that the storage ordinary node is submitted to, with this locality integrated invasion analysis engine cooperating, the data to be tested of receiving for analysis engine, at first with feature database in the comparison of existing invasion sample characteristics, if no abnormal, the integrated BP neural net by analysis engine detects again.
Cooperative intrusion analysis engine: receive data, for ordinary node provides the collaborative service that detects from collaborative request service broker.
Novel invasion sample transmitter: the invasion sample of the newtype that will find on local node sends to other nodes and does to detect reference for it.
The response alarm device: find automatic network at the attack of this node the time, send break alarm and impel system to take measures to stop intrusion behavior.
Fig. 3 has provided the architecture of ordinary node intrusion detection module, because its importance is not as Centroid, demand for security is lower than Centroid, therefore its invasion analysis engine has only used two BP neural net cooperative detection, and because the degree of ordinary node is very little, calculated performance is not as Centroid, so provide the collaborative obligation of serving that detects except the requirement of the Centroid that carries out local detection and be attached thereto for response at one's leisure participates in not bearing certain collaborative detection computations for other nodes.Its functional part mainly comprises local data collector, data preliminary treatment and form transducer, local invasion analysis engine (detector), local invasion sample characteristics storehouse, novel invasion sample transmitter, communication for coordination server, response alarm device.Wherein the effect of local data collector, data preliminary treatment and form transducer, novel invasion sample transmitter, response alarm device and Centroid is identical, repeat no more, slightly different is detector and feature database, in addition because it often will send the collaborative request that detects to other nodes by Centroid, so needing increases the communication for coordination server, now is respectively described below:
Local invasion analysis engine: the detection engine of ordinary node adopts two independently modes of BP neural net cooperative detection, and one of them BP network is a primary detector, and another is an assisted detector.During actual detected,, then regard normal data as if two networks all are judged as normally; If two networks all are judged as unusually, then regard the invasion data as; If one is judged as normal and another is judged as unusually, then as the suspection data that temporarily can't adjudicate, to suspect that by the communication for coordination server sample sends to the Centroid that it connects, uniting other a plurality of ordinary nodes by Centroid again provides collaborative the detection to serve to make final judgement.
The local sample characteristics storehouse of invading: suspect sample if the final result that draws through collaborative detection is a kind of invasion really, then extract its characteristic storage in invasion sample characteristics storehouse, this locality, check feature database in the detection afterwards earlier, if and certain bar record coupling wherein, then directly be judged as invasion, need not work in coordination with detection once more, to reduce security overhead.
The communication for coordination server: the suspection sample that this node can't be judged sends to remote center's node, propose the cooperation with service request or respond the requirement of certain Centroid, receive the suspection data that it is sent, the result of calculation of analysis engine is returned in invasion analysis engine analysis on this machine of submitting to again to Centroid.
Two, method flow
A kind of synergetics learning invasion detection method that is applied to data grids resists the attack of automatic network effectively by the fail safe that the collaborative study of the BP neural net on each heterogeneous nodes in the data grids, mutual supplement with each other's advantages improve each back end, and is specific as follows:
The local intrusion detection flow process of ordinary node:
Step 1: the real-time collection network packet of local data collector,
Step 2: data preliminary treatment and form transducer extract each attributive character of the packet that collects, and carry out preliminary treatment and change into the form that is fit to this node machine,
Step 3: the data after the conversion are sent local invasion analysis engine, detects respectively by two BP detectors,
Step 4: if two detectors all are judged to normal data normal, then be judged to normal data, finish epicycle and detect, change step 1 and continue the collection network packet; Attack attack if two detectors all are judged as, then start the response alarm device, the local network invasion is found in warning, changes step 5; If the judged result of two detectors is inconsistent, change step 6,
Step 5: novel invasion sample transmitter will be attacked the novel invasion sample receiver that data sample sends to the direct-connected Centroid of this node, inform that Centroid found a kind of invasion here, finish epicycle and detect, and change step 1 and continue the collection network packet,
Step 6: local invasion analysis engine connects local invasion sample characteristics storehouse, whether attack signature sample with this Data Matching is arranged in the query characteristics storehouse,, then start the response alarm device if having, the local network invasion is found in warning, changes step 1 and continues the collection network packet; If do not have, then think suspicious data, send the communication for coordination server, change step 7,
Step 7: the communication for coordination server will suspect that sample mails to the collaborative request service broker with the direct-connected Centroid of this node, propose the cooperation with service request,
Step 8: the communication for coordination server receives the result that collaborative request service broker returns, and submits to detector,
Step 9: detector receives and checks return results, if normal data is then changeed step 1 and continued the collection network packet; If the attack data then start the response alarm device, the local network invasion is found in warning, simultaneously the characteristic storage of this attack sample is invaded in the sample characteristics storehouse to this locality, changes step 1 and continues the collection network packet;
Ordinary node participates in collaborative evaluation work flow process:
Step 21: the communication for coordination server receives suspection data and the collaborative calculation requirement from other nodes that the collaborative request service broker of Centroid sends, and whether the state of the local invasion of inquiry analysis engine is idle,
Step 22: if local invasion analysis engine state is busy, have no time to participate in collaborative calculating, the then not requirement of responsing center's node, packet discard finishes this flow process; Otherwise change step 23,
Step 23: the communication for coordination server will receive from the suspection data of Centroid and submit to the invasion analysis engine,
Step 24: the primary detector by analysis engine detects this suspection data, and the result returns to the communication for coordination server,
Step 25: the communication for coordination server sends to the result of calculation of this node the collaborative request service broker of Centroid;
The local intrusion detection workflow of Centroid:
Step 31: the real-time collection network packet of local data collector,
Step 32: data preliminary treatment and form transducer extract each attributive character of the packet that collects, and carry out preliminary treatment and change into the form that is fit to this node machine,
Step 33: the data after the conversion are sent local integrated invasion analysis engine, detects by integrated detector,
Step 34:, then change step 35 if testing result is normal normal; If unusual, then start the response alarm device, the local network invasion is found in warning, changes step 36,
Step 35: the invasion analysis engine connects invasion sample characteristics storehouse, and whether the attack signature sample with this Data Matching is arranged in the query characteristics storehouse, if having, then starts the response alarm device, and the local network invasion is found in warning, changes step 36; If do not have, then think normal data, finish epicycle and detect, change step 31 and continue the collection network packet,
Step 36: novel invasion sample transmitter will be attacked data sample and send to novel invasion sample receiver with direct-connected other Centroids of this Centroid, inform and found a kind of invasion here, finish epicycle and detect, change step 31 and continue the collection network packet;
Centroid is collected novel invasion sample characteristics flow process:
Step 41: novel invasion sample receiver receives the detected attack data of submitting to from collaborative request service broker on other nodes or this machine, and data are submitted to integrated detector,
Step 42: integrated detector detects data, if testing result is also for attacking attack, then process ends; Otherwise, enter next step,
Step 43: integrated detector connects invasion sample characteristics storehouse, and whether the attack signature sample with this Data Matching is arranged in the query characteristics storehouse, if having, and process ends then; If do not have, then think a kind of newfound invasion, enter next step,
Step 44: this characteristic storage of attacking sample in invasion sample characteristics storehouse;
Centroid provides the collaborative service procedure that detects:
Step 51: collaborative request service broker receives suspection sample and the cooperation with service request that certain ordinary node is sent,
Step 52: the service broker sends these suspection data and collaborative calculation requirement in the mode of broadcasting to all ordinary nodes that this node was connected,
Step 53: the service broker receives the result of calculation that all nodes that respond return, and submits to the cooperative intrusion analysis engine,
Step 54: cooperative intrusion analysis engine statistics service broker submits to the collaborative testing result of its each responsive node, to this suspect data if the quantity of node that is judged as attack more than or equal to the quantity num that is judged as normal node (attack)=num (normal), then be judged as attack, otherwise be judged as normal.
Step 55: the cooperative intrusion analysis engine returns judged result to the service broker,
Step 56: the service broker checks the result who receives, if normal, then it is directly returned the node that sends the cooperation with service request; If unusual, except the result being returned the node that sends the cooperation with service request, also will confirm as the data sample of attack and issue local novel invasion sample receiver, a kind of new invasion has been found in report.
The functional part of Centroid intrusion detection module mainly comprises local data collector, novel invasion sample receiver, collaborative request service broker, data preliminary treatment and form transducer, local integrated invasion analysis engine, invasion sample characteristics storehouse, cooperative intrusion analysis engine, novel invasion sample transmitter, response alarm device; The functional part of ordinary node intrusion detection module mainly comprises local data collector, data preliminary treatment and form transducer, local invasion analysis engine, local invasion sample characteristics storehouse, novel invasion sample transmitter, communication for coordination server, response alarm device.
Beneficial effect: use this scheme that following advantage is arranged:
1. fail safe, the survivability of data grids Centroids have greatly been guaranteed.Because verified weak the integrated of learner of experimental study can form powerful detectability, can effectively guarantee the safety of data center at the integrated study device of Centroid deploy, Centroid is collected the novel invasion feature of finding from other nodes (comprising Centroid and ordinary node) in real time simultaneously, at any time learn " experience " of other nodes, make the knowledge of its feature database more and more abundanter, comprehensively, this design combines abnormality detection and feature detection, powerful anomaly detector cooperates the feature detection of comprehensive and abundant, have complementary advantages, make data grids have the ability that very strong anti-specific aim is hit.
2. improved the network security of ordinary node effectively.Though ordinary node is because the limitation of self performance, can not dispose powerful detector, but the present invention has utilized the isomerism of data grids nodes and advantage separately dexterously, because ordinary node wide area physically distributes, be positioned at the diversified Virtual Organization and the network segment, the level of security difference, the network packet difference of Cai Jiing is very big separately, the attack type that runs into has a great difference, the detector of possible certain node to a kind of often be easy to detect at self attack and this attack to be other nodes seldom run into and be difficult for detecting.The collaborative detection service that ordinary node provides by Centroid, can with a lot of other collaborative study of ordinary node, learn from other's strong points to offset one's weaknesses, improved the detectability of self greatly.
3. reduced the security overhead of data grids.Because the intrusion detection module on each node detects local invasion independently of one another, handle by each node oneself for own confessedly data, do not need unified central processing unit, under data grid environment, realized distributed Intrusion Detection Systems truly; For through the collaborative suspection sample of confirming as attack that detects, in time extract attack signature and be stored in the local feature database, run into this type of attack later on again, just can directly search feature database, need not work in coordination with calculating once more, reduced security overhead.
Description of drawings
Fig. 1 is the data grids canonical topology structure chart of simplifying according to Complex Networks Theory.
Fig. 2 is the system assumption diagram of Centroid intrusion detection module.
Fig. 3 is the system assumption diagram of ordinary node intrusion detection module.
Fig. 4 is the local intrusion detection flow chart of ordinary node.
Fig. 5 is that ordinary node participates in collaborative calculation flow chart.
Fig. 6 is the local intrusion detection flow chart of Centroid.
Fig. 7 is that Centroid is collected novel invasion sample characteristics flow chart.
Fig. 8 is that Centroid provides the collaborative service procedure figure that detects.
Embodiment
1, ordinary node intrusion detection flow process
This locality invasion analysis engine on the ordinary node is made of two BP neural nets, and two networks are stand-alone trainings, and appointment wherein any network is a primary detector, and another then is an assisted detector.Two local network packet of gathering of detector cooperative detection, wherein primary detector is except carrying out this locality detection, and also the cooperative intrusion of primary detector detects on participation and other nodes.Network data for this locality, have only when major-minor two detectors all are judged as and just often just be defined as normal data, if two detector judged results disagree then as suspect data sample by the communication for coordination server mail to this node a direct-connected Centroid, provide the collaborative service that detects by the cooperative intrusion analysis engine on the Centroid.Any ordinary node all will be issued coupled Centroid with the invasion data as long as find intrusion behavior, reference is provided for the detection of Centroid.
The local intrusion detection groundwork of ordinary node flow process (see figure 4):
Step1: the real-time collection network packet of local data collector.
Step2: data preliminary treatment and form transducer extract each attributive character of the packet that collects, carry out preliminary treatment and change into the form that is fit to this node machine.
Step3: the data after the conversion are sent local invasion analysis engine, are detected respectively by two BP detectors.
Step4: if two detectors all are judged to normal data (normal), then be judged to normal data, finish epicycle and detect, change step1 and continue the collection network packet; If two detectors all are judged as attack (attack), then start the response alarm device, the local network invasion is found in warning, changes step5; If the judged result of two detectors is inconsistent, change step6.
Step5: novel invasion sample transmitter will be attacked the novel invasion sample receiver that data sample sends to the direct-connected Centroid of this node, inform that Centroid found a kind of invasion here, finish epicycle and detect, and change step1 and continue the collection network packet.
Step6: local invasion analysis engine connects local invasion sample characteristics storehouse, whether attack signature sample with this Data Matching is arranged in the query characteristics storehouse,, then start the response alarm device if having, the local network invasion is found in warning, changes step1 and continues the collection network packet; If do not have, then think suspicious data, send the communication for coordination server, change step7.
Step7: the communication for coordination server will suspect that sample mails to the collaborative request service broker with the direct-connected Centroid of this node, proposes the cooperation with service request.
Step8: the communication for coordination server receives the result that collaborative request service broker returns, and submits to detector.
Step9: detector receives and checks return results, if normal data is then changeed step1 and continued the collection network packet; If the attack data then start the response alarm device, the local network invasion is found in warning, simultaneously the characteristic storage of this attack sample is invaded in the sample characteristics storehouse to this locality, changes step1 and continues the collection network packet.
Ordinary node participates in collaborative evaluation work flow process (see figure 5):
Step1: the communication for coordination server receives suspection data and the collaborative calculation requirement from other nodes that the collaborative request service broker of Centroid sends, and whether the state of the local invasion of inquiry analysis engine is idle.
Step2: if local invasion analysis engine state is busy, have no time to participate in collaborative calculating, the then not requirement of responsing center's node, packet discard finishes this flow process; Otherwise change step3.
Step3: the communication for coordination server will receive from the suspection data of Centroid and submit to the invasion analysis engine.
Step4: the primary detector by analysis engine detects this suspection data, and the result returns to the communication for coordination server.
Step5: the communication for coordination server sends to the result of calculation of this node the collaborative request service broker of Centroid.
2, Centroid intrusion detection flow process
The Centroid deploy be strong detector by a lot of BP network integrations, and it is collected in real time and deposits in the feature database from the invasion data characteristics that has been detected on other nodes, feature database on it is being stored all novel attack signatures that each place of whole mesh is found, therefore Centroid does not need to detect local invasion with other nodes are collaborative, because its powerful computing ability and very big degree of communication can provide the collaborative service that detects for the ordinary node in the grid easily.
The local intrusion detection workflow of Centroid (see figure 6):
Step1: the real-time collection network packet of local data collector.
Step2: data preliminary treatment and form transducer extract each attributive character of the packet that collects, carry out preliminary treatment and change into the form that is fit to this node machine.
Step3: the data after the conversion are sent local integrated invasion analysis engine, are detected by integrated detector.
Step4:, then change step5 if testing result is normal (normal); If unusual, then start the response alarm device, the local network invasion is found in warning, changes step6.
Step5: the invasion analysis engine connects invasion sample characteristics storehouse, and whether the attack signature sample with this Data Matching is arranged in the query characteristics storehouse, if having, then starts the response alarm device, and the local network invasion is found in warning, changes step6; If do not have, then think normal data, finish epicycle and detect, change step1 and continue the collection network packet.
Step6: novel invasion sample transmitter will be attacked data sample and send to novel invasion sample receiver with direct-connected other Centroids of this Centroid, inform and find a kind of invasion here, finish epicycle and detect, and change step1 and continue the collection network packet.
Centroid is collected novel invasion sample characteristics flow process (see figure 7):
Step1: novel invasion sample receiver receives the detected attack data of submitting to from collaborative request service broker on other nodes or this machine, and data are submitted to integrated detector.
Step2: integrated detector detects data, if testing result is also for attacking (attack), then process ends; Otherwise, enter next step.
Step3: integrated detector connects invasion sample characteristics storehouse, and whether the attack signature sample with this Data Matching is arranged in the query characteristics storehouse, if having, and process ends then; If do not have, then think a kind of newfound invasion, enter next step.
Step4: this characteristic storage of attacking sample in invasion sample characteristics storehouse.
Centroid provides the collaborative service procedure (see figure 8) that detects:
Step1: collaborative request service broker receives suspection sample and the cooperation with service request that certain ordinary node is sent.
Step2: the service broker sends these suspection data and collaborative calculation requirement in the mode of broadcasting to all ordinary nodes that this node was connected.
Step3: the service broker receives the result of calculation that all nodes that respond return, and submits to the cooperative intrusion analysis engine.
Step4: cooperative intrusion analysis engine statistics service broker submits to the collaborative testing result of its each responsive node, to this suspect data if the quantity of node that is judged as attack more than or equal to the quantity num that is judged as normal node (attack)=num (normal), then be judged as attack, otherwise be judged as normal.
Step5: the cooperative intrusion analysis engine returns judged result to the service broker.
Step6: the service broker checks the result who receives, if normal, then it is directly returned the node that sends the cooperation with service request; If unusual, except the result being returned the node that sends the cooperation with service request, also will confirm as the data sample of attack and issue local novel invasion sample receiver, a kind of new invasion has been found in report.
For convenience of description, our topological structure of tentation data grid example as shown in Figure 1, the testing process of ordinary node and Centroid is that representative is told about with ai and A respectively, other node detection process is identical therewith, and then its embodiment is: initial: Centroid A, B, C and separately ordinary node a1, a2 ..., am; B1, b2 ..., bn; C1, c2, ck is last according to Fig. 2, the system assumption diagram of Fig. 3 is set up the intruding detection system of each node self respectively, and according to (the data subset training that each neural net of same node detection device adopts independent random in this node training dataset to extract of the BP neural net on each self-detector of data stand-alone training of the residing real network environment of each node, and get different yojan attribute sets, guaranteed to train the isomerism of each neural net that obtains), the feature database of each node of initialization, several modal invasion feature that a minute book ground node is run in the initial storehouse.
The local intrusion detection of ordinary node ai:
(1) the real-time collection network packet of the local data collector on the ai.
(2) data preliminary treatment and form transducer extract each attributive character of the packet that collects, carry out preliminary treatment and change into the form that is fit to this node machine.
(3) data after the conversion are sent local invasion analysis engine, are detected respectively by two BP detectors.
(4) if two detectors all are judged to normal data (normal), then be judged to normal data, finish epicycle and detect, change (1) and continue the collection network packet; If two detectors all are judged as attack (attack), then start the response alarm device, the local network invasion is found in warning, changes (5); If the judged result of two detectors is inconsistent, change (6).
(5) novel invasion sample transmitter will be attacked the novel invasion sample receiver that data sample sends to A, inform that A has found a kind of invasion here, finish epicycle and detect, and change (1) and continue the collection network packet.
(6) local invasion analysis engine connects local invasion sample characteristics storehouse, and whether the attack signature sample with this Data Matching is arranged in the query characteristics storehouse, if having, then starts the response alarm device, and the local network invasion is found in warning, changes (1) and continues the collection network packet; If do not have, then think suspicious data, send the communication for coordination server, change (7).
(7) the communication for coordination server will suspect that sample mails to the collaborative request service broker of A, propose the cooperation with service request.
(8) the communication for coordination server receives the result that collaborative request service broker returns, and submits to detector.
(9) detector receives and checks return results, if normal data is then changeed (1) and continued the collection network packet; If the attack data then start the response alarm device, the local network invasion is found in warning, simultaneously the characteristic storage of this attack sample is invaded in the sample characteristics storehouse to this locality, changes (1) and continues the collection network packet.
Ai participates in collaborative evaluation work flow process:
(1) the communication for coordination server receives suspection data and the collaborative calculation requirement from other nodes that the collaborative request service broker of A sends, and whether the state of the local invasion of inquiry analysis engine is idle.
(2) if local invasion analysis engine state is busy, have no time to participate in collaborative calculating, then do not respond the requirement of A, packet discard finishes this flow process; Otherwise change (3).
(3) the communication for coordination server will receive from the suspection data of A and submit to the invasion analysis engine.
(4) primary detector by analysis engine detects this suspection data, and the result returns to the communication for coordination server.
(5) the communication for coordination server sends to the result of calculation of this node the collaborative request service broker of A.
The local intrusion detection of Centroid A:
(1) the real-time collection network packet of the local data collector on the A.
(2) data preliminary treatment and form transducer extract each attributive character of the packet that collects, carry out preliminary treatment and change into the form that is fit to this node machine.
(3) data after the conversion are sent local integrated invasion analysis engine, are detected by integrated detector.
(4) if testing result is normal (normal), then change (5); If unusual, then start the response alarm device, the local network invasion is found in warning, changes (6).
(5) the invasion analysis engine connects invasion sample characteristics storehouse, and whether the attack signature sample with this Data Matching is arranged in the query characteristics storehouse, if having, then starts the response alarm device, and the local network invasion is found in warning, changes (6); If do not have, then think normal data, finish epicycle and detect, change (1).
(6) novel invasion sample transmitter will be attacked data sample and send to novel invasion sample receiver on B and the C, inform and find a kind of invasion here, change (1).
A collects novel invasion sample characteristics:
(1) the novel invasion sample receiver on the A receives the detected attack data of submitting to from collaborative request service broker on B, C or this machine, and data are submitted to integrated detector.
(2) integrated detector detects data, if testing result is also for attacking (attack), then process ends; Otherwise, enter (3).
(3) integrated detector connects invasion sample characteristics storehouse, and whether the attack signature sample with this Data Matching is arranged in the query characteristics storehouse, if having, and process ends then; If do not have, then think a kind of newfound invasion, enter (4).
(4) this characteristic storage of attacking sample in invasion sample characteristics storehouse.
A provides the collaborative service process that detects:
(1) the collaborative request service broker on the A receives suspection sample and the cooperation with service request that ai sends.
(2) service broker with the mode of broadcasting to all ordinary node a1, a2 that A was connected ..., am sends these suspection data and collaborative calculation requirement.
(3) service broker receives the result of calculation that all nodes that respond return, and submits to the cooperative intrusion analysis engine.
(4) cooperative intrusion analysis engine statistics service broker submits to the collaborative testing result of its each responsive node, to this suspect data if the quantity of node that is judged as attack more than or equal to the quantity num that is judged as normal node (attack)=num (normal), then be judged as attack, otherwise be judged as normal.
(5) the cooperative intrusion analysis engine returns judged result to the service broker.
(6) service broker checks the result who receives, if normal, then it is directly returned ai; If unusual, except the result is returned the ai, also will confirm as the data sample of attack and issue local novel invasion sample receiver, a kind of new invasion has been found in report.