Title :
A network intrusion detection system with the snooping agents
Author :
Zeng, Bin ; Yao, Lu ; Chen, ZhiChen
Author_Institution :
Dept. of Manage., Naval Univ. of Eng., Wuhan, China
Abstract :
In order to increase the protection ability of the network intrusion detection system (NIDS), it is important to gather the host information of the intruder. In the proposed IDS called NIDS-SA, three basic components are developed to support the active monitoring capability: Intrusion Detection Node (IDN), Intrusion Detection Coordinator (IDC), and Snooper Agent (SA). The IDN is used to capture packets, de-multiplex packets, detect local intrusion and infer intrusion. The IDC is installed in an administration workstation for communicating with and managing IDNs; it can also do the intrusion detection and intrusion inferring. The RA consists of several snoop functions for information gathering. After an attack behavior is detected, the RA may launch some kinds of information gathering functions against the attacker, so that the proposed NIDS-SA has the active snoop ability. Furthermore, NIDS-SA includes the functions of pattern matching and statistical inference. To ensure secure communication between the IDC and IDNs, cryptography-based mechanisms are applied in the design phase of the proposed NIDS-SA. An intrusion detection experiment is carried out on our campus to simulate the real attack scenarios and validate the performance of NIDS-SA.
Keywords :
computer network security; cryptography; data mining; demultiplexing; inference mechanisms; pattern matching; statistical analysis; NIDS-SA; active monitoring capability; active snoop ability; administration workstation; attack behavior detection; cryptography-based mechanism; information gathering; intrusion detection coordinator; intrusion detection node; intrusion inferring; local intrusion detection; network intrusion detection system; packet demultiplexing; pattern matching; protection ability; secure communication; snoop function; snooper agent; snooping agents; statistical inference; Engines; Fires; IP networks; Multi agent system; Network intrusion detection system; Pattern matching; Statistical analysis;
Conference_Title :
Computer Application and System Modeling (ICCASM), 2010 International Conference on
Conference_Location :
Taiyuan
Print_ISBN :
978-1-4244-7235-2
Electronic_ISBN :
978-1-4244-7237-6
DOI :
10.1109/ICCASM.2010.5620022