Title of invention: SIGNATURE GRAPH HYBRID INTRUSION DETECTION SYSTEM
Abstract: A signature graph hybrid IDS is provided to analyze intrusions by automatically storing information about attacks in a log file, classifying the contents of the log file by signature, storing the classified signatures in a database, and comparing the signature of a newly received attack with the signatures stored in the database. A DCM (Data Collection Module) collects audit data by capturing data on the network. An ADGM (Audit Data Generation Module) analyzes the collected audit data to generate audit data from which intrusion can be determined. An IDSGM (Intrusion Detection Signature Generation Module) generates an intrusion detection signature by separating the audit data into alert and log events. An ATES (Algorithm Transforming the Existing Signature) generates intrusion detection signatures for similar or mutated intrusions based on the generated intrusion detection signature. An SGGM (Signature Graph Generation Module) builds a signature graph by analyzing the correlation between the classified signatures. An information database, linked with an analysis engine, determines that an intrusion has occurred if a connection event does not agree with the audit data stored in the information database, and issues an alert to a manager through a response module.
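Application publication number: KR20070104761(A) Application publication date: 2007.10.29
Application number: KR20060036812 Filing date: 2006.04.24
Applicant: LEE, BYUNG KWAN;KIM, DAE YOUN Inventor: LEE, BYUNG KWAN;KIM, DAE YOUN
Classification number: G06F15/00 Main classification number: G06F15/00
Agency: Agent:
Main claim:
Address: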