Multi-Tier Intrusion Detection System

There have been many different intrusion detection approaches, but none has been accurate enough to avoid false negatives and false positives. In this paper we propose a novel approach to more precisely deter mine whether or not an intrusion has happened. In this approach different intrusion detection techniques are smoothly integrated. This integrated system consists of a number of detectors, each sitting on a specific tier and employing a different intrusio n detection method. A detector has three main components: a consumer, a filter and a producer. The consumer collects signaling events from detectors at lower tiers or primary event sources and forwards them to the filter. The filter amplifies the intru sion signal and reduces the noise, and exports the resulting signaling events to the producer. From the producer, these signaling events are further exported to detectors at higher tiers, or directly to system administrators. This multi -tiered structure makes it possible to refine chaotic information from primitive sources from the bottom up, until system administrators on top finally receive a clear signal (if an intrusion does happen). This system is extensible a new detector, thus a new intrusion detec tion technique, can easily be incorporated by following interface specification for detector interaction. It is also configurableeach detector can configure its own policy by following internal detector interface. Finally, as long as communication authe nticity and secrecy between detectors can be guaranteed, this system can be readily distributed over multiple machines and geographic areas, further facilitating to detect intrusions that cross a wider area.