
Computer Science English Paper (on Network Security: Intrusion Detection), English Version

Intrusion Detection in Network Security
Zhang San 201221xxxx
Master of Computing, xxx xx xx University, Wuhan, China

Abstract—With the development of computer network technology, the risk of network intrusion has also greatly increased, and traditional encryption and firewall technology can no longer meet today's security needs. Intrusion detection technology has therefore developed quickly in recent years; it is a new, dynamic security mechanism for detecting and preventing intrusions into a system. Unlike traditional security mechanisms, intrusion detection offers intelligent surveillance, real-time detection, dynamic response and so on. In a sense, intrusion detection technology is a reasonable supplement to firewall technology.

Index Terms—network security, intrusion detection

I. THE NECESSITY OF INTRUSION DETECTION

With the development of computer network technology, the destructive effects and losses caused by network attacks have also greatly increased. Network security is becoming more and more complicated, and the traditional, passive encryption and firewall technologies cannot defend against diverse and complex attacks. Recently, intrusion has become easy for many computer-competent people, and there are many intrusion courses and tools. So it is of great significance and necessity to develop intrusion detection systems.

II. THE DEVELOPMENT OF INTRUSION DETECTION SYSTEMS

In 1980, James P. Anderson published "Computer Security Threat Monitoring and Surveillance", which explained the concept of intrusion detection in detail, the threat classification of computer systems, and the idea of monitoring intrusion activities using audit trail data. From 1984 to 1986, Dorothy Denning and Peter Neumann worked out a real-time intrusion detection system model, IDES. In 1990, L. Heberlein and others developed NSM (Network Security Monitor), which greatly advanced IDS and led to the split between network-based IDS and host-based IDS. After 1988, America began to study DIDS (Distributed Intrusion Detection System), which became a milestone product in the history of IDS. From the 1990s to now, the research and development of intrusion detection systems has made great progress in intelligence and distribution.

III. DEFINITION AND WORK-FLOW

A. Definition
Intrusion detection is the discovery of intrusion behaviors. It collects and analyzes data from key points in computer networks or computer systems, and checks whether there are behaviors that violate security policies or signs of attack in the network or system. It can then sound an alarm or make a corresponding response in time, to ensure the confidentiality and availability of system resources.

B. Work-flow
1) Information Gathering. The first step of intrusion detection is information gathering. The information includes the contents of network traffic, the states and behaviors of user connections, and user activities.
2) Signal Analysis. The information gathered above is analyzed with three technologies: pattern matching, statistical analysis and integrity analysis.
3) Real-time Recording, Alarming and Limited Counterattack. The fundamental goal of an IDS is to make a corresponding response to intrusion behaviors, which includes detailed logging, real-time alarm and limited counterattack.

IV. GENERIC MODEL AND FRAMEWORK

A. The Generic Model
In 1987, Denning proposed an abstract generic model of intrusion detection. As Figure 1 shows, the model mainly consists of six parts: subjects, objects, audit records, activity profiles, exception records and activity rules.

Figure 1 (Denning's generic model; the figure is not reproduced on this page)

B. The Framework
In recent years the market for intrusion detection systems has developed very quickly, but the lack of universality between different systems hinders the development of intrusion detection, because there is no corresponding general standard. To solve the universality and coexistence problems between different IDSs, the American Defense Advanced Research Projects Agency (DARPA) started the CIDF (Common Intrusion Detection Framework) standard, trying to provide a fundamental structure that allows intrusion detection, analysis and response systems to work together. Finally the security laboratory of the University of California at Davis completed the CIDF standard. The main purposes of the framework are:
1) IDS component sharing, that is, a component of one IDS can be used by another IDS.
2) Data sharing, that is, all kinds of data in an IDS can be shared and transferred between different systems in the standard data format provided.
3) Improving the universality standards and establishing a set of development interfaces and support tools.
CIDF expounds the generic model of an intrusion detection system; it classifies an IDS into the components below:
a) Event Generators: get events from the whole computing environment and provide them to the other parts of the system.
b) Event Analyzers: analyze the data obtained and produce the analytic results.
c) Response Units: the functional unit that responds to the analytic results. It can make a strong reaction such as cutting off the connection or changing the attributes of files, or just raise a simple alarm.
d) Event Databases: a collective name for the place where all kinds of data are stored. It can be a complex database or a simple text file.

V. THE CLASSIFICATION OF INTRUSION DETECTION

A. Host-based Intrusion Detection
Usually it uses the operating system audit trail and logs as data sources for detecting intrusion; some systems also interact with the host to get information that does not exist in the system log. This type of detection system needs no additional hardware. It is insensitive to network traffic, has high efficiency, and can accurately locate the intrusion and respond in a timely manner. However, it occupies host resources and relies on the reliability of the host. At the same time it can only detect a limited set of attack types, and it cannot detect network attacks.

B. Network-based Intrusion Detection
By passively listening to the raw traffic transmitted on the network, it processes the network data and draws useful information from it, and then recognizes attacks by matching against known attack signatures or by comparing with a prototype of normal network behavior. Such a detection system does not rely on the operating system as a detection resource and can be used on different operating system platforms. It has a simple configuration and does not need any special auditing or logging mechanism. It can also detect protocol attacks, attacks on specific environments and so on. But it can only monitor activity on the network and cannot get the real-time status of the host system, which limits its accuracy. Most intrusion detection tools are network-based intrusion detection systems.
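The four CIDF components of section IV, with an Event Analyzer that applies the three signal-analysis technologies of section III.B (pattern matching, statistical analysis and integrity analysis), as an added example that is not part of the original paper. The signature library, integrity baseline, normal-period counts and audit lines are all constructed here for illustration.

```python
import hashlib
import statistics
# Constructed signature library (pattern matching) and integrity baseline
# (sha256 of the static part of the system); both are illustrative values.
SIGNATURES = {"../../": "path traversal", "' OR '1'='1": "SQL injection"}
BASELINE = {"/etc/passwd": hashlib.sha256(b"root:x:0:0").hexdigest()}
NORMAL_COUNTS = [4, 5, 6, 5, 5, 4, 6]      # constructed: requests per source, normal period
SAMPLE_AUDIT = [                           # constructed audit lines: "<kind> <source> <data>"
    "http 10.0.0.5 GET /index.html",
    "http 10.0.0.9 GET /../../etc/passwd",
    "file host1 /etc/passwd root:x:0:0",
] + ["http 10.0.0.7 GET /login"] * 8 + ["file host1 /etc/passwd root:x:0:0 backdoor:x:0:0"]

def event_generator(audit_lines):
    # Event Generator: raw audit lines become (kind, source, data) events.
    for line in audit_lines:
        kind, src, data = line.split(" ", 2)
        yield kind, src, data

class EventAnalyzer:
    # Event Analyzer applying the three III.B analyses to every event.
    def __init__(self, normal_counts, k=3.0):
        self.mean = statistics.mean(normal_counts)     # dynamic profile of normal behaviour
        self.stdev = statistics.pstdev(normal_counts)
        self.k = k                                     # deviations that count as abnormal
        self.seen = {}                                 # requests per source, monitored window

    def analyze(self, kind, src, data):
        if kind == "http":
            self.seen[src] = self.seen.get(src, 0) + 1
            for sig, name in SIGNATURES.items():       # pattern matching
                if sig in data:
                    return "cut", f"{name} from {src}"
            if self.seen[src] > self.mean + self.k * self.stdev:   # statistical analysis
                return "alarm", f"request rate anomaly from {src}"
        elif kind == "file":                           # integrity analysis
            path, content = data.split(" ", 1)
            if BASELINE.get(path) != hashlib.sha256(content.encode()).hexdigest():
                return "alarm", f"integrity violation on {path}"
        return None

def response_unit(finding, src, blocked):
    # Response Unit: strong reaction (cut the connection) or a simple alarm.
    if finding[0] == "cut":
        blocked.add(src)
    return finding

def run_ids(audit_lines, normal_counts):
    # Wires the four CIDF components; the returned list is the Event Database.
    analyzer, event_db, blocked = EventAnalyzer(normal_counts), [], set()
    for kind, src, data in event_generator(audit_lines):
        finding = analyzer.analyze(kind, src, data)
        if finding:
            event_db.append(response_unit(finding, src, blocked))
    return event_db, blocked
```

Running `run_ids(SAMPLE_AUDIT, NORMAL_COUNTS)` yields one record per analysis type: a cut connection for the signature hit, a rate alarm once a source exceeds the learned profile by three deviations, and an integrity alarm for the changed file.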
C. Distributed Intrusion Detection
This kind of intrusion detection system generally has a distributed structure composed of multiple components, which uses host-based intrusion detection on the key hosts and network-based intrusion detection at the key points of the network. At the same time, it analyzes the audit logs from the host system and the data traffic from the network to detect whether a protected system is under attack.
The three kinds of intrusion detection systems above have their own advantages and disadvantages, and they can complement each other. A complete intrusion detection system (IDS) must be a distributed system based on both the host and the network, but at present there is no perfect IDS to serve as a model. As a matter of fact, commercial products are rarely based on only one kind of intrusion detection model. Intrusion detection systems implemented with different structures and techniques have different advantages and disadvantages, and each of them can only be used in a particular environment.

VI. THE METHODS OF INTRUSION DETECTION

At present there are many methods of intrusion detection in IDS. Some common methods are listed below:

A. Statistical Method
The statistical method is a commonly used method in production intrusion detection systems, and it is normally used for anomaly detection. It is a relatively mature intrusion detection method: it makes the intrusion detection system identify abnormal activities that differ from normal activities by learning the main daily behaviors.

B. Expert System
Using an expert system to detect intrusion is usually aimed at diagnostic intrusion. The so-called rules are knowledge. The establishment of an expert system depends on the completeness of the knowledge base, and the completeness of the knowledge base depends on the completeness and timeliness of the audit.

C. Keystroke Monitor
Keystroke monitoring is a simple method to detect intrusion by analyzing the pattern of users' keystroke sequences. It can be used for host-based intrusion detection. The disadvantages of this technique are very obvious. To begin with, batch processing or a shell program can directly call the attack command sequence instead of keystrokes. Secondly, operating systems generally do not provide a keystroke detection interface, so extra hook functions are needed to monitor the keystrokes.

D. Model-based Method
Attackers often use a certain behavioral sequence when attacking a system, such as guessing the password; this kind of behavioral sequence forms a model with certain behavioral symptoms. According to this model, attack attempts can be detected. The advantage of this method lies in its sound uncertainty reasoning. The model-based intrusion detection method can monitor only some of the major audit events; after these events occur, it starts to record a detailed audit, so as to reduce the processing load of audit events.

E. Pattern Matching
The intrusion detection method based on pattern matching encodes known intrusion features into patterns that coincide with the audit records. When a new audit event occurs, this method looks for a matching intrusion pattern.

VII. INTRUSION DETECTION TECHNOLOGY

Intrusion detection technology is one of the core technologies of security auditing and an important component of network security protection. There are two main techniques of intrusion detection: anomaly detection and misuse detection.

A. Anomaly Detection
Anomaly detection can be classified into static anomaly detection and dynamic anomaly detection.
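Before the two anomaly detection variants are described, the model-based method of section VI.D, as an added example that is not code from the paper: the password-guessing behavioral sequence is the model, only login outcomes are watched as major audit events, and detailed audit is switched on for a source only once the model's prefix has matched. The three-failures-within-60-seconds model and the audit stream are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed audit stream: (time_s, source, kind, detail). Only "login" events
# are the "major" audit events the detector watches before detailed audit starts.
SAMPLE_AUDIT = [
    (0, "10.0.0.8", "login", "alice FAIL"),
    (2, "10.0.0.8", "login", "alice FAIL"),
    (3, "10.0.0.8", "login", "alice FAIL"),   # third failure: model prefix matched
    (4, "10.0.0.8", "exec", "id"),            # now recorded by the detailed audit
    (5, "10.0.0.8", "login", "alice OK"),     # success after failures: full model
    (6, "10.0.0.8", "exec", "whoami"),
    (7, "10.0.0.3", "login", "bob FAIL"),     # one typo then success: normal use
    (40, "10.0.0.3", "login", "bob OK"),
]

@dataclass
class SourceState:
    fails: list = field(default_factory=list)   # timestamps of recent failed logins
    detailed: bool = False                      # detailed audit switched on?
    trail: list = field(default_factory=list)   # detailed audit records, if on

class ModelBasedDetector:
    # Model (assumed): >= fails_to_suspect failures within window_s seconds from
    # one source, followed by a successful login, is a password-guessing attack.
    def __init__(self, fails_to_suspect=3, window_s=60):
        self.fails_to_suspect = fails_to_suspect
        self.window_s = window_s
        self.state = {}          # per-source SourceState
        self.alerts = []         # (source, account, failures_before_success)

    def feed(self, t, src, kind, detail):
        st = self.state.setdefault(src, SourceState())
        if kind == "login":                                  # a major audit event
            account, outcome = detail.split()
            st.fails = [x for x in st.fails if t - x <= self.window_s]
            if outcome == "FAIL":
                st.fails.append(t)
                if len(st.fails) >= self.fails_to_suspect:
                    st.detailed = True                       # prefix matched: start detailed audit
            elif outcome == "OK" and len(st.fails) >= self.fails_to_suspect:
                self.alerts.append((src, account, len(st.fails)))
                st.fails = []
        if st.detailed:          # other events are only recorded once the model engaged
            st.trail.append((t, kind, detail))
        return st

def run_detector(audit, **model):
    det = ModelBasedDetector(**model)
    for record in audit:
        det.feed(*record)
    return det
```

The source with one mistyped password never enters detailed audit, so the per-event processing load stays low until the model's symptoms appear.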
Static anomaly detection retains a characteristic representation or backup of the static part of the system. When, during a detection, the static part of the system differs from the former representation or backup, it is concluded that the system was attacked. Dynamic anomaly detection aims at behavior. Files describing the normal behaviors of the system and its users are established before detection; when the difference between the current behavior and the normal behavior recorded in the files exceeds a predefined threshold, it is concluded that the system was attacked.

B. Misuse Detection
Misuse detection is mainly used to detect known attack methods; it judges whether the user's behavior matches an attack method in the signature library. Obviously, misuse detection has high accuracy, but its shortcoming also comes from this feature: with the fast development of attack methods, the system can only detect new attack methods if new patterns are added to the signature library.

VIII. THE ARCHITECTURE OF INTRUSION DETECTION

Throughout the history of intrusion detection technology, its architecture has mainly taken the following forms:

A. Integrative Structure
In the early development of intrusion detection systems, an IDS mostly used a single architecture: all the work, including the collection and analysis of data, was completed on a single host by a single program. The advantage of this technique is that the centralized processing of data makes the analysis of possible intrusions more accurate. The disadvantage is that the centralized processing of data makes that host a bottleneck of network security; when it fails or is attacked, there is no guarantee for the security of the whole network. In addition, this way of gathering data is very difficult to achieve for a large network. The drawbacks of a centralized intrusion detection system mainly lie in:
1) Poor expandability. Processing all the information on a single host limits the scale of the monitored network.
2) Hard to reconfigure and add new features. The IDS usually needs to be restarted for new settings and functions to take effect.
3) The central analyzer is a single point of failure. If it is destroyed by invaders, the whole network loses its protection.

B. Distributed Structure
As intrusion detection products are applied in enterprises more and more, distributed technology is also being integrated into intrusion detection products. This kind of distributed structure uses multiple agents that separately detect intrusions in various parts of the network and process the possible intrusions. Its advantage is that it can monitor data well and detect both internal and external intrusion behavior. But this technology cannot completely solve the shortcomings of centralized intrusion detection. The current network is generally a hierarchical structure, but pure distributed detection requires the agents to be distributed in the same layer: if the layer is too low, it cannot detect intrusions aimed at the upper layer; if the layer is too high, it cannot detect intrusions aimed at the lower layer. At the same time, since each agent does not have the whole picture of the network data, it cannot accurately judge certain attacks and is easily hit by attacks aimed at the IDS itself, such as IP fragmentation.

C. Layered Structure
Because of the restriction of single-host resources and the distribution of attack information, many detection units must work together on high-layer attacks, and the detection unit is generally an intelligent agent. Therefore, recent intrusion detection architectures have begun to use a layered hierarchy to detect intrusions that are becoming more and more complex, as shown in Figure 2.

Figure 2 (layered structure; the figure is not reproduced on this page)

In this kind of system, the lowest-layer agents are responsible for collecting all the basic information; they simply process this information and complete simple judgments and processing. Their characteristics are fast speed, high efficiency and large data volume, but they can only detect some simple attacks. The middle-layer agent is a link between the layer below it and the layer above it: on the one hand, it accepts and processes the data processed by the lower nodes; on the other hand, it contacts the upper layer, judges, and outputs results to the upper nodes, which enhances the scalability of the system. The top node is mainly responsible for management and coordination as a whole. In addition, the node hierarchy can be dynamically adjusted according to the requirements of the environment, in order to implement dynamic configuration of the system.

IX. THE DEVELOPMENT DIRECTION OF INTRUSION DETECTION

With the rapid development of network technology, intrusion technology has also developed day by day. Switching technology and data communication through encrypted channels make the methods of network data gathering defective. Moreover, huge traffic brings new requirements for data analysis. The development directions of intrusion detection technology mainly include the following:

A. Distributed Intrusion Detection Architecture
The traditional IDS is limited to a single host or network architecture, which is obviously insufficient for heterogeneous systems and large-scale network detection, and different IDS systems cannot work together. Therefore, it is necessary to develop a distributed intrusion detection architecture.

B. Application Layer Intrusion Detection
Many semantics of intrusion can only be understood by the application, but the current IDS can only detect general protocols such as the Web; it cannot deal with other application systems such as Lotus Notes or database systems.

C. Intelligent Intrusion Detection
Intrusion methods become more and more diversified and comprehensive. Although intelligent agents, neural networks and genetic algorithms are now applied in intrusion detection technology, these are just tentative research work; we still need further research on intelligent IDS to improve its abilities.

D. The Self-protection of Intrusion Detection Systems
Once the intrusion detection system is controlled by invaders, the security of the whole system faces the danger of collapse. So how to prevent invaders from undermining the functions of the intrusion detection system will remain a question for a long time.

E. The Evaluation Method of Intrusion Detection
Users need to evaluate many IDSs; the evaluation indexes include the detection range of the IDS, its occupation of system resources and its own reliability. Designing a platform for evaluating or testing IDSs, to implement the testing of various IDS systems, has become another important research and development field of current IDS.

X. CONCLUSION

As network security issues have become increasingly salient, the development of intrusion detection has greatly increased, and it has already begun to play a key role in various environments. Predictably, the development of intrusion detection technology has important significance and profound influence for network applications. The future development direction of IDS will be the intelligent distributed intrusion detection system. How to develop an IDS with self-owned intellectual property will become an important task in the field of information security for China.
