
Graduate student: 張勁為 (Chang, Chin-Wei)
Thesis title: The Study and Implementation of Intrusion Detection and Security Policy Management System Based on Network Topology (original Chinese title: 以網路環境為基礎的入侵偵測及安全政策監控系統之研究與實作)
Advisor: 賴溪松 (Laih, Chi-Sung)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Electrical Engineering
Year of publication: 2007
Graduation academic year: 95 (ROC calendar)
Language: English
Number of pages: 103
Chinese keywords: Signature-based Intrusion Detection System, Network Topology, Distributed Intrusion Detection System, Rule Reduction
English keywords: Signature-based IDS, Network Topology, Distributed IDS, Reducing Rules
Access statistics: 65 views, 3 downloads
Abstract (translated from the Chinese): With the rapid development and spread of the Internet, today's society has become inseparable from the network, and the threat and damage caused by all kinds of network attacks and intrusions have become correspondingly more serious. Network security devices have therefore long been a necessary part of any network deployment. Among these devices, the intrusion detection system is responsible for detecting attacks, intrusions and abnormal behaviour, and among intrusion detection systems the signature-based kind is the most common and achieves a good detection rate. However, as the kinds of attacks and intrusion methods grow, a signature-based IDS must keep adding matching rules. As the rules grow, the system needs more disk space and memory to store them; because more rules have to be matched, matching speed may drop and the CPU load may rise.
In this thesis we therefore propose and implement a method that uses network topology data to reduce the matching rules, and use it to design a distributed intrusion detection architecture in which the number and placement of IDS nodes across the whole environment balance the total number of rules against the average number of rules per node. Finally, we run several experiments to evaluate and validate the system. The results show that the system removes a large number of rules unrelated to the environment with only a slight drop in detection rate, effectively reducing the load on the IDS and extending its useful life.

Abstract (English): With the rapid development and popularization of the Internet, people rely on it more and more; today industry, commerce, government, the military and even individuals are inseparable from the network, which makes the damage and threat of attacks and intrusions more noticeable. Network security devices have therefore become essential when deploying a network. One of these devices, the Intrusion Detection System (IDS), detects all kinds of attacks, intrusions and anomalous behaviour; among the various kinds of IDS, signature-based IDS is the most common and also achieves a high detection rate. However, as attack types and intrusion methods increase, a signature-based IDS must add detection rules to avoid false negatives. As the rules grow, the system consumes more memory and disk space to store them; detection time also increases and the CPU may become overloaded.
For these reasons, we propose and implement a system that reduces the rules using network topology data, and on top of it design a distributed intrusion detection architecture in which the number of IDS nodes and the average number of detection rules per node are both kept small. Finally, we evaluated and verified the system in several experiments; the results show that it removes a large number of unrelated rules without much increase in false negatives.

Table of contents:
Chapter 1. Introduction, p. 1
1.1 Motivation, p. 3
1.2 Contribution, p. 6
1.3 Thesis Organization, p. 8
Chapter 2. Background Knowledge, p. 9
2.1 Network Topology, p. 9
2.2 Trace route, p. 12
2.3 Network Scanner, p. 15
2.4 Intrusion Detection System, p. 21
2.4.1 Snort, p. 29
Chapter 3. System Design, p. 39
3.1 Design Purpose and System Overview, p. 39
3.2 Major Modules in System, p. 42
3.3 System Architecture, p. 45
Chapter 4. System Implementation, p. 47
4.1 Network Topology Module, p. 47
4.2 Security Policy Module, p. 57
4.3 Detection Module, p. 79
4.4 Database, p. 79
4.5 Flow Statistic Module, p. 81
4.6 User Interface, p. 82
Chapter 5. Evaluation, p. 83
5.1 Performance Evaluation, p. 83
5.1.1 Experiment Environment, p. 84
5.1.2 Experiment Results, p. 90
5.2 Discussion, p. 94
Chapter 6. Conclusions and Future Work, p. 97
References, p. 99
Vita, p. 102


Availability: on campus, public from 2008-07-20; off campus, public from 2008-07-20