Abstract: A distributed intrusion detection and response cooperation model is proposed. In this model, a cooperation agent is designed that performs correlation analysis on the detection results from the individual intrusion detection agents and combines them with the alert messages received from the cooperation agents of other domains in order to detect complex intrusion behaviour. The IDMEF message exchange format is extended, XML documents are used to represent the messages exchanged among the intrusion detection components, and cooperation agents cooperate with one another by exchanging XML messages. The concept of a degree of suspicion is proposed, and all suspicious activities and intrusions that are discovered are reported to the monitoring component so that they can be isolated and monitored promptly.
Keywords:
Intrusion detection; Cooperation; Agent; XML; DOM
Abstract: A distributed intrusion detection and response cooperation model is proposed. In the model, cooperation agents correlate the detection results received from the detection agents and from the cooperation agents of other domains to detect complex intrusions. To facilitate communication between the different components, the intrusion detection message exchange format (IDMEF) is extended and applied to represent the messages exchanged among the intrusion detection components. In addition, cooperation agents cooperate with one another by exchanging XML messages. A new concept, suspicion, which indicates the degree to which an activity is suspected, is proposed, and all suspected activities and detected intrusions are reported to the monitors for isolation and monitoring.
Key words:
Intrusion detection; Cooperation; Agent; XML; DOM
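An added example, not code from the paper, of how a cooperation agent could correlate extended IDMEF alerts from its own domain and from other domains using DOM parsing. The `<Suspicion degree>` element, the `domain` attribute, the constructed sample alerts and the noisy-OR combination rule are all assumptions, since the abstract gives no schema for the extension.

```python
from collections import defaultdict
from xml.dom import minidom

# Constructed sample alerts. Alert/Source/Node/Address/Classification follow
# IDMEF; the <Suspicion degree="..."> element and the domain attribute are
# assumptions standing in for the paper's extension (schema not given).
SAMPLE_ALERTS = [
    '<IDMEF-Message version="1.0"><Alert messageid="a1" domain="lab">'
    '<Source><Node><Address category="ipv4-addr"><address>10.0.0.5</address>'
    '</Address></Node></Source><Classification text="port scan"/>'
    '<Suspicion degree="0.4"/></Alert></IDMEF-Message>',
    '<IDMEF-Message version="1.0"><Alert messageid="b7" domain="dept-b">'
    '<Source><Node><Address category="ipv4-addr"><address>10.0.0.5</address>'
    '</Address></Node></Source><Classification text="ssh brute force"/>'
    '<Suspicion degree="0.5"/></Alert></IDMEF-Message>',
    '<IDMEF-Message version="1.0"><Alert messageid="a2" domain="lab">'
    '<Source><Node><Address category="ipv4-addr"><address>192.168.1.9</address>'
    '</Address></Node></Source><Classification text="icmp flood"/>'
    '<Suspicion degree="0.3"/></Alert></IDMEF-Message>',
]


def parse_alert(xml_text):
    """Extract (domain, source address, classification, suspicion degree)."""
    alert = minidom.parseString(xml_text).getElementsByTagName("Alert")[0]
    addr = alert.getElementsByTagName("address")[0].firstChild.data.strip()
    cls = alert.getElementsByTagName("Classification")[0].getAttribute("text")
    susp = alert.getElementsByTagName("Suspicion")
    # An unextended IDMEF alert carries no degree; treat it as not suspicious.
    degree = float(susp[0].getAttribute("degree")) if susp else 0.0
    return alert.getAttribute("domain"), addr, cls, degree


def correlate(messages, threshold=0.6):
    """Combine per-source suspicion across domains (noisy-OR) and select the
    sources whose combined degree reaches the threshold for the monitor."""
    score = defaultdict(float)
    evidence = defaultdict(list)
    for msg in messages:
        domain, addr, cls, degree = parse_alert(msg)
        # Independent evidence: 1 - prod(1 - d_i), so two weak alerts from
        # different domains can add up to one report worth isolating.
        score[addr] = 1.0 - (1.0 - score[addr]) * (1.0 - degree)
        evidence[addr].append(f"{domain}:{cls}")
    report = {a: evidence[a] for a, s in score.items() if s >= threshold}
    return dict(score), report


if __name__ == "__main__":
    scores, to_monitor = correlate(SAMPLE_ALERTS)
    print(scores)        # 10.0.0.5 -> 0.7, 192.168.1.9 -> 0.3
    print(to_monitor)    # only 10.0.0.5 is reported to the monitor
```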
DONG Xiaomei, YU Ge. Study on a Distributed Intrusion Detection and Response Cooperation Model [J]. Computer Engineering (计算机工程), 2006, 32(6): 151-153.
DONG Xiaomei, YU Ge. Study on Intrusion Detection and Response Cooperation Model[J]. Computer Engineering, 2006, 32(6): 151-153.