
The Design And Implementation Of An Adaptive Network Intrusion Prevention System

Posted on: 2013-02-23
Degree: Master
Type: Thesis
Country: China
Candidate: F Liu
GTID: 2248330371467576
Subject: Information security

Abstract/Summary:
Compared with a traditional network security scheme consisting of firewalls and an intrusion detection system, an intrusion prevention system (IPS) can provide active, real-time security protection: it automatically blocks various types of attack traffic in real time, especially application-level threats, and thus builds up a dynamic security protection system. It should also be noted, however, that an IPS can become a network bottleneck, so research on improving system performance is undoubtedly important. At present, most studies of IPS performance optimization are devoted to improvements on the detection data, while the information provided by the protected subnet has not been put to good use.

First, the thesis proposes a design model for a Network Intrusion Prevention System (NIPS) whose main feature is adaptive learning and response, manifested in two aspects: (1) it automatically learns characteristics of the protected subnet, such as operating system type and IP address mapping, and uses them to select the rule set dynamically, reducing the processing time of a single data packet and improving system performance; (2) after an intrusion is detected, it automatically takes appropriate blocking measures, which are cancelled when the predetermined aging time ends. This lets the system maintain stable network performance even under high-speed attack traffic.

Second, based on the design model above, the thesis provides an implementation of an NIPS that uses the Linux operating system as its platform and combines the Netfilter/Iptables firewall with the Snort intrusion detection system. It achieves not only the basic function of blocking attack packets in real time but also adaptive response and learning. The system is deployed in series at the boundary between the internal and external networks and works in transparent bridge mode, so it does not affect the existing network topology.

Experimental results show that, compared with an ordinary NIPS, this system greatly improves data packet processing speed.
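The two adaptive mechanisms described in the abstract can be modelled in a few lines. This is an added sketch, not code from the thesis: the class `AdaptiveNips`, the rule tuples, the IP-to-OS table and the `triggers_sid` stand-in for the detection engine are all assumptions made for illustration.

```python
import time

# Constructed sample rules: (sid, target OS or "any", description).
RULES = [
    (1001, "windows", "SMB exploit attempt"),
    (1002, "linux", "Samba exploit attempt"),
    (1003, "any", "SQL injection in HTTP request"),
]

class AdaptiveNips:
    def __init__(self, aging_seconds, clock=time.monotonic):
        self.aging = aging_seconds
        self.clock = clock      # injectable so expiry can be tested
        self.host_os = {}       # learned: protected IP -> OS type
        self.blocked = {}       # attacker source IP -> block expiry time

    def learn_host(self, ip, os_type):
        self.host_os[ip] = os_type.lower()

    def rules_for(self, dst_ip):
        # Unknown destination: keep the full rule set rather than guess.
        os_type = self.host_os.get(dst_ip)
        if os_type is None:
            return list(RULES)
        return [r for r in RULES if r[1] in ("any", os_type)]

    def is_blocked(self, src_ip):
        expiry = self.blocked.get(src_ip)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self.blocked[src_ip]    # aging time ended: lift the block
            return False
        return True

    def handle(self, src_ip, dst_ip, triggers_sid=None):
        # triggers_sid stands in for the detection engine: the rule this
        # packet would match if that rule is loaded for the destination.
        if self.is_blocked(src_ip):
            return "drop"               # dropped without rule matching
        loaded = {r[0] for r in self.rules_for(dst_ip)}
        if triggers_sid in loaded:
            self.blocked[src_ip] = self.clock() + self.aging
            return "drop"
        return "accept"
```

In this model a packet matching sid 1001 sent to a host learned as Linux is accepted because that rule is not loaded, so a wrong or stale OS mapping silently removes detection coverage.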
Keywords/Search Tags:network security, intrusion prevention, access control, intrusion detection, adaptive system