
The Analysis, Compare And Improvement Of Detection Method Of Network Intrusion Detection System

Posted on: 2004-02-19
Degree: Master
Type: Thesis
Country: China
Candidate: W Cheng
GTID: 2168360092990842
Subject: Cryptography
Abstract/Summary:
With the rapid development of computers and networks, and as more and more companies and users go online, network security has become a problem that cannot be avoided. The firewall is traditionally the first line of defense. A single firewall can no longer protect a network, because attackers have ever richer knowledge and their evasion tools and techniques keep growing more complex. A deep, multi-layered approach is necessary. Against this background, intrusion detection has been an active research field since the 1980s. The Intrusion Detection System (IDS) emerged as an important component for detecting illicit activity aimed at computers and networks and for preventing damage to them.

Because networks are growing at an extraordinary rate and network technology changes quickly, large-scale networks and 1000 Mbps Ethernet have appeared. Current NIDS can hardly keep up with network speed, so conventional detection methods face a serious challenge.

First, the thesis presents the model, components, categories, trends and problems of IDS, and then introduces pattern matching, which is widely applied, from the aspects of theory and technology. The principles and performance data of three pattern matching algorithms, BM, BMH and AC_BM, are discussed in detail. The first two algorithms are implemented in code. Taking Snort as an example, the thesis then analyzes the problems and bottlenecks of pattern matching. Two new algorithms that address these problems are then presented. The first is a preprocessing algorithm that reduces superfluous comparisons. The second, improved algorithm uses bitwise techniques and adopts the bad character rule of the BM algorithm. This algorithm is very fast in practice. Pseudo-code for both algorithms is given.

Secondly, the thesis discusses protocol analysis, the 3rd generation intrusion detection technology. The theory of protocol analysis is set out. By explaining how the Nimda virus invades computers and servers, the thesis shows why protocol analysis can detect the Nimda virus. It then lists the advantages that pattern matching cannot offer.

Finally, the two methods, pattern matching and protocol analysis, are contrasted from multiple angles and at multiple levels, in light of the heated dispute in the intrusion detection field. The thesis reaches its conclusion through calm analysis and objective generalization. At the end of the thesis, following the trend of NIDS, a model suited to current conditions is proposed. This model suggests integrating the two detection methods into a NIDS so that each can show its own advantages in detecting intrusions.
Keywords/Search Tags: Intrusion Detection, NIDS (Network Intrusion Detection System), pattern match, protocol analysis