Study About Intrusion Detection System On The Basis Of Protocol Analysis

Posted on: 2005-11-28
Degree: Master
Type: Thesis
Country: China
Candidate: J Xu
GTID: 2168360125464951
Subject: Computer application technology

Abstract/Summary:
Protocol analysis, which starts from the inherent regularity of network communication protocols, is a relatively advanced detection technique at present. It overcomes some fundamental defects of traditional pattern matching, and it is a research focus in the intrusion detection field. This thesis studies network intrusion detection using protocol analysis. Based on the intrusions actually seen in a LAN, the thesis builds an intrusion detection system that uses protocol analysis to detect the intrusions that appear relatively frequently in that LAN.

The data collection part of the system is implemented with network monitoring in an Ethernet environment, the detection part with protocol analysis, and the result handling part by raising alarms.

The thesis covers three classes of intrusion and attack: those using HTTP, those using TCP, and those using ICMP. For HTTP, the targets studied are URL address deception using hex encoding and repeated hex encoding. For TCP, the targets are TCP SYN Scanning and TCP SYN Flooding. For ICMP, the targets are Ping Scanning, Ping Stealth Scanning, Smurf Attacking and Stealth Port Scanning.

The results show that:

(1) Among intrusions that use HTTP, address deception is common because it can avoid detection by an IDS. This kind of intrusion cannot, however, avoid detection by an IDS that uses protocol analysis.

(2) Among intrusions that use TCP, scanning and denial-of-service actions that exploit the three-way handshake are common. Their characteristics are dynamic, because they depend on a series of packets from beginning to end. An IDS using traditional pattern matching therefore cannot detect these actions effectively, but an IDS using protocol analysis can.

(3) Among intrusions that use ICMP, the actions usually use the Echo Reply, Echo and Destination Unreachable messages for scanning or denial of service. By following the encapsulation and the protocol regularity of the network protocols, an IDS using protocol analysis detects these intrusions accurately and quickly.

In short, protocol analysis improved the detection speed of the IDS, reduced its consumption of system resources, lowered the frequency of false alarms, and gave an obvious improvement in performance.
Keywords/Search Tags: Intrusion Detection System, the Protocol Analysis Technology, the Pattern Match Technology, Network Protocol
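
The contrast drawn in result (1), as an added example that is not code from the thesis: a raw pattern match misses a hex-encoded and a repeatedly hex-encoded URL, while decoding the URI field of the HTTP request line first finds both. The signature path, the decode limit, the alert names and the sample requests are all constructed for illustration.

```python
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 5              # assumption: bound on nested hex encodings
SIGNATURE = "/cgi-bin/test.cgi"    # constructed signature, not from the thesis
PCT = re.compile(r"%[0-9A-Fa-f]{2}")

def parse_request_line(line):
    """Split 'METHOD SP URI SP VERSION' as the HTTP grammar defines it."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    return parts[0], parts[1], parts[2]

def normalize_path(uri):
    """Drop the query, then undo hex encoding until the path is stable.
    Returns (decoded_path, number_of_decode_rounds)."""
    path = uri.split("?", 1)[0]
    rounds = 0
    while PCT.search(path) and rounds < MAX_DECODE_ROUNDS:
        path = unquote(path, encoding="latin-1")
        rounds += 1
    return path, rounds

def pattern_match(line):
    """Traditional approach: look for the signature in the raw line."""
    return SIGNATURE in line

def protocol_analysis(line):
    """Decode the URI field first, then match; also report encoding depth."""
    _, uri, _ = parse_request_line(line)
    path, rounds = normalize_path(uri)
    alerts = []
    if SIGNATURE in path:
        alerts.append("signature")
    if rounds >= 2:                # "reusing HEX code": encoded more than once
        alerts.append("repeated-hex-encoding")
    return alerts

# Constructed sample requests.
SAMPLES = {
    "plain":  "GET /cgi-bin/test.cgi HTTP/1.0",
    "hex":    "GET /cgi-bin/%74est.cgi HTTP/1.0",
    "rehex":  "GET /cgi-bin/%2574est.cgi HTTP/1.0",
    "benign": "GET /index.html?q=%20a HTTP/1.0",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, pattern_match(req), protocol_analysis(req))
```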