
Research And Implementation Of High-speed Network Security Monitoring System

Posted on: 2004-02-18
Degree: Master
Type: Thesis
Country: China
Candidate: T Zheng
Full Text: PDF
GTID: 2168360152457015
Subject: Computer Science and Technology
Abstract/Summary:
With the development of computer networks, network security problems have become increasingly prominent, and network intrusions have become more and more serious. At present there are no effective means of locating and confirming intrusion events that have already happened, so it is difficult to block network attacks or to form a strong deterrent against attackers. In these circumstances, government and national defense information systems have an urgent need for network security monitoring. Current network security monitoring systems are deficient in high-speed packet capture and in the analysis of massive volumes of alerts, so a new High-speed Network Security Monitoring System (HNSMS) is urgently needed to monitor high-speed networks.

High-speed packet capture and alert fusion are the core technologies of network security monitoring; they are the basis for the analysis of, warning about, and counterattack against network intrusions. The thesis focuses on these two core problems of HNSMS, high-speed packet capture and alert fusion, and aims to make four major contributions.

Firstly, a general design of HNSMS based on the characteristics of high-speed network security monitoring is put forward, together with several useful ideas: capture of key points, separation of intrusion detection from storage, and separate storage in the file system and in the database. The system effectively solves the capture, storage and analysis of high-speed packets, and it is efficient, transparent, robust and scalable.

Secondly, a sub-system for capturing and storing high-speed packets, designed for the rapid growth of network traffic, is designed and implemented. It effectively improves the packet capture ability of a single PC by means of zero copy, and applies a load balancing algorithm based on a detachment field. The algorithm guarantees the integrity of each TCP stream while still balancing the load, and thus reduces the false negatives of the intrusion detection system.

Thirdly, an analysis system is designed and implemented, and a visual model for alert fusion is presented and implemented. The model better solves the problems of alert management, false positives and false negatives. On top of alert fusion, an algorithm for evaluating the attack severity of alerts is presented.

The final contribution of the thesis is the performance testing of packet capture, data loading and alert fusion. Test results show that packet length is the main factor in packet capture performance. The system uses the batch loading of SQLLDR, provided by the Oracle client, to improve the speed of data loading, and uses alert fusion to greatly reduce false positives.

Part of the work in this thesis has been applied in "Network Intrusion Detection, Warning and Security Management Technology" (an 863 Project), which laid the foundation for the successful examination of that project. The system is efficient, transparent, robust and scalable.
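The abstract does not say how the detachment-field algorithm works, only that it balances load while keeping each TCP stream whole. The following added example (not the thesis's code) illustrates that property with a direction-independent flow hash over the TCP 4-tuple, which is an assumed technique, and compares it with naive round-robin distribution, which spreads one connection across several sensors so that no single IDS instance can reassemble the stream. The packets are constructed sample data.

```python
import hashlib
from collections import defaultdict

# Constructed sample packets: two TCP connections (A and B), each with packets
# in both directions. Fields: src_ip, dst_ip, src_port, dst_port, label.
PACKETS = [
    ("10.0.0.5", "192.0.2.10", 40001, 80, "A1"),  # conn A, client -> server
    ("192.0.2.10", "10.0.0.5", 80, 40001, "A2"),  # conn A, server -> client
    ("10.0.0.5", "192.0.2.10", 40001, 80, "A3"),
    ("10.0.0.7", "192.0.2.10", 40002, 80, "B1"),  # conn B, client -> server
    ("192.0.2.10", "10.0.0.7", 80, 40002, "B2"),  # conn B, server -> client
    ("10.0.0.7", "192.0.2.10", 40002, 80, "B3"),
]

def flow_key(pkt):
    """Direction-independent TCP 4-tuple: order the two endpoints so that the
    client->server and server->client packets of one connection share a key."""
    src_ip, dst_ip, src_port, dst_port, _ = pkt
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (a, b) if a <= b else (b, a)

def flow_hash_sensor(pkt, n_sensors):
    """Choose the sensor from a hash of the flow key, so every packet of a
    connection (in both directions) lands on the same IDS sensor."""
    h = hashlib.sha256(repr(flow_key(pkt)).encode()).digest()
    return int.from_bytes(h[:8], "big") % n_sensors

def round_robin_sensor(index, n_sensors):
    """Naive packet-by-packet distribution: evenly balanced but stream-blind."""
    return index % n_sensors

def pick_sensor(index, pkt, n_sensors, flow_aware):
    return flow_hash_sensor(pkt, n_sensors) if flow_aware else round_robin_sensor(index, n_sensors)

def distribute(packets, n_sensors, flow_aware=True):
    """Return {sensor: [packet labels]} under the chosen policy."""
    buckets = defaultdict(list)
    for i, pkt in enumerate(packets):
        buckets[pick_sensor(i, pkt, n_sensors, flow_aware)].append(pkt[4])
    return dict(buckets)

def split_streams(packets, n_sensors, flow_aware=True):
    """Count connections whose packets were spread over more than one sensor.
    Each such connection cannot be reassembled by any single IDS instance,
    which is exactly the false-negative risk the abstract's algorithm avoids."""
    sensors_per_flow = defaultdict(set)
    for i, pkt in enumerate(packets):
        sensors_per_flow[flow_key(pkt)].add(pick_sensor(i, pkt, n_sensors, flow_aware))
    return sum(1 for seen in sensors_per_flow.values() if len(seen) > 1)
```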
Keywords/Search Tags: network security monitoring, high-speed packet capturing, alert fusion, load balance, attack severity