Research And Implementation Of Network-based Intrusion Detection System

Posted on: 2006-03-28
Degree: Master
Type: Thesis
Country: China
Candidate: C W Wang
Full Text: PDF
GTID: 2168360155972924
Subject: Communication and Information System
Abstract/Summary:
Network security is a systemic concept, and an effective security policy or scheme is its primary goal. Network security technology mainly covers authentication, data encryption, access control, security auditing and so on. Intrusion detection is one of the key technologies of security auditing and an important component of network security. As an active security technology, intrusion detection provides real-time protection against attacks from inside and outside the network as well as against misoperation. It can monitor the network without affecting network performance and improves the integrity of the network information security infrastructure. This thesis first introduces the concept and classification of IDS and indicates the significance of IDS for network security. The existing problems of IDS are discussed briefly at the same time; the key point in improving system performance is to speed up the analysis of network data packets. The NIDS is designed according to CIDF (Common Intrusion Detection Framework). The system mainly consists of five modules: a rule analysis module, a data capture module, a data analysis module, a response module and a logging module. The rule part of the NIDS takes the classical rule description language of Snort as a reference. This description language is simple, flexible, easy to extend and powerful, and can describe most intrusion behaviors. In the data capture module, WinPcap, which is designed especially for monitoring network data from application programs, is used to capture network data. Its BPF filter mechanism and the many functions built into the kernel not only enhance monitoring efficiency but also reduce development difficulty. Because WinPcap was ported from libpcap on the UNIX platform, the two share the same interface, which makes it easier to develop network agent programs for different platforms.
In the data analysis module, protocol analysis technology is adopted. It detects attacks quickly by exploiting the high regularity of protocols, so analysis efficiency is improved and the false alarms produced by simple pattern matching alone are avoided. As the key point of this thesis, the pattern matching algorithm in the detection engine of this module is discussed in depth. By comparing single-pattern matching algorithms such as BF, KMP, BM and BMH, and studying the multi-pattern WM algorithm, an optimized algorithm that combines single-pattern and multi-pattern matching and suits the system is finally designed, which greatly improves system performance. A real applicable product has not yet been achieved, but the design and results of the NIDS give the system the basic functions of intrusion detection, and there is a great improvement in data analysis efficiency compared with traditional NIDS.
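As an added illustration of the hybrid engine the abstract describes (example code written for this page, not code from the thesis), the Python sketch below stands in for the protocol analysis step by grouping constructed Snort-style rules on (protocol, port), then runs Boyer-Moore-Horspool when a group holds one pattern and a WM (Wu-Manber) search when it holds several. The rule tuple layout, the block size B = 2, and the sample rules and payloads are assumptions.

```python
def bmh_search(text: bytes, pat: bytes):
    m = len(pat)
    shift = {b: m - 1 - i for i, b in enumerate(pat[:-1])}  # BMH bad-char table
    i = 0
    while m and i + m <= len(text):
        if text[i:i + m] == pat:
            return [(i, pat)]
        i += shift.get(text[i + m - 1], m)  # skip on the window's last byte
    return []

class WuManber:
    B = 2  # block size; assumption, not a value from the thesis
    def __init__(self, pats):
        self.m = min(len(p) for p in pats)  # patterns are truncated to m bytes
        assert self.m >= self.B, "every pattern must be at least B bytes long"
        self.shift, self.table = {}, {}
        for p in pats:
            for j in range(self.m - self.B + 1):  # block p[j:j+B] ends at j+B
                blk, s = p[j:j + self.B], self.m - self.B - j
                self.shift[blk] = min(self.shift.get(blk, s), s)
            self.table.setdefault(p[self.m - self.B:self.m], []).append(p)
    def search(self, text: bytes):
        hits, i, default = [], self.m - self.B, self.m - self.B + 1
        while i + self.B <= len(text):
            blk = text[i:i + self.B]
            s = self.shift.get(blk, default)
            if s:  # this block cannot end a (truncated) pattern here: skip
                i += s
                continue
            start = i - (self.m - self.B)
            for p in self.table.get(blk, ()):  # verify each candidate in full
                if text.startswith(p, start):
                    hits.append((start, p))
            i += 1
        return hits

def build_engine(rules):
    groups = {}  # (proto, port) -> patterns, standing in for protocol decoding
    for proto, port, pat in rules:
        groups.setdefault((proto, port), []).append(pat)
    return {k: v[0] if len(v) == 1 else WuManber(v)  # 1 pattern -> BMH, else WM
            for k, v in groups.items()}

def inspect(engine, proto, port, payload: bytes):
    matcher = engine.get((proto, port), b"")  # no rule group: empty pattern, no hits
    if isinstance(matcher, bytes):
        return bmh_search(payload, matcher)
    return matcher.search(payload)

RULES = [("tcp", 80, b"/etc/passwd"), ("tcp", 80, b"cmd.exe"),  # constructed
         ("tcp", 21, b"USER anonymous")]                         # sample rules
```

Each hit is reported as (offset, pattern) so the response and logging modules can be driven from the same result list regardless of which matcher produced it.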
Keywords/Search Tags: Network security, Intrusion Detection, WinPcap, pattern match