The Research And Realization Of Network Intrusion Detection System Based On Improved WM Algorithm

Posted on: 2012-09-21 | Degree: Master | Type: Thesis
Country: China | Candidate: Y L Dong | Full Text: PDF
GTID: 2178330335450041 | Subject: Network and information security
Abstract/Summary:
With the rapid advancement of information technology, the way people communicate and share information has changed enormously. In particular, the development of computer network technology has raised resource sharing to an unprecedented level and freed information processing and transmission from the constraints of time and geography, making the globalization of information an irresistible trend. People's daily lives depend increasingly on computer networks, but the great convenience they bring has also given rise to new security threats. Because computer networks have shortcomings of their own, and because hackers study open operating systems and network security systems in depth, an attacker may bypass conventional security mechanisms and enter a system. If a hacker abuses a computer network, the consequences are unpredictable. Since the 1990s, intrusion detection technology has attracted growing and many-sided attention in the field of network security.

IDS (Intrusion Detection) technology plays an important role in network security. In contrast to static, passive defense technologies such as firewalls, it is a dynamic, proactive security technology. Intrusion detection is defined as "operating on behavior, security logs, audit data or other information available on the network in order to detect intrusions or intrusion attempts against the system". The role of intrusion detection includes deterrence, detection, response, damage assessment, attack prediction and support for prosecution. Intrusion detection is a technology designed and configured to ensure the security of computer systems and networks. It detects and reports unauthorized or unusual activity in a system, that is, behavior that violates the security policy of a computer network.

The data sources of an intrusion detection system are generally network data and system data. According to the data source, intrusion detection systems can therefore be divided into two types: host-based intrusion detection systems (Host-Based Intrusion Detection System, HIDS) and network-based intrusion detection systems (Network-Based Intrusion Detection System, NIDS).

Host-based Intrusion Detection System (HIDS): an intrusion detection program is installed on an important host. The program mainly monitors the host's system audit logs, system parameters, system configuration parameters and network connections in real time.

Network-based Intrusion Detection System (NIDS): the system is generally deployed at the more important network nodes, where it captures all packets passing through the node in real time. It then extracts features from each packet and matches them against the rules in the rule base. If a packet's features are consistent with a rule in the rule base, the intrusion detection system concludes that an intrusion has occurred and issues a warning.

An IDS can analyze packets in various ways. According to the data analysis method and detection mechanism, intrusion detection systems can therefore be divided into two types: anomaly detection intrusion detection systems (Anomaly Detection Intrusion Detection System, ADIDS) and misuse detection intrusion detection systems (Misuse Detection Intrusion Detection System, MDIDS).

Anomaly detection: assumes that all intrusions differ from normal behavior. A profile of the characteristics of normal activity is established, and once a subject's activity departs from this statistical regularity it is regarded as suspicious behavior. The key to the technique is the choice of features and of anomaly thresholds. Its advantage is that it can detect new types of intrusion; its disadvantage is that it is prone to false positives.

Misuse detection: assumes that all intrusion behaviors and methods (and their variants) can be extracted and expressed as a pattern or feature. The system's main goal is to test whether observed activity conforms to these patterns or features. The key is how to extract and express intrusion patterns so that real intrusions are distinguished from normal behavior. The extraction and expression of intrusion patterns therefore directly affect the detection capability of the intrusion detection system. The advantage of misuse detection is fewer false positives; its drawback is that it only covers the known attacks in its library, and its complexity increases as the number of attacks increases.

This thesis studies network-based intrusion detection systems (NIDS) and misuse detection in depth. In a laboratory LAN environment, on the Windows 7 operating system platform, and with reference to the overall design concept of the open-source network intrusion detection system Snort, it implements an intrusion detection system, including the detailed design and implementation of the packet capture and analysis module, the detection engine, and the log and alarm output module. To improve the performance of the detection engine module, the thesis also analyzes and studies the WM multi-pattern matching algorithm in depth.

When the classic single-pattern BM matching algorithm is applied in an intrusion detection system, its efficiency drops when processing large volumes of network packets. To address this defect, the thesis uses an improved WM algorithm in the detection engine of the network intrusion detection system, with the aim of increasing the speed at which the system processes very large rule sets. The WM algorithm draws extensively on the ideas of the BM algorithm, with changes designed for the specific characteristics of multi-pattern matching. The algorithm uses hashing and an efficient filtering method to reduce match collisions. It also uses a prefix table to filter out invalid pattern strings, which further improves the efficiency of the matching process. To further improve the overall performance of the WM algorithm, this thesis adds a fourth table, a suffix table, to the three tables of the original WM algorithm. This filters out more invalid pattern strings, improves the algorithm's matching rate and reduces matching time.
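The three-table WM (Wu-Manber) matching that the abstract describes, as an added example that is not code from the thesis: a SHIFT table for skipping, a HASH table keyed on the last block of the window, and a prefix filter applied before the full comparison. The block size `B`, the function names and the sample patterns and payload are assumptions made here; the thesis's fourth (suffix) table is not specified on this page and is not implemented.

```python
from collections import defaultdict

B = 2  # block size for SHIFT/HASH keys (assumed here; not given in the abstract)

# Constructed sample data, for illustration only.
PATTERNS = [b"/etc/passwd", b"cmd.exe", b"<script>"]
PAYLOAD = b"GET /a?f=../../etc/passwd&x=cmd.exe HTTP/1.1"

def build_tables(patterns):
    """Build the SHIFT, HASH and PREFIX data over the first m bytes of each pattern."""
    m = min(len(p) for p in patterns)      # window length = shortest pattern
    if m < B:
        raise ValueError("every pattern must be at least B bytes long")
    default = m - B + 1                    # safe skip for a block found in no pattern
    shift = {}
    hash_tbl = defaultdict(list)           # last block of window -> candidate patterns
    for p in patterns:
        for j in range(m - B + 1):
            blk = p[j:j + B]
            dist = m - B - j               # how far the block sits from the window end
            shift[blk] = min(shift.get(blk, default), dist)
        # PREFIX entry: the first B bytes are stored beside each candidate
        hash_tbl[p[m - B:m]].append((p[:B], p))
    return m, default, shift, hash_tbl

def wm_search(text, patterns):
    """Return sorted (offset, pattern) pairs for every occurrence in text."""
    m, default, shift, hash_tbl = build_tables(patterns)
    hits, i = [], m                        # i is the index just past the window
    while i <= len(text):
        blk = text[i - B:i]
        step = shift.get(blk, default)
        if step:                           # block is not a window ending: skip ahead
            i += step
            continue
        start = i - m
        for prefix, p in hash_tbl[blk]:
            # cheap prefix filter first; full comparison only for survivors
            if text[start:start + B] == prefix and text.startswith(p, start):
                hits.append((start, p))
        i += 1
    return sorted(hits)

if __name__ == "__main__":
    for offset, pat in wm_search(PAYLOAD, PATTERNS):
        print(offset, pat.decode())
```

Because the tables are built over the shortest pattern's length, a very short rule in the set shrinks every skip, which is why large rule sets are usually grouped before matching.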
Keywords/Search Tags: Intrusion detection, Intrusion detection systems, Pattern matching, WM algorithm