Research And Design Of IDS Based On IPv6

Posted on: 2010-07-29
Degree: Master
Type: Thesis
Country: China
Candidate: B L Li
GTID: 2178330338975883
Subject: Computer application technology

Abstract/Summary:
The IPv6 protocol, designed to overcome the defects of IPv4, is increasingly researched and deployed, and the network security of IPv6 has become a new research hotspot. Intrusion detection is an effective and widely favored security protection technique, but there are still no mature IDS products for IPv6 networks, so research on IDS based on IPv6 has important theoretical and practical significance.

This thesis analyzes the IDSs used in IPv4 networks, summarizes the security characteristics of IPv6 networks, and designs a new IDS structure for IPv6 networks, named the Mixed IPv6 Intrusion Detection System and abbreviated Mv6IDS. The scheme includes IPv6 protocol analysis technology, a mixed system, and rule-based feature-matching intrusion detection technology. The main research contents of this thesis are as follows:

1. Host-based and network-based intrusion detection systems both have shortcomings: for example, the former only monitors the protected host itself, and the latter only detects known intrusions. This thesis designs a distributed framework based on the combination of hosts and network. It is able to detect attacks in the network and also to detect abnormal situations from system logs.

2. Misuse detection is powerless against new intrusions and prone to omissions (missed detections). Anomaly detection relies too heavily on logs of the system's normal operation and is prone to false reports. Because the two technologies are complementary, this thesis adopts a mixed detection method that uses both anomaly and misuse detection to improve the recognition rate of intrusions.

3. Existing intrusion detection systems under IPv6 cannot handle packets encrypted with the ESP of the IPSec protocol, so this thesis gives a solution for detecting ESP-encrypted IPv6 packets. Based on IPv6 protocol analysis, it designs a DecodeESP function and key management and adds them to the Snort protocol analysis module. Because decrypting the data requires the communicating hosts to transmit the declassified document, the solution is mainly used in host-based intrusion detection, and this thesis implements it in the HIDS subsystem. The system designed in this thesis is implemented as an improvement of the open-source software Snort.

4. To overcome the low detection efficiency of Snort's rule-matching algorithm, an improved Boyer-Moore algorithm is proposed. By adding a step that matches the next byte of the data string, the improved algorithm increases the shift offsets during string matching and so improves matching efficiency. The algorithm is implemented successfully in the detection engine module.

In summary, the Mv6IDS of this thesis consists of an NIDS subsystem, an HIDS subsystem, a monitoring platform subsystem, a response subsystem, and a firewall linkage subsystem. In theory it improves detection efficiency, reduces the false-positive rate and the miss rate, detects encrypted data under IPv6, and enhances security and defense performance (firewall linkage etc.). This thesis implements the NIDS subsystem, the HIDS subsystem, and the response subsystem. The experiment shows that the system can detect attacks on an IPv6 network and respond to them, improves detection efficiency compared with the original Snort system, and can also detect simple IPSec-encrypted packets. This thesis provides a certain reference value for further research on intrusion detection technology in IPv6 networks.
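Point 3 of the abstract turns on where ESP sits in the IPv6 header chain. The Python example below is added here and is not code from the thesis or from Snort: it walks the Next Header chain of two constructed packets and shows that, once the walk reaches ESP, a sensor without keys can read only the SPI and sequence number. The names `walk_ipv6`, `build` and `dest_opts` and both sample packets are assumptions made for illustration.

```python
import struct

# Extension headers sharing the (next header, hdr ext len) layout of RFC 8200.
GENERIC_EXT = {0: "hop-by-hop", 43: "routing", 60: "dest-opts"}
FRAGMENT, ESP, AH = 44, 50, 51

def walk_ipv6(pkt: bytes) -> dict:
    """Follow the Next Header chain and report what a sensor can still inspect."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = pkt[6], 40, []
    while nxt in GENERIC_EXT or nxt in (FRAGMENT, ESP, AH):
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == ESP:
            # Only SPI and sequence number are cleartext; the real next-header
            # value sits in the encrypted ESP trailer, so the walk ends here.
            spi, seq = struct.unpack_from("!II", pkt, off)
            return {"chain": chain + ["esp"], "spi": spi, "seq": seq,
                    "proto": None, "payload": pkt[off + 8:]}
        if nxt == FRAGMENT:
            name, size = "fragment", 8                   # fixed-size header
        elif nxt == AH:
            name, size = "ah", (pkt[off + 1] + 2) * 4    # length in 32-bit words
        else:
            name, size = GENERIC_EXT[nxt], (pkt[off + 1] + 1) * 8
        chain.append(name)
        nxt, off = pkt[off], off + size
    return {"chain": chain, "spi": None, "seq": None,
            "proto": nxt, "payload": pkt[off:]}

def build(first_nh: int, body: bytes) -> bytes:
    """Constructed test packet: fixed IPv6 header + body, documentation addresses."""
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    return struct.pack("!IHBB", 0x60000000, len(body), first_nh, 64) + src + dst + body

def dest_opts(next_header: int) -> bytes:
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])    # 8 bytes, one PadN option

# Constructed samples: the same option header in front of UDP and in front of ESP.
udp = struct.pack("!HHHH", 5000, 53, 8 + 7, 0) + b"example"
CLEAR = build(60, dest_opts(17) + udp)
SEALED = build(60, dest_opts(ESP) + struct.pack("!II", 0x1001, 7) + bytes(range(16)))

if __name__ == "__main__":
    for label, pkt in (("clear", CLEAR), ("esp", SEALED)):
        r = walk_ipv6(pkt)
        print(label, r["chain"], r["proto"], r["spi"], len(r["payload"]))
```

For the ESP packet the returned `proto` is `None`: rule matching on the upper-layer payload is only possible after decryption, which is why the abstract places that step on the host.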
Keywords/Search Tags: IPv6, Intrusion Detection System, Protocol Analysis, Pattern Matching, Snort, mixed intrusion detection