
Research And Implementation Of Embedded Intrusion Prevention System

Posted on: 2010-03-06
Degree: Master
Type: Thesis
Country: China
Candidate: P He
Full Text: PDF
GTID: 2178330338976252
Subject: Computer application technology
Abstract/Summary:
The rapid development of the Internet enriches society and makes daily life more convenient, but at the same time security problems are becoming more serious. As the Internet fuses ever more tightly with real life, an underground industry profits from network attacks and in turn harms real life, so researchers are paying increasing attention to security technology. Intrusion prevention is an emerging network security technology that grew mainly out of intrusion detection and combines it with the traditional firewall. It protects the network with an active security model, overcoming the limitations of static protection and passive detection.

To meet the requirements of the model designed below, this thesis proposes a new alert analysis algorithm that improves on the typical algorithms based on alert similarity and on statistical causal analysis. The algorithm uses alert classification instead of alert prioritization, which reduces the dependence on prior knowledge and simplifies the causal analysis.

Following the principle of defense in depth, this thesis studies and implements a distributed intrusion prevention system model named EBDIPS to meet the dynamic protection requirements of small and medium-sized networks. First, in the design of the prevention mechanism, linkage prevention and built-in prevention are combined into a two-tier architecture. Second, in the design of the detection mechanism, three event types are defined (intrusion, suspicious and normal) so that false positives do not degrade availability. Built-in prevention is implemented by an embedded prevention unit deployed in front of each host; the unit inspects the traffic entering and leaving that host, blocks intrusion events and raises alerts for suspicious ones.

Linkage prevention is implemented by applying the alert analysis algorithm, which aggregates similar alerts, rebuilds the attack scenario and then extracts attacker information for filtering by the boundary blocking module. Finally, the embedded prevention unit and the new algorithm are tested. The results show that aggregation reduces the number of alerts while the attack scenario is correctly rebuilt according to the correlation rules, which improves the accuracy of the boundary blocking module.
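The following is an added illustration of the linkage pipeline the abstract describes, not the EBDIPS code from the thesis: alerts raised by the per-host units are first merged by similarity, then chained per attacker into a scenario using prerequisite rules, and only sources whose scenario spans several stages are handed to the boundary blocking module. The alert class taxonomy (scan, exploit, c2), the prerequisite rules, the 60-second merge window and the sample alerts are all constructed assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Alert:
    ts: int      # seconds since start of capture
    src: str     # attacker address as seen by the host's prevention unit
    dst: str     # protected host
    cls: str     # alert class; the scan/exploit/c2 taxonomy is an assumption
    event: str   # "intrusion" (blocked on the host) or "suspicious" (alert only)


@dataclass
class Aggregate:
    src: str
    dst: str
    cls: str
    first: int
    last: int
    count: int = 1


# Assumed correlation rules: each later stage presupposes an earlier one.
PREREQ = {"exploit": "scan", "c2": "exploit"}
WINDOW = 60  # seconds; similar alerts closer than this are merged (assumption)


def aggregate(alerts):
    """Merge alerts sharing (src, dst, cls) and arriving within WINDOW seconds
    of the previous one into a single aggregate carrying a counter."""
    groups = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for g in groups:
            if (g.src, g.dst, g.cls) == (a.src, a.dst, a.cls) and a.ts - g.last <= WINDOW:
                g.last, g.count = a.ts, g.count + 1
                break
        else:
            groups.append(Aggregate(a.src, a.dst, a.cls, a.ts, a.ts))
    return groups


def rebuild_scenarios(groups):
    """Per attacker, chain aggregates in time order using PREREQ. A stage whose
    prerequisite was never seen restarts the chain, so an isolated alert never
    inherits the weight of a multi-stage attack."""
    by_src = defaultdict(list)
    for g in groups:
        by_src[g.src].append(g)
    scenarios = {}
    for src, gs in by_src.items():
        chain = []
        for g in sorted(gs, key=lambda x: x.first):
            pre = PREREQ.get(g.cls)
            if pre is not None and pre not in chain:
                chain = []          # prerequisite missing: start a new chain
            if g.cls not in chain:
                chain.append(g.cls)
        scenarios[src] = chain
    return scenarios


def boundary_block_list(scenarios, min_stages=2):
    """Sources whose rebuilt scenario spans at least min_stages stages are
    handed to the boundary blocking module; single-stage noise is not."""
    return sorted(s for s, chain in scenarios.items() if len(chain) >= min_stages)


# Constructed sample alerts for this example (not captured data).
SAMPLE = [
    Alert(0, "10.0.0.5", "192.168.1.10", "scan", "suspicious"),
    Alert(5, "10.0.0.5", "192.168.1.10", "scan", "suspicious"),
    Alert(10, "10.0.0.5", "192.168.1.10", "scan", "suspicious"),
    Alert(15, "10.0.0.5", "192.168.1.10", "scan", "suspicious"),
    Alert(30, "10.0.0.5", "192.168.1.10", "exploit", "intrusion"),
    Alert(100, "10.0.0.5", "192.168.1.10", "c2", "intrusion"),
    Alert(50, "10.0.0.9", "192.168.1.20", "exploit", "intrusion"),
    Alert(70, "10.0.0.7", "192.168.1.30", "scan", "suspicious"),
    Alert(80, "10.0.0.7", "192.168.1.30", "scan", "suspicious"),
]


def run_example(alerts=SAMPLE):
    """Run the pipeline; returns (alerts in, aggregates out, scenarios, block list)."""
    groups = aggregate(alerts)
    scenarios = rebuild_scenarios(groups)
    return len(alerts), len(groups), scenarios, boundary_block_list(scenarios)


if __name__ == "__main__":
    n_alerts, n_groups, scen, block = run_example()
    print(f"{n_alerts} alerts -> {n_groups} aggregates")
    for src, chain in scen.items():
        print(f"  {src}: {' -> '.join(chain) or '(none)'}")
    print("boundary block list:", block)
```

On the constructed input, nine alerts collapse to five aggregates; 10.0.0.5 yields the chain scan -> exploit -> c2 and is the only source pushed to the boundary filter, while the lone exploit from 10.0.0.9 is still blocked on the host by the built-in tier but does not reach the boundary list. Restarting the chain when a prerequisite is missing is the design choice that keeps a single spurious alert from producing a boundary block.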
Keywords/Search Tags:Intrusion Detection, Intrusion Prevention System, Defense in Depth, Alert Analysis, Firewall