
Research On Network Intrusion Detection System Framework And Realization Of A General Test Platform

Posted on: 2006-06-22 | Degree: Master | Type: Thesis
Country: China | Candidate: Q Zhao | Full Text: PDF
GTID: 2178360182475247 | Subject: Computer application technology
Abstract/Summary:
The widespread application of the Internet has made it an integral part of our everyday life. However, because of its open and public nature, the security of data transported through it is not handled carefully, and it is hard to totally avoid such issues as illegal intrusion, hacking activities and leakage of confidential information. A network intrusion detection system (NIDS) is a security technology whose aim is to find any attempts to breach system confidentiality, integrity or usability. It monitors the overall status of the protected system and detects anomalous and misuse activities in terms of a predefined security policy. It can discover unauthorized network access and malicious network behavior and report intrusion attempts immediately, thus providing an effective way for the administrator to guard against intrusions.

In this paper, a hierarchical multi-layered NIDS architecture is proposed and discussed. The architecture was implemented and tested on the basis of an open source NIDS named Bro. The detection engine algorithm (the core component of a NIDS), application layer detection and a NIDS performance assessment platform are also presented and researched.

First, we examined the commonly used NIDS architectures and proposed a new multi-layered one. Every module of the newly proposed architecture is discussed, as are the interfaces between modules.

Then dozens of string matching algorithms, the core part of the detection engine, were analyzed and compared in detail. A test program was implemented to assess the efficiency and advantages of each algorithm, and the performance indices produced by the evaluation program provide a trustworthy reference for the design of a NIDS.

After that, the open source NIDS Bro is introduced with regard to its installation, configuration and extensibility. We made improvements to Bro and wrote the policy file for application layer detection.

Finally, we developed a general NIDS assessment platform. It can record and replay network data packets and can imitate hundreds of types of fake attacks according to the user's customization.
Keywords/Search Tags:Network security, Intrusion detection, Common Intrusion Detection Framework, Hierarchy, String match, Bro, Winpcap, Performance platform