
Study And Design Of Network Intrusion Detection System Based On Pattern Matching And Protocol Analysis

Posted on: 2007-05-26
Degree: Master
Type: Thesis
Country: China
Candidate: G Q Zhang
Full Text: PDF
GTID: 2178360182961116
Subject: Management Science and Engineering

Abstract/Summary:
Intrusion detection is a valuable supplement to firewalls. An Intrusion Detection System (IDS) can detect an attack before it causes any damage, and can use the alerting and protection system to expel the intrusion, which reduces the loss the intrusion causes. After an intrusion, related information can be collected and added to the protection system's knowledge. This knowledge can be kept in a knowledge library so that the same kind of intrusion does not happen again. However, the continuing growth of network scale and the constant renewal of intrusion methods require an Intrusion Detection System of higher quality.

Based on research into the current status and direction of IDS development at home and abroad, the author proposes combining pattern matching with protocol analysis. After an in-depth study of the common pattern matching methods used in IDS, the author puts forward an improved pattern matching algorithm, NMSA, introduces the latest protocol analysis methods into the network intrusion detection system so that misuse detection can be integrated with anomaly detection, and sets out in detail the model and design process of a network intrusion detection system based on pattern matching and protocol analysis. Finally, experiments show that the system is usable and has high detection effectiveness and efficiency.

This paper consists of six chapters. The first chapter is a literature review and an introduction to the issue. In chapter two the author sets up the overall framework of the network intrusion detection system based on pattern matching and protocol analysis, which includes six modules: network packet capture, rule parsing, data analysis, intrusion response, alert data storage, and the analysis and control center, and designs each module. In chapter three the author establishes the language used to describe intrusion signatures and elaborates on signature selection, the rule format, the rule options, rule parsing and so on; to address the shortcomings of the Snort rule parsing process, the author adds a width search to improve matching efficiency. In chapter four the author focuses on the fast multi-pattern algorithm NMSA and applies it in the system. In chapter five the principle of protocol analysis is discussed and the TCP/IP protocol analysis process is implemented in the design of the IDS. The technology of state protocol analysis is applied to intrusion actions whose patterns change constantly. The author constructs an analysis engine module that combines pattern matching and protocol analysis. In chapter six the experiments show that the system has high detection effectiveness, detection efficiency and usability.
Keywords/Search Tags: Intrusion Detection, Pattern Matching, Protocol Analysis, NMSA