Research And Implementation Of Network Security Monitoring And Audit System

Posted on: 2006-03-09
Degree: Master
Type: Thesis
Country: China
Candidate: J X Guan
Full Text: PDF
GTID: 2178360185463467
Subject: Computer Science and Technology
Abstract/Summary:
With the development of information technology and the spread of internet applications worldwide, the security of information systems, and network security in particular, has become increasingly important as network intrusions grow more frequent. Network security deserves more attention. Monitoring, audit and forensic technology is an important means of guarding the security and stability of information systems.

This thesis studies the following topics around the design and implementation of the Network Security Monitoring and Audit System (NSMAS).

1. Packet collection and reassembly technology

The Berkeley Packet Filter, the Libpcap library and the zero-copy mechanism are discussed. The characteristics of two packet collection methods are analyzed, and a method for resolving packet loss is given.

2. Layered organization of conversations and reappearing of packet contents

By separating logic operations from data operations and adapting to high-speed networks, an organization structure for conversation data is designed. The packet reassembly process is described, and solutions are presented for TCP packet reassembly and for dynamic conversation reappearing in the interface. Methods are put forward to reduce the efficiency loss of tree operations and to adapt to dynamic changes in the data, and the implementation of conversation reappearing for four application-layer protocols is presented.

3. Filter analysis and access control

Based on an analysis of filter rules and using an optimized matching algorithm, a universal filter analysis framework and a dynamic access control mechanism are put forward, which improve system extensibility and the efficiency of access control.

4. Design and implementation of NSMAS

A prototype of NSMAS is designed and implemented, and functional and performance tests are carried out. The results show that the system works intuitively, stably and efficiently in the target network.

Using the technology described above, a Network Security Monitoring and Audit System was completed and deployed in an important network. The system performs real-time monitoring of access to special content and can record, alert on and block specified events. It can also be applied to forensics and recovery.
Keywords/Search Tags:security monitoring, content audit, conversation reappearing, filter rule