
An NIDS Based On Protocol Analysis On The Platform Of Linux

Posted on: 2008-10-30
Degree: Master
Type: Thesis
Country: China
Candidate: H F Zhou
Full Text: PDF
GTID: 2178360212479456
Subject: Computer application technology
Abstract/Summary:
Intrusion detection systems can be divided into two types according to their source of data: host-based and network-based. A network intrusion detection system (NIDS) captures and analyzes network behaviour in real time and reacts to the result of that analysis. This thesis discusses a network intrusion detection system based on protocol analysis on the Linux platform. The main research work is as follows:

First, the concept, origin, definition and classification of network intrusion detection systems are introduced, together with the working principle of a typical NIDS. Seven modules are discussed in detail: the network packet capture module, network protocol analysis module, rule analysis module, intrusion detection module, response module, storage module and interface management module.

Several of these modules are then studied and implemented: the network packet capture module, the network protocol analysis module, the storage module and the interface management module. The packet capture module is built on the BPF (Berkeley Packet Filter) mechanism and the libpcap library, which together realise the network data capture function. The protocol analysis module decodes IP, TCP, UDP and ICMP in detail; its output is the foundation of the intrusion detection module, whose analysis methods, pattern matching and protocol analysis, are discussed. The storage module keeps the captured network data in a MySQL database. The interface management module implements the management platform with Gtk+, providing a simple, friendly graphical user interface.

Finally, in order to detect worms, an anomalous payload-based worm detection and signature generation technique is discussed. A worm's initial propagation can be detected by correlating anomalous ingress and egress payloads, and the model also enables automatic signature generation very early in the worm's propagation stage.
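The protocol analysis module described above decodes IP, TCP, UDP and ICMP headers from captured frames. The following C code is an added example, not code from the thesis; it shows the shape of such a decoder and, in particular, the length and checksum checks a capture-driven analyser needs before trusting any header field. The frame layout, the sample packet bytes and the return codes are all constructed for this illustration; the hand-computed IP checksum 0xaf18 belongs to that constructed header only. A real system would receive frames from libpcap rather than from a byte array.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Summary of one decoded frame, filled by analyze_frame(). */
typedef struct {
    uint8_t  proto;                 /* IP protocol: 1 ICMP, 6 TCP, 17 UDP */
    uint32_t src_ip, dst_ip;        /* host byte order */
    uint16_t src_port, dst_port;    /* TCP/UDP only, otherwise 0 */
    uint8_t  tcp_flags;             /* TCP only */
    uint8_t  icmp_type;             /* ICMP only */
    const uint8_t *payload;         /* start of the transport payload inside the frame */
    size_t   payload_len;
} pkt_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* RFC 1071 one's-complement sum over the IP header; a valid header yields 0. */
static uint16_t ip_checksum(const uint8_t *hdr, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += rd16(hdr + i);
    if (len & 1) sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Decode Ethernet -> IPv4 -> TCP/UDP/ICMP. Every length is checked against the captured
   length before the field is read, so a truncated or lying header cannot push the analyser
   past the buffer. Returns 0 on success, a negative (constructed) code otherwise. */
int analyze_frame(const uint8_t *frame, size_t len, pkt_info *out) {
    memset(out, 0, sizeof *out);
    if (len < 14) return -1;                        /* truncated Ethernet header */
    if (rd16(frame + 12) != 0x0800) return -2;      /* not IPv4 (no VLAN/ARP handling here) */
    const uint8_t *ip = frame + 14;
    size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4) return -3; /* truncated or not version 4 */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    size_t total = rd16(ip + 2);
    if (ihl < 20 || ihl > iplen || total < ihl || total > iplen) return -4; /* inconsistent lengths */
    if (ip_checksum(ip, ihl) != 0) return -5;       /* corrupted header */
    if (rd16(ip + 6) & 0x1fff) return -6;           /* non-first fragment: no L4 header present */
    out->proto  = ip[9];
    out->src_ip = rd32(ip + 12);
    out->dst_ip = rd32(ip + 16);
    const uint8_t *l4 = ip + ihl;
    size_t l4len = total - ihl;                     /* use IP total length, not the capture length */
    switch (out->proto) {
    case 6: {                                       /* TCP */
        if (l4len < 20) return -7;
        size_t doff = (size_t)(l4[12] >> 4) * 4;
        if (doff < 20 || doff > l4len) return -7;
        out->src_port = rd16(l4);  out->dst_port = rd16(l4 + 2);
        out->tcp_flags = l4[13];
        out->payload = l4 + doff;  out->payload_len = l4len - doff;
        break;
    }
    case 17: {                                      /* UDP */
        if (l4len < 8) return -8;
        size_t ulen = rd16(l4 + 4);
        if (ulen < 8 || ulen > l4len) return -8;
        out->src_port = rd16(l4);  out->dst_port = rd16(l4 + 2);
        out->payload = l4 + 8;     out->payload_len = ulen - 8;
        break;
    }
    case 1:                                         /* ICMP */
        if (l4len < 8) return -9;
        out->icmp_type = l4[0];
        out->payload = l4 + 8;     out->payload_len = l4len - 8;
        break;
    default:                                        /* other protocols: hand over raw L4 bytes */
        out->payload = l4;         out->payload_len = l4len;
    }
    return 0;
}

/* Constructed sample: Ethernet + IPv4 + TCP SYN, 192.168.1.10:40000 -> 10.0.0.5:80.
   The IP checksum 0xaf18 was computed for these bytes; the TCP checksum is left 0 (not verified). */
const uint8_t sample_syn[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,   /* Ethernet */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0xaf,0x18,              /* IPv4 */
    0xc0,0xa8,0x01,0x0a, 0x0a,0x00,0x00,0x05,
    0x9c,0x40,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,              /* TCP */
    0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00
};
const size_t sample_syn_len = sizeof sample_syn;

pkt_info demo_info;
int demo_decode(void)    { return analyze_frame(sample_syn, sample_syn_len, &demo_info); }
int demo_truncated(void) { return analyze_frame(sample_syn, 30, &demo_info); } /* cut inside IP header */
int demo_bad_checksum(void) {
    uint8_t copy[sizeof sample_syn];
    memcpy(copy, sample_syn, sizeof copy);
    copy[14 + 8] = 1;                               /* change TTL without fixing the checksum */
    return analyze_frame(copy, sizeof copy, &demo_info);
}

int main(void) {
    int rc = demo_decode();
    printf("rc=%d proto=%u %u -> %u flags=0x%02x payload=%zu bytes\n", rc, demo_info.proto,
           demo_info.src_port, demo_info.dst_port, demo_info.tcp_flags, demo_info.payload_len);
    printf("truncated=%d bad_checksum=%d\n", demo_truncated(), demo_bad_checksum());
    return 0;
}
```

The decoder deliberately takes the transport length from the IP total-length field after confirming it fits inside the captured bytes; using the capture length alone would let Ethernet padding be reported as payload, and trusting the header alone would let a forged length read beyond the buffer. Non-first fragments are rejected rather than decoded because their transport header is absent, which is exactly the gap fragmentation-based evasion aims at, so a production analyser would reassemble them first.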
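The worm detection approach in the last paragraph combines a payload anomaly model with ingress/egress correlation. The following C code is an added example, not the thesis's implementation: it trains a 1-gram byte-frequency model on normal traffic, scores payloads by Manhattan distance from that model, and, when an anomalous inbound payload and an anomalous outbound payload share a long common substring, reports that substring as a candidate signature. The training requests, the fake worm body (a NOP sled plus a few opcode-like bytes), the threshold 1.2 and the minimum signature length 16 are all constructed assumptions for this toy data set.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <math.h>

#define NBYTES    256
#define SLED_LEN  120
#define MAX_SIG   256
#define THRESHOLD 1.2   /* assumption: chosen by hand for the constructed data below */
#define MIN_SIG   16    /* assumption: shortest substring worth emitting as a signature */

typedef struct { double mean[NBYTES]; } payl_model;

/* Train a 1-gram payload model: the mean normalised byte histogram of normal traffic. */
void payl_train(payl_model *m, const char **payloads, size_t n) {
    memset(m, 0, sizeof *m);
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(payloads[i]);
        for (size_t j = 0; j < len; j++)
            m->mean[(unsigned char)payloads[i][j]] += 1.0 / (double)len / (double)n;
    }
}

/* Anomaly score: Manhattan distance between the payload's byte distribution and the model (0..2). */
double payl_score(const payl_model *m, const unsigned char *p, size_t len) {
    double hist[NBYTES] = {0}, d = 0.0;
    if (len == 0) return 0.0;
    for (size_t j = 0; j < len; j++) hist[p[j]] += 1.0 / (double)len;
    for (int b = 0; b < NBYTES; b++) d += fabs(hist[b] - m->mean[b]);
    return d;
}

/* Longest common substring by two-row dynamic programming; returns its length and offset in a. */
size_t lcs(const unsigned char *a, size_t la, const unsigned char *b, size_t lb, size_t *start_a) {
    size_t best = 0, *prev = calloc(lb + 1, sizeof *prev), *cur = calloc(lb + 1, sizeof *cur);
    *start_a = 0;
    if (!prev || !cur) { free(prev); free(cur); return 0; }
    for (size_t i = 1; i <= la; i++) {
        for (size_t j = 1; j <= lb; j++) {
            cur[j] = (a[i - 1] == b[j - 1]) ? prev[j - 1] + 1 : 0;
            if (cur[j] > best) { best = cur[j]; *start_a = i - best; }
        }
        size_t *t = prev; prev = cur; cur = t;     /* cur now holds the stale row */
        memset(cur, 0, (lb + 1) * sizeof *cur);
    }
    free(prev); free(cur);
    return best;
}

/* Ingress/egress correlation: both payloads must look anomalous, and they must share a
   substring of at least MIN_SIG bytes; that substring becomes the generated signature. */
int worm_correlate(const payl_model *m, const unsigned char *in, size_t inlen,
                   const unsigned char *out, size_t outlen, unsigned char *sig, size_t *siglen) {
    size_t start, n;
    *siglen = 0;
    if (payl_score(m, in, inlen) < THRESHOLD || payl_score(m, out, outlen) < THRESHOLD)
        return 0;                                  /* at least one side looks like normal traffic */
    n = lcs(in, inlen, out, outlen, &start);
    if (n < MIN_SIG) return 0;                     /* anomalous but unrelated payloads */
    if (n > MAX_SIG) n = MAX_SIG;
    memcpy(sig, in + start, n);
    *siglen = n;
    return 1;
}

/* Constructed data: three normal HTTP requests for training and a fake worm body. */
const char *normal_traffic[] = {
    "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET /about.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
};
const unsigned char worm_code[] = { 0xe8,0x00,0x00,0x00,0x00,0x5b,0x81,0xeb,
                                    0xff,0xff,0xff,0x7f,0xff,0xe4,0xcc,0x90 };

/* prefix + NOP sled + opcode-like tail; returns the total length written. */
size_t build_payload(unsigned char *buf, const char *prefix) {
    size_t n = strlen(prefix);
    memcpy(buf, prefix, n);
    memset(buf + n, 0x90, SLED_LEN);  n += SLED_LEN;
    memcpy(buf + n, worm_code, sizeof worm_code);
    return n + sizeof worm_code;
}

unsigned char demo_sig[MAX_SIG];
size_t demo_siglen;
double demo_normal_score;

/* Run the pipeline on the constructed data; returns 1 on detection and fills demo_sig. */
int demo(void) {
    payl_model m;
    unsigned char in[512], out[512];
    const char *normal = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n";
    payl_train(&m, normal_traffic, 3);
    demo_normal_score = payl_score(&m, (const unsigned char *)normal, strlen(normal));
    size_t inlen  = build_payload(in,  "POST /cgi/upload HTTP/1.0\r\n");
    size_t outlen = build_payload(out, "POST /cgi/upload HTTP/1.0\r\nX-Id: 7\r\n");
    return worm_correlate(&m, in, inlen, out, outlen, demo_sig, &demo_siglen);
}

int main(void) {
    printf("detected=%d normal_score=%.3f signature=%zu bytes\n", demo(), demo_normal_score, demo_siglen);
    return 0;
}
```

Because every byte of the sled and tail is absent from the training set, each worm payload's distance is at least twice the fraction of such bytes (here above 1.5), while a benign request close to the training data scores well under the threshold. The generated signature is the 138-byte common substring, which includes the CRLF both prefixes end with; a deployed system would still need to check candidate signatures against normal traffic for false positives before loading them into the pattern-matching engine.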
Keywords/Search Tags:intrusion detection, protocol analysis, Linux, network security