
Design And Realization Of Intrusion Detection System Based On Known Network Attacks

Posted on: 2008-05-21
Degree: Master
Type: Thesis
Country: China
Candidate: E F Xue
GTID: 2178360212496821
Subject: Computer system architecture

Abstract/Summary:
Intrusion detection technology is one of the core technologies of dynamic security technology, and plays an important role in protecting network security, detecting the signs of intrusion, and analyzing the technical means of intrusion. Besides access control, encryption and authentication, firewalls and virtual subnets, an Intrusion Detection System (IDS) acts as another effective defensive security measure. An IDS is able to monitor the network without affecting network performance, and provides real-time protection against internal attacks, external attacks, and improper operation. Therefore, an IDS can greatly enhance network security.

According to the intrusion detection model proposed by CIDF, this paper gives a clear picture of the function of each component of the model proposed by CIDF and of the interaction among the components. The final purpose of this paper is to establish a network IDS characterized by high efficiency, real-time operation, a pattern matching technique and a dynamic rule library based on protocol analysis. The main work is as follows:

The general design of the network IDS lays out the structure of the whole system, which can be divided into six modules: a network packet capture module, an intelligent detection module based on protocol analysis, a module based on dynamic rule sets, a rule analysis module, an intrusion response module and a storage module. This paper designs and implements each module in turn.

Data packet capture: Data capture provides the elements for detection and decision-making, and its accuracy, reliability and efficiency directly affect the performance of the whole system. If data acquisition is delayed too much, the invaders will already have intruded into the system by the time of detection; if the data is incomplete, the detection system is greatly weakened; if the data is incorrect, the detection system fails to report some of the attacks, so the consequences are disastrous. This shows the importance of data collection. A relatively mature function library called libpcap is employed in this study to capture data packets; it acts as a unified API offering data packets to application-layer procedures.

Intelligent detection module based on protocol analysis: Applying protocol analysis technology to an IDS greatly improves the accuracy and efficiency of detection:

(1) A significant increase in performance: Taking full advantage of the known structure of the communication protocol, protocol analysis technology can categorize attack characteristics and reduce unnecessary matching. When a protocol analysis tree is employed to process a data packet, the suspicious ones are cleared away at each testing step, reducing the burden on the following steps. Thus, compared with traditional pattern matching, protocol analysis is much faster and more effective when handling data packets.

(2) An increase in accuracy: Compared with a non-intelligent pattern-matching IDS, the protocol analysis module provides specific information suited to pattern matching. For example, a considerable portion of attacks exist only in the head of the data packet; the contents of such a packet then no longer require further matching. Therefore, a large part of the unnecessary comparison can be eliminated. Meanwhile, false reports can be avoided when attack characteristics exist in the contents of the packet.

(3) Situation analysis: when a data packet is analyzed by the protocol analysis of the IDS, its relationship with other factors should be taken into account, rather than analyzing each packet in isolation.

(4) Resistance to evasion: the protocol analysis of the IDS can determine the true purpose and meaning of a communication. Therefore, it is not easily affected by evasion techniques (TCP/IP fragmentation attacks) from invaders.

(5) Less consumption of resources: protocol analysis in the IDS does not require much calculation. Therefore, it consumes fewer resources on the host.

Dynamic rule sets: Due to the expansion of rule sets and the development of high-speed networks, the probability of the IDS losing data packets has increased greatly, which severely degrades the performance of the IDS. However, static rule sets cannot be adjusted according to the system environment and state. Therefore, this study proposes a method to rank rule sets automatically. In this way, administrators only need to weight the recorded data on the basis of the existing rule sets: the higher the frequency of occurrence, the greater the weighted value, and the further ahead the rule is ranked in the rule set. In addition, in cooperation with the scheduling function, this method makes the IDS adjust the order of the rule sets on its own initiative at each stage of a long-term detection environment, so as to enhance the speed and real-time characteristics of the IDS in detecting attacks.

Rule analysis module: the detection system of this paper takes the intrusion description of Snort for reference. Snort is an open-source lightweight network IDS, which describes intrusions with simple rules in a fast and easy way for implementation.

Intrusion response module: when the IDS discovers a system security issue and an intrusion takes place, this module responds by making the staff aware of the existence of such problems, and can even take strong measures to counter them. This work is completed by the response module. IDS response systems can be divided into two types: active response and passive response. The intrusion response system in this paper provides a passive response mechanism. It records the collected and analyzed data into the system in a certain order, and at the same time shows the warning messages on the screen.

Storage module: insertion rate is the main requirement of the IDS storage module. The Access database system is selected to build the storage system, because Access is a compact but powerful database, and it inserts data quickly.

The matching detection technology based on protocol analysis proposed in this paper aims at solving the problems of large computational cost, low accuracy and a high false positive rate in traditional pattern matching detection technology, and detects attacks using rules built on the TCP/IP protocol technology. Thus, this matching detection technology reduces the computation of matching detection. This paper designs an IDS with an automatically sorted rule library and dynamic analysis. Through testing and verification of the modules, this system can shorten the time of pattern matching and greatly improve the efficiency of the IDS.

At last, the contents of the paper are summarized and future work is proposed.
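The two mechanisms the abstract describes, a protocol analysis tree that prunes the candidate rules before any payload matching, and a dynamic rule set that re-ranks rules by how often they fire, are shown together in the following added example. It is not the thesis's code: the thesis captures packets with libpcap, whereas this Python version decodes constructed IPv4/TCP byte strings with `struct`, and the `Rule` fields, the `ProtocolTreeIDS` class, the rule identifiers, the addresses and the sample traffic are all assumptions made for the demonstration.

```python
# Added example (not the thesis's code): a miniature protocol-analysis IDS.
# A protocol tree (transport protocol -> destination port) narrows the
# candidate rules before any payload matching, header-only rules never read
# the payload, and each rule bucket is re-ranked by hit frequency, which is
# what the abstract's dynamic rule set does. Every rule, address and packet
# below is constructed for the demo.
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Rule:
    sid: int
    proto: str                # transport protocol
    dport: Optional[int]      # destination port, None = any port
    flags: Optional[int]      # exact TCP flag value required, None = any
    content: Optional[bytes]  # payload pattern, None = header-only rule
    msg: str
    hits: int = 0             # matches so far; drives re-ranking

def parse_ipv4_tcp(pkt: bytes) -> Optional[dict]:
    """Decode IPv4 + TCP headers (no link layer); None for malformed or non-TCP data."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 6 or not ihl + 20 <= total_len <= len(pkt):
        return None
    sport, dport, _, _, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    doff = (off_flags >> 12) * 4
    if doff < 20 or total_len < ihl + doff:
        return None
    # bound the payload by the IP total length, not by the buffer size
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "flags": off_flags & 0x01FF, "payload": pkt[ihl + doff:total_len]}

class ProtocolTreeIDS:
    def __init__(self, rules: List[Rule]):
        # protocol analysis tree: proto -> dport -> rules in their current rank
        self.tree: Dict[str, Dict[Optional[int], List[Rule]]] = {}
        for r in rules:
            self.tree.setdefault(r.proto, {}).setdefault(r.dport, []).append(r)
        self.content_checks = 0           # payload comparisons actually performed

    def candidates(self, proto: str, dport: int) -> List[Rule]:
        """Only rules for this protocol and this port (or any port) survive the tree walk."""
        ports = self.tree.get(proto, {})
        return ports.get(dport, []) + ports.get(None, [])

    def inspect(self, pkt: bytes) -> Optional[int]:
        """Return the sid of the first matching rule, or None."""
        hdr = parse_ipv4_tcp(pkt)
        if hdr is None:
            return None
        for rule in self.candidates("tcp", hdr["dport"]):
            if rule.flags is not None and hdr["flags"] != rule.flags:
                continue                  # header decides; payload is never read
            if rule.content is not None:
                self.content_checks += 1
                if rule.content not in hdr["payload"]:
                    continue
            rule.hits += 1
            return rule.sid
        return None

    def rerank(self) -> None:
        """Scheduling step: most frequently hit rules move to the front of their bucket."""
        for ports in self.tree.values():
            for bucket in ports.values():
                bucket.sort(key=lambda r: r.hits, reverse=True)

def build_tcp_packet(sport: int, dport: int, flags: int, payload: bytes) -> bytes:
    """Constructed IPv4+TCP packet for the demo (checksums left at zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return ip + tcp

def make_rules() -> List[Rule]:          # constructed Snort-style rules
    return [Rule(1, "tcp", 80, None, b"/cgi-bin/", "web cgi probe"),
            Rule(2, "tcp", 80, None, b"../..", "web directory traversal"),
            Rule(3, "tcp", None, 0x000, None, "TCP NULL scan (header only)"),
            Rule(4, "tcp", 21, None, b"SITE EXEC", "ftp SITE EXEC")]
PSH_ACK = 0x018                          # TCP PSH|ACK flag bits

def run_demo() -> dict:
    ids = ProtocolTreeIDS(make_rules())
    traffic = [build_tcp_packet(40000, 80, PSH_ACK, b"GET /index.html HTTP/1.0\r\n"),
               build_tcp_packet(40001, 80, PSH_ACK, b"GET /cgi-bin/test HTTP/1.0\r\n"),
               build_tcp_packet(40002, 80, PSH_ACK, b"GET /../../etc HTTP/1.0\r\n"),
               build_tcp_packet(40003, 80, PSH_ACK, b"GET /a/../../b HTTP/1.0\r\n"),
               build_tcp_packet(40005, 21, 0x000, b""),
               build_tcp_packet(40006, 21, PSH_ACK, b"SITE EXEC ls\r\n"),
               b"\x45\x00\x00\x10"]        # truncated datagram, rejected by the parser
    order_before = [r.sid for r in ids.tree["tcp"][80]]
    verdicts = [ids.inspect(p) for p in traffic]
    ids.rerank()                           # the port-80 bucket now leads with rule 2
    return {"verdicts": verdicts, "order_before": order_before,
            "order_after": [r.sid for r in ids.tree["tcp"][80]],
            "content_checks": ids.content_checks}
```

Running `run_demo()` shows the pruning effect: the two FTP packets are never compared against the web rules, the NULL-scan rule fires on header fields alone without reading a payload, and after `rerank()` the port-80 bucket is reordered so that the traversal rule, which fired twice, is tried before the CGI rule, which fired once. The `content_checks` counter is the quantity the abstract's performance argument is about: the number of payload comparisons actually made for a given packet stream.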
Keywords/Search Tags: Realization