
Research On Dataflow Reassembly In IDS

Posted on: 2008-09-06
Degree: Master
Type: Thesis
Country: China
Candidate: W Li
Full Text: PDF
GTID: 2178360215451638
Subject: Computer application technology
Abstract/Summary:
With the growth of e-business, network security is receiving unprecedented attention. An Intrusion Detection System (IDS) analyses the packets passing through the network, finds potential attacks, and either informs administrators or takes protective measures on its own according to policies configured in advance.

Traditional IDSs scan the content of a single packet. However, intruders often split sensitive information across a number of small IP packets before sending it. An IDS cannot judge such attacks correctly, because the data stream carried by these IP packets loses its characteristic features when examined one packet at a time. An IDS based on dataflow reassembly abandons single-packet scanning and instead scans the data after the flow has been reassembled.

This thesis studies IP fragment reassembly and the security problems that arise in it. An IP fragment reassembly algorithm based on an improved RFC 815 and a splay tree is proposed; it meets both the efficiency and the security requirements of IP fragment reassembly.

TCP reassembly is the core of dataflow reassembly. The thesis gives a detailed analysis of the TCP protocol and of TCP connection state management, and discusses several security problems in TCP reassembly. To ensure correct and efficient reassembly of application-layer data, a TCP reassembly algorithm based on a splay tree is presented.

The thesis also analyses in depth the principles and methods of network packet capture. BPF is a kernel-based filter module, and the libpcap software development kit built on BPF can capture network packets efficiently. A dataflow reassembly prototype system is implemented with libpcap; it can track TCP connection states and fully reconstruct the application-layer data.
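As an added illustration (not code from the thesis), the following Python block implements the RFC 815 hole-descriptor reassembly that the abstract builds on, applied to constructed fragments, and counts overlapping bytes whose values disagree, which is the kind of ambiguity the abstract's "security problems in IP fragment reassembly" refers to and which an IDS should alert on. It assumes byte offsets (the caller has already multiplied the header's 8-byte offset field), a single datagram rather than a table keyed by id/src/dst/protocol, and a first-data-wins policy; the thesis's improved variant and its splay-tree index are not described on the page, so a plain hole list with a linear scan is used.

```python
from dataclasses import dataclass, field
from typing import Optional

INF = 65535  # largest possible IPv4 payload offset, RFC 815's "infinity"

@dataclass
class Fragment:
    offset: int     # byte offset of the payload within the original datagram
    payload: bytes
    more: bool      # the IP header's "More Fragments" (MF) flag

@dataclass
class Reassembler:
    """RFC 815 hole-descriptor reassembly of one datagram (assumption: one
    datagram; a real IDS keys a table of these by id/src/dst/protocol)."""
    holes: list = field(default_factory=lambda: [(0, INF)])  # (first, last) byte ranges still missing
    data: dict = field(default_factory=dict)                 # byte position -> byte value
    total: Optional[int] = None                               # datagram length, known once MF=0 seen
    conflicts: int = 0                                        # overlapping bytes whose values disagree

    def add(self, frag: Fragment) -> bool:
        """Fill the holes covered by frag; return True when no holes remain."""
        first, last = frag.offset, frag.offset + len(frag.payload) - 1
        remaining = []
        for h_first, h_last in self.holes:
            if last < h_first or first > h_last:      # hole untouched by this fragment
                remaining.append((h_first, h_last))
                continue
            if first > h_first:                        # gap left before the fragment
                remaining.append((h_first, first - 1))
            if last < h_last and frag.more:            # gap left after it, unless this is the tail
                remaining.append((last + 1, h_last))
        self.holes = remaining
        if not frag.more:
            self.total = last + 1
        for i, b in enumerate(frag.payload):
            pos = first + i
            if pos in self.data and self.data[pos] != b:
                self.conflicts += 1                    # ambiguous overlap: raise an alert
            self.data.setdefault(pos, b)               # policy (assumption): first data seen wins
        return not self.holes

    def datagram(self) -> Optional[bytes]:
        """The reassembled payload, or None while holes remain."""
        if self.holes or self.total is None:
            return None
        return bytes(self.data[i] for i in range(self.total))
```

Fragments may arrive in any order; the tail fragment (MF=0) fixes the datagram length, and a non-zero `conflicts` count after completion means two fragments claimed the same bytes with different content.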
Keywords/Search Tags: IDS, IP fragment, dataflow reassembly, libpcap, data collection