Research On Stateful Protocol Analysis Technology In Intrusion Detection System Based On IPv6

Posted on: 2008-10-17
Degree: Master
Type: Thesis
Country: China
Candidate: X R Zhang
Full Text: PDF
GTID: 2178360242458971
Subject: Computer application technology
Abstract/Summary:
With the development of computer networks, the Internet has gradually become a part of people's daily work and life. While the network brings unprecedented opportunities for the informatization of human society, people also face increasingly serious network security problems. The IPv4 protocol is encountering more and more difficulties, such as address exhaustion and routing table expansion. As the next-generation network protocol, IPv6 must coexist with IPv4 for a long time and will completely replace it in the end. Although IPv6 addresses data encryption and identity authentication through the IP Security Protocol, which lets data travel safely over an insecure network, the IP Security Protocol does not effectively prevent attacks on the protocol itself. An intrusion detection system is therefore still very important, and it is necessary and timely to research intrusion detection systems in IPv6 network environments.

Based on the differences between the IPv4 and IPv6 protocols, the new technical characteristics of IPv6 intrusion detection are studied through an analysis of the IPv6 packet header structure, addresses, extension headers and security mechanisms. The two techniques of pattern matching and protocol analysis are analyzed in detail. Protocol analysis, which developed from pattern matching, is a novel security technique used to analyze a single packet. Nevertheless, most attacks are carried out over several requests and cannot be discovered by inspecting a single request or response alone. This is where stateful protocol analysis becomes necessary.

Then the module and algorithm of Stateful Protocol Analysis (STAPA) are studied in detail. This technique adds stateful characteristic analysis to ordinary protocol analysis: not only is each single request or response inspected, but all traffic of a session is also considered as a whole. The thesis therefore attempts to use the model on the IPv6 platform.

To accomplish this, Snort is studied because of its many virtues: it is a lightweight network IDS, easy to install and configure, powerful, and flexible in use. Based on this study of the Snort system, IPv6 packet handling is added to the protocol decoding plug-in and the rule handling plug-in, and IPv6-based stateful protocol analysis is added to the rebuild-frag preprocessor.

Finally, experimental testing shows that the improved Snort achieves several functions, such as IPv6 packet detection, scanner detection, rebuild-frag detection and SYN Flood attack detection.

In summary, based on an analysis of the Snort structure, a new scheme corresponding to Snort is introduced. Experimental testing proves that Snort can effectively detect IPv6 attacks and that Snort's functionality has been extended.
Keywords/Search Tags: IPv6, Intrusion Detection System (IDS), Snort, Stateful protocol analysis (STAPA)
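
The abstract's central point, that an attack spread over several packets is only visible when the session is tracked as a whole, can be illustrated with a small SYN Flood detector over IPv6 flows. This is an added example, not code from the thesis or from Snort; the class name, the flag strings ("S", "SA", "A"), the threshold and the sample addresses are all assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import IPv6Address

class HandshakeTracker:
    """Keeps TCP handshake state per session; counts half-open sessions per server."""
    def __init__(self, limit=3):             # limit is an assumed threshold
        self.limit = limit
        self.state = {}                      # (client, cport, server, sport) -> state
        self.half_open = defaultdict(int)    # (server, sport) -> unfinished handshakes
        self.alerts = []                     # (server, port, half-open count)

    def feed(self, src, sport, dst, dport, flags):
        src, dst = IPv6Address(src), IPv6Address(dst)
        if flags == "S":                     # client SYN opens a session
            key = (src, sport, dst, dport)
            if key not in self.state:
                self.state[key] = "SYN_SEEN"
                self.half_open[(dst, dport)] += 1
                count = self.half_open[(dst, dport)]
                if count > self.limit:
                    self.alerts.append((str(dst), dport, count))
        elif flags == "SA":                  # server SYN/ACK: session key is reversed
            key = (dst, dport, src, sport)
            if self.state.get(key) == "SYN_SEEN":
                self.state[key] = "SYN_ACK_SEEN"
        elif flags == "A":                   # client ACK completes the handshake
            key = (src, sport, dst, dport)
            if self.state.get(key) == "SYN_ACK_SEEN":
                self.state[key] = "ESTABLISHED"
                self.half_open[(dst, dport)] -= 1

def run_sample():
    """Constructed traffic: one complete handshake, then five SYNs never completed."""
    server, client = "2001:db8::1", "2001:db8::10"
    tracker = HandshakeTracker()
    tracker.feed(client, 40000, server, 80, "S")
    tracker.feed(server, 80, client, 40000, "SA")
    tracker.feed(client, 40000, server, 80, "A")
    for i in range(1, 6):                    # each SYN is a valid packet on its own
        tracker.feed(f"2001:db8:ffff::{i}", 50000 + i, server, 80, "S")
    return tracker

if __name__ == "__main__":
    print(run_sample().alerts)
```

Every SYN in the sample passes a single-packet check; only the per-server count of unfinished handshakes, which requires session state, raises the alert.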