Research And Implementation On Packet Sampling Algorithm For Intrusion Detection

With the increasingly serious problem in network security,Intrusion Detection System(IDS) has already become an important component of Computer and Network security.However,with the continuous increase in network bandwidth, the existing IDS, by the processing speed restrictions, can not cope with the existing high speed link. So, it is need a method to increase the processing capacity of IDS.Upgrading the processing speed of hardware is commonly used method.However,the upgrading of hardware processing speed can not keep pace with the rate of network bandwidth's increase. IDS's processing speed faces the bottleneck.Packet sampling which widely used in network monitoring is a good method to improve data packet processing capacity. But, the traditional packet sampling algorithm is designed for network monitoring and does not consider that it maybe used in intrusion detection.In recent years, researchers gradually begin to research packet sampling algorithm in intrusion detection.They analyse several traditional packet sampling algorithms used in network monitoring, compare the effects of packet sampling algorithms when they directly used in the intrusion detection,and point that these algorithms do not suit for intrusion detection of high speed link.But,they They do not propose new and effective algorithm. According to it,paper will research new packet sampling algorithm for intrusion detection.The main achievements of this work consist of following aspects:1. Analysing several method of typical network attacks. According to analyse the classic data sets's intrusion detection logs, a feature of the intrusion has been found: intrusion attacks have continuity in the time. Based on this characteristic, design a new packet sampling algorithm.2. Designing experimental platform based on Snort. Upgrading Snort's capture data packets rate from 100M to Gigabit.So,it can be used in the real high-speed link.3. Building the real high-speed link environment, and doing experimentin for the new algorithm in this environment. The experiment results show that the new packet sampling algorithm can be greatly enhanced process rate in high speed link,while has higher success rate than the traditional packet sampling algorithm.