Research On Network Intrusion Detection System Based On Snort

Posted on: 2009-02-25
Degree: Master
Type: Thesis
Country: China
Candidate: Z J Huan
Full Text: PDF
GTID: 2178360245996408
Subject: Computer software and theory

Abstract/Summary:
Intrusion detection is the study of detecting and responding to the misuse of computers. Its functions are to detect and respond to attacks, evaluate losses, forecast attacks, provide legal support, and so on. Intrusion detection technology is a new generation of security safeguard that follows traditional protection measures such as firewalls and data encryption. An Intrusion Detection System (IDS) is a software system that uses intrusion detection technology to identify and respond to malicious actions against computer and network resources. It can detect attacks from inside as well as from outside.

Intrusion detection techniques can be divided into anomaly detection and misuse detection. Currently, domestic and international research on intrusion detection leans toward anomaly detection systems, while research on traditional misuse detection systems concentrates on system architecture and on detection performance in super-speed networks. Based on this research, many commercial intrusion detection systems have appeared. The most common approach to network intrusion detection is to manually process and analyze the router's and firewall's logs, or to use the software developed by Martin Roesch. With the rapid expansion of network scale and complexity, hackers' activities are more rampant and their intrusion techniques more concealed, so the resulting losses are more devastating. This poses a great challenge to existing IDSs.
The successive appearance of large-scale, high-speed switched networks has left earlier IDSs far from meeting users' needs for faster packet capture and more effective detection measures; as a result, they need to be redesigned in both software structure and algorithms. Also, in a large-scale network, different parts may use different IDSs, and the IDSs currently in use cannot exchange and share data with the other security products in the internal network. All of this causes inconvenience to users.

This paper puts forward a network intrusion detection system based on Snort (sniffer and more). Snort is a powerful, lightweight network IDS. It can analyze traffic and record IP network packets in real time, and it can perform protocol analysis and content searching or matching. Snort can also detect many different kinds of attack and raise real-time alarms. Furthermore, Snort has good extensibility and portability.

In this paper, I first describe Snort's architecture, workflow and three-dimensional linked list, and then analyze in particular Snort's Detection Engine and its pattern matching algorithms. A data preprocessing model based on GM(1,1) and an index reduction algorithm based on grey relation are built. Because of the shortcomings of the pattern matching algorithms originally used by Snort, I choose a new improved algorithm and apply it to Snort's Detection Engine. Through the results of several experiments, I demonstrate that the new improved algorithm is efficient and that the improved Detection Engine is faster than the original system's. This shows that the algorithm can clearly reduce the false drop and false retrieval rates, reduce the system resources needed, and improve timeliness and accuracy. Finally, the advantages and disadvantages of the newly implemented system are given, together with a suggestion for further improvement.
Keywords/Search Tags: Intrusion Detection, Intrusion Prevention, False Alert, Snort, Sniffer