Research On Key Technologies Of Intrusion Prevention System

Posted on: 2009-01-21
Degree: Master
Type: Thesis
Country: China
Candidate: L Pei
Full Text: PDF
GTID: 2178360248953841
Subject: Computer application technology
Abstract/Summary:
As networks have developed, network attacks have become more complex, and security technologies such as intrusion detection systems (IDS), firewalls and antivirus software have become indispensable to information security and protection. Although these technologies and products play a very important role, each is highly targeted and addresses only one aspect of network security. An IDS detects intrusions and can block connections, but its focus is on detection. A firewall inspects network traffic and intercepts packets that do not comply with the security policy, but its access control rules are static, so it cannot respond dynamically as intrusions change.

This paper analyses the key technologies and architecture of firewalls and the advantages and disadvantages of the various firewall technologies. It also analyses in depth the intrusion detection technologies based on anomaly detection and misuse detection. Building on this study of firewall and intrusion detection technology, the intrusion prevention system unifies both functions. The intrusion prevention system implemented in this paper is built on the Linux firewall Netfilter/Iptables and the Snort intrusion detection system, which are improved to achieve common intrusion prevention capabilities. Snort's packet acquisition mode, packet parsing and packet feedback mechanism are revised. Netfilter's libipq library functions are used for packet capture, Netfilter performs packet filtering, and Snort performs analysis from the IP layer; an IPv6 processing module is added, expanding the system's packet analysis capability. After Snort detects intrusion behavior, it communicates with Netfilter.

This paper analyses the commonly used pattern matching algorithms and tests them, measuring the effect of pattern string length and the number of patterns on matching performance, and evaluates the space consumption of the algorithms. Based on the test results, the multi-pattern matching algorithm AC_BM was selected as the pattern matching algorithm. Pattern matching has the drawbacks of heavy computation and a tendency to miss intrusions, so protocol analysis is combined with pattern matching to detect intrusions. The system uses stateful inspection to filter packets, extending the filtering features of the Linux firewall Netfilter/Iptables so that the firewall can make control decisions not only on a packet's address and port but also on its type, its length and matching of its content, thereby improving efficiency.
Keywords/Search Tags: intrusion prevention, intrusion detection, firewall