
Research On High-speed Network Intrusion Detection System Architecture

Posted on: 2010-02-04
Degree: Master
Type: Thesis
Country: China
Candidate: Y F Si
Full Text: PDF
GTID: 2178360272479344
Subject: Computer application technology
Abstract/Summary:

An intrusion detection system can detect attacks originating both outside and inside the protected network and respond quickly when it detects an intrusion. However, with the development of network technology and the rapid growth of network bandwidth, intrusion detection systems cannot keep up with high-speed networks, which results in packet loss. Many attacks embedded in packets therefore go undetected because the packets are lost. Enhancing the performance of intrusion detection systems is therefore important.

Because a single engine loses packets owing to its low performance, a cluster-based intrusion detection system architecture is proposed. The architecture includes nine parts: network packet capture module, protocol partition module, load partition module, detection module, rule database, rule parse module, response module, control module and log module. This dissertation also introduces the system data flow graph and the system's processing procedure.

A load balancing algorithm is presented that combines load balancing, data integrity and the characteristics contained in network packets. The network traffic is split across a number of detection engines in the cluster, which reduces the load on any single engine and enhances the performance of the whole system.

Because the preprocessing time of the AC_BM algorithm is long and its shift step needs improvement, an improved multi-pattern matching algorithm based on finite state automata (FSA) is proposed. The algorithm can match several patterns at a time. It gives up the good-suffix strategy and chooses two characters as the heuristic characters: the current mismatched character and the character before the first character of the current round.

The results show that the detection engine can detect most of the attacks embedded in the packets; the architecture can adapt to higher network speeds; and the improved algorithm, TLFSA, takes less time, has higher performance, and is suitable for high-speed network intrusion detection systems.
Keywords/Search Tags:Intrusion Detection, Load Balancing, Flow Partition, Pattern Matching
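
The abstract does not give the thesis's load partition algorithm, so the following is an added example and not the thesis's code: one minimal way a load partition module can combine load balancing with data integrity, by pinning both directions of a session to one detection engine and sending each new session to the least-loaded engine. The names `flow_key` and `LoadPartitioner`, the byte-count load metric and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent session key: request and reply map to one key,
    so a single engine sees the whole session (data integrity)."""
    a = (int(ipaddress.ip_address(src_ip)), src_port)
    b = (int(ipaddress.ip_address(dst_ip)), dst_port)
    lo, hi = sorted((a, b))
    return (proto, lo, hi)

class LoadPartitioner:
    """Hypothetical load partition module for a cluster of detection engines."""

    def __init__(self, n_engines):
        self.load = [0] * n_engines  # bytes handed to each engine so far
        self.flows = {}              # flow key -> engine index

    def dispatch(self, src_ip, src_port, dst_ip, dst_port, proto, length):
        key = flow_key(src_ip, src_port, dst_ip, dst_port, proto)
        engine = self.flows.get(key)
        if engine is None:
            # New session: pick the least-loaded engine (lowest index on ties).
            engine = min(range(len(self.load)), key=self.load.__getitem__)
            self.flows[key] = engine
        # Known session: stay on the same engine even if it is now busier,
        # otherwise a signature spanning several packets could be missed.
        self.load[engine] += length
        return engine

# Constructed sample traffic: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_PACKETS = [
    ("10.0.0.5", 40000, "192.0.2.10", 80, "tcp", 600),   # session A, client->server
    ("10.0.0.6", 40001, "192.0.2.10", 80, "tcp", 200),   # session B
    ("192.0.2.10", 80, "10.0.0.5", 40000, "tcp", 1400),  # session A, server->client
    ("10.0.0.7", 5353, "192.0.2.53", 53, "udp", 90),     # session C
    ("10.0.0.6", 40001, "192.0.2.10", 80, "tcp", 300),   # session B again
]

def run_sample(n_engines=2):
    """Dispatch the sample packets; return per-packet engines and final loads."""
    lp = LoadPartitioner(n_engines)
    engines = [lp.dispatch(*pkt) for pkt in SAMPLE_PACKETS]
    return engines, lp.load

if __name__ == "__main__":
    print(run_sample())
```

Session affinity costs some balance: engine 0 ends with more bytes than engine 1 because session A stays pinned after it grows.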