
The Research Of The Network Intrusion Detection System Based On Pattern Matching

Posted on: 2010-06-30
Degree: Master
Type: Thesis
Country: China
Candidate: X Zhou
Full Text: PDF
GTID: 2178360272496885
Subject: Software engineering
Abstract/Summary:
In recent years, with the development of computer technology and the expansion of networks, systems are subjected to more and more intrusions and other attacks. Network and information security has become an increasingly prominent concern and is now an international problem. Every year, computer network security problems cause enormous losses worldwide. Detecting and preventing intrusions and protecting computer systems, network systems and the entire information infrastructure have therefore become an urgent and important issue.

Network security is a systematic concept, and an effective security policy is the principal task of network information security. Intrusion detection technology is designed and configured to guarantee the security of computer systems: it discovers and reports unauthorized or abnormal situations in the system in a timely manner. It is a technology that detects actions which violate the security policy of a system or computer network. An intrusion detection system can detect an attack before the system is damaged and respond with alarms and protective measures, thereby reducing the losses caused by attacks.

Intrusion detection achieves its function by carrying out the following tasks: monitoring and analyzing user and system activity; auditing the structure and weaknesses of the system; recognizing patterns of attack activity and alerting administrators; statistically analyzing abnormal behavior patterns; evaluating the integrity of critical system and data files; and tracking and managing the operating system. The advent of intrusion detection technology helps a system deal with network attacks, expands the system administrator's security management capabilities (including security auditing, monitoring, attack recognition and response), and improves the integrity of the information security infrastructure.

Intrusion detection systems can be divided into different categories according to different perspectives and classification criteria.
1. According to the data source, intrusion detection is usually divided into two categories: host-based intrusion detection systems and network-based intrusion detection systems.
(1) A host-based intrusion detection system usually obtains its main data from the audit records and log files of the host, supplemented by additional information on the host, such as file system attributes and the status of running processes.
(2) A network-based intrusion detection system mainly inspects the data traffic in a network segment. It can access the output data of hosts and applications in the monitored network environment and can also examine network packets directly.
2. According to the data analysis method, intrusion detection systems can be divided into two categories: misuse intrusion detection systems and anomaly intrusion detection systems.
(1) Anomaly intrusion detection detects attack behavior by observing the difference between present activities and past activities in the system. It usually establishes a model of normal activity that is constantly updated, compares the current activities of users against this normal model, and decides whether they deviate from the normal behavior model in order to detect attacks.
(2) Misuse intrusion detection is based on the analysis of various types of attack methods, from which a collection of attack signatures ("attack characteristics") can be identified. A misuse detection system analyzes the behavior of the system and detects an attack by finding events whose timing and content match a defined attack signature.

This thesis takes network-based intrusion detection and misuse detection technology as its theoretical basis and, following the CIDF intrusion detection model, designs a high-performance, real-time, network-based intrusion detection system.

The system is implemented in five parts: a network packet capture module, a network protocol analysis module, a rule parsing module, an intrusion detection module and an intrusion response module. The thesis gives a detailed analysis, design and implementation of each module's functions.
1. Network packet capture module. The packet capture mechanism is the basic component of a network intrusion detection system. It captures packets directly from the network interface and supplies them to the other modules, forming the information source of the entire system on which the other modules perform detection. The thesis adopts the Libpcap function library and the Berkeley Packet Filter mechanism.
2. Network protocol analysis module. Every packet transmitted over the network strictly complies with the rules of its protocol. Packets captured from the network are therefore decoded layer by layer, from the bottom of the protocol stack upward, in order to obtain complete information. This lays the foundation for the subsequent detection work and improves system performance.
3. Rule parsing module. This intrusion detection system draws on the workflow and intrusion rule format of Snort, an open-source lightweight network intrusion detection system. Snort's intrusion rules are simple, fast, easy to implement and expressive; each rule describes one attack method.
4. Intrusion detection module. This is the core of the system. After protocol analysis, the network packets are matched against the rules in the intrusion signature database to determine whether an intrusion has occurred. On the basis of the classical BM (Boyer-Moore) algorithm, the thesis adopts an improved BM algorithm for the matching, making it more practical in application.
5. Intrusion response module. When the intrusion detection module finds intrusion behavior or a suspicious situation, it must take appropriate measures and inform the administrator in time; these tasks are completed by the intrusion response module. The response of an intrusion detection system is divided into active response and passive response. This system mainly provides a passive response mechanism: when an intrusion is detected, it issues a warning according to the level of hazard, for example by mailing the administrator or sounding a voice alarm.

Finally, the thesis demonstrates the superiority of the system's performance with experimental data, draws conclusions about its shortcomings, and points out directions for further work.
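The classical Boyer-Moore matching that the detection module builds on, as an added example (not code from the thesis): it scans a payload for a signature string using both the bad-character and good-suffix shift rules, the way a rule's content string would be matched against a decoded packet. The HTTP payload and the signature are constructed sample data, and the thesis's improved variant is not shown.

```c
#include <string.h>
#define ALPHABET 256
/* Bad-character rule: rightmost position of each byte in the pattern, -1 if absent. */
static void build_bad_char(const unsigned char *pat, int m, int bc[ALPHABET])
{
    for (int c = 0; c < ALPHABET; c++) bc[c] = -1;
    for (int i = 0; i < m; i++) bc[pat[i]] = i;
}
/* Strong good-suffix rule: gs[j] is the shift after pat[j..m-1] matched but pat[j-1] did not. */
static void build_good_suffix(const unsigned char *pat, int m, int gs[])
{
    int bpos[m + 1], i = m, j = m + 1;
    memset(gs, 0, (m + 1) * sizeof gs[0]);
    bpos[i] = j;
    while (i > 0) {                          /* case 1: the matched suffix reoccurs in pat */
        while (j <= m && pat[i - 1] != pat[j - 1]) {
            if (gs[j] == 0) gs[j] = j - i;
            j = bpos[j];
        }
        bpos[--i] = --j;
    }
    for (i = 0, j = bpos[0]; i <= m; i++) {  /* case 2: a prefix of pat matches the suffix */
        if (gs[i] == 0) gs[i] = j;
        if (i == j) j = bpos[j];
    }
}
/* Offset of the first occurrence of pat in a raw payload (NUL bytes allowed), or -1. */
int bm_search(const unsigned char *text, int n, const unsigned char *pat, int m)
{
    if (m <= 0 || n < m) return -1;
    int bc[ALPHABET], gs[m + 1];
    build_bad_char(pat, m, bc);
    build_good_suffix(pat, m, gs);
    for (int s = 0; s + m <= n;) {
        int j = m - 1;
        while (j >= 0 && pat[j] == text[s + j]) j--;  /* compare right to left */
        if (j < 0) return s;
        int bad = j - bc[text[s + j]];                 /* bad-character shift, may be <= 0 */
        s += gs[j + 1] > bad ? gs[j + 1] : bad;        /* take the larger of the two shifts */
    }
    return -1;
}
/* Constructed sample (not a real capture): an HTTP request carrying a traversal token. */
int demo_match_offset(void)
{
    static const unsigned char payload[] = "GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n";
    static const unsigned char sig[] = "/../";
    return bm_search(payload, (int)sizeof payload - 1, sig, (int)sizeof sig - 1);
}
```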
Keywords/Search Tags: Network Security, Intrusion Detection, Protocol Analysis, Pattern Matching