
Research And Implementation Of Detection Engine In Intrusion Detection System

Posted on: 2008-06-03
Degree: Master
Type: Thesis
Country: China
Candidate: Q Z Qiu
Full Text: PDF
GTID: 2178360272968545
Subject: Communication and Information System
Abstract/Summary:
With the rapid development of networks, the Intrusion Detection System (IDS) has become an important means of network defense. The capability of the detection engine directly affects the performance of the IDS. An intrusion detection engine relies on two important technologies: protocol analysis and signature analysis. Traditional IDS is implemented in software. However, as networks expand rapidly, the speed of string matching in signature analysis has become the bottleneck for further development. A hardware implementation of IDS is therefore necessary and has become a focus of current research. To address these problems, this thesis studies the protocol analysis and signature analysis technologies of the detection engine and finally implements them in hardware.

In the area of signature analysis, the thesis presents a TCAM-based protocol analysis method. This method can achieve line speed through fast and accurate protocol analysis of each packet. It supports key searches of 72/144/288 bits using different instructions. Compared with traditional software methods, the detection speed is greatly improved, and the method also supports new dynamic protocols.

In the area of signature analysis, the thesis also proposes an implementation of string matching based on FPGA. By extending the width of the data bus, and by sharing common sub-logic and Look-up Tables (LUTs) through pipelining in the design, we solve the high-speed string matching problem on a general-purpose FPGA. In comparison with traditional string matching algorithms, our algorithm effectively shrinks the chip area of the string match filter, and it has been proven to be a highly effective parallel multi-string matching algorithm.

In the implementation part, the thesis introduces a reference design of an IDS system. It includes a packet capturing module, a protocol parsing module, a signature analyzing module and a protocol analyzing module.

Finally, the thesis ends with a verification of this system. Experiments show that the hardware implementation of the intrusion detection engine is suitable for real networks.
Keywords/Search Tags:Intrusion Detection System (IDS), Packet Capturing, Protocol Parsing, Signature Analyze, Protocol Analyze, String Match Algorithm, Rule Management, Content Addressable Memory