
Study And Implementation Of IDS Based On Application Layer Protocol Identification

Posted on: 2009-01-24
Degree: Master
Type: Thesis
Country: China
Candidate: Y S Ge
Full Text: PDF
GTID: 2178360272974769
Subject: Computer software and theory
Abstract/Summary:
With the popularization and rapid development of networks, network users face increasingly serious security issues, and network intrusion has become the most important threat to computer and network security. The network intrusion detection system (NIDS) has therefore emerged, driven by the needs of the times, as a keystone and hotspot of computer security research. Intrusion detection is a newer kind of protective technology than traditional methods such as firewalls and data encryption. It identifies malicious use of host and network resources, and it detects intrusions not only from external attackers but also from intranet users. Intrusion detection is an active protection technology for network security.

At present, network intrusion detection systems face many challenges. It is obvious that network attacks are shifting toward the application layer. Traditional network intrusion detection methods detect intrusions from the characteristics of packets at the transport layer and below, so they have shortcomings that are difficult to overcome, for example poor detection efficiency, false alarms and susceptibility to deception, which makes it hard for them to adapt to the current network environment. Currently, within protocol-analysis-based network intrusion detection systems, identification of the application layer protocol is an active research topic. Commonly, the application layer protocol is identified from the port, but this method is fallible. Some registered ports are used by a number of applications, and some protocols do not depend on a fixed port but choose one at random, so the accuracy of port-based application layer protocol identification algorithms is almost 50% or lower, that is, the error rate is higher than the accuracy.

Moreover, new protocols are continually being added at the application layer; these protocols are usually not registered with IANA, which makes port-based identification of the application layer protocol infeasible. This thesis studies several protocol identification algorithms and improves on port-based identification by combining it with characteristic strings to identify the application layer protocol, forming a new application layer identification pattern that changes time complexity little while greatly improving the accuracy of application layer protocol identification. In addition, users can add or remove application layer protocols. At the same time, in combination with existing protocol-analysis-based IDS, the existing IDS framework is improved: before the intrusion rules are matched, the packet first undergoes protocol identification, and the intrusion detection rules are organized into a rule base indexed by a protocol library list, so that the result of protocol identification selects which rules are matched. This reduces the number of matches, increases the recognition rate of intrusion detection and reduces the false alarm rate. Finally, the thesis uses Snort, currently the most widely used open-source network IDS, as the test platform and compares the new IDS with Snort; the results show that the new IDS model has higher speed, better accuracy and better availability.
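As an added illustration (not code from the thesis), the following Python sketch shows the two ideas the abstract combines: identifying the application layer protocol from characteristic strings in the payload, using the destination port only as a hint for which signatures to try first, and then matching only the rule subset for the identified protocol. The signatures, port hints and rules are constructed example values, not the thesis's own protocol library or rule base.

```python
import re

# Constructed characteristic strings (payload signatures) per protocol.
# These are illustrative values, not the thesis's signature library.
SIGNATURES = {
    "http": re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    "smtp": re.compile(rb"^(EHLO|HELO) "),
    "ssh": re.compile(rb"^SSH-2\.0-"),
    "ftp": re.compile(rb"^(USER|PASS) "),
}

# The port only orders which signature is tried first; it never decides alone,
# so a protocol running on a non-standard or shared port is still identified.
PORT_HINTS = {80: "http", 8080: "http", 25: "smtp", 22: "ssh", 21: "ftp"}

# Detection rules grouped by protocol (constructed examples), so that after
# identification only the matching protocol's subset is evaluated.
RULES = {
    "http": [("http-traversal", re.compile(rb"\.\./")),
             ("http-cmd-in-query", re.compile(rb"[?&]cmd="))],
    "smtp": [("smtp-long-helo", re.compile(rb"^(EHLO|HELO) \S{200,}"))],
    "ssh": [],
    "ftp": [("ftp-long-user", re.compile(rb"^USER \S{100,}"))],
}
TOTAL_RULES = sum(len(v) for v in RULES.values())


def identify_protocol(dst_port, payload):
    """Return the protocol name from characteristic strings; the port is a tiebreak hint."""
    hinted = PORT_HINTS.get(dst_port)
    order = ([hinted] if hinted else []) + [p for p in SIGNATURES if p != hinted]
    for proto in order:
        if SIGNATURES[proto].search(payload):
            return proto
    return "unknown"


def match_rules(proto, payload):
    """Match only the rule subset for the identified protocol.

    Returns (alert names, number of rules evaluated) so the reduction in
    matches relative to TOTAL_RULES is visible to the caller.
    """
    subset = RULES.get(proto, [])
    alerts = [name for name, pat in subset if pat.search(payload)]
    return alerts, len(subset)
```

Running `identify_protocol(80, b"SSH-2.0-...")` returns `"ssh"` even though port 80 hints HTTP, which is the case port-only identification gets wrong.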
Keywords/Search Tags: IDS, Application-level protocol, Identification, Characteristic String