
Research Of Intrusion Detection Technology Based On Protocol Analysis

Posted on: 2009-09-23
Degree: Master
Type: Thesis
Country: China
Candidate: C Wang
Full Text: PDF
GTID: 2178360278457133
Subject: Computer technology

Abstract/Summary:
Intrusion detection based on protocol analysis is an advanced intrusion detection technology that exploits the high regularity of network protocols to quickly find unsafe factors in the network. Compared with traditional pattern matching technology, it has advantages such as high detection speed, low system cost, a low error rate, and detection of chip attacks.

The thesis discusses the technique of intrusion detection based on protocol analysis. Firstly, the pattern matching technology usually used by IDS is analyzed. By pointing out the defects of pattern matching, the thesis introduces the most advanced intrusion detection technology, protocol analysis.

Secondly, the thesis focuses on the Simple Protocol Analysis (SPA) detection method and the Stateful Protocol Analysis (STAPA) detection method. SPA inspects the headers and payload of individual packets using detection rules. STAPA builds a stateful protocol analysis model, maps packets to sequences of states, and uses monadic predicates to detect anomalies and attacks correlated with protocol states. Both methods can effectively analyze protocols at various network layers, including application-layer protocols, and can accurately locate the field to be inspected, which enhances the completeness, accuracy and efficiency of detection.

Then, the thesis presents a novel IDS architecture based on protocol analysis. This architecture combines anomaly detection with misuse detection.

Based on this research, the thesis focuses on a TCP protocol anomaly detection method based on state transitions. After studying the TCP state transition diagram and analyzing the transition relations between TCP states in depth, I design a TCP protocol state analysis module. The module uses the STAPA detection method and can detect TCP protocol anomalies and TCP SYN flooding attacks.

Finally, I use the Snort plug-in mechanism to implement the TCP protocol state detection module designed in the thesis. Experimental results with this TCP detection plug-in validate the feasibility of the detection. The plug-in can detect a large part of TCP anomalies.
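The stateful approach summarized above can be illustrated with a small sketch that maps each packet to a TCP state transition, flags packets with no valid transition, and counts half-open connections per server. This is an added example, not the thesis's Snort plug-in; the state names, the simplified transition table, the `analyze` function and the flood threshold are assumptions chosen for illustration.

```python
from collections import Counter

# Simplified transition table as seen by a passive sensor (an assumption, not
# the thesis's model): (state, sender, flags) -> next state.
# "c" = connection initiator, "s" = responder.
TRANSITIONS = {
    ("CLOSED", "c", "S"): "SYN_SEEN",
    ("SYN_SEEN", "c", "S"): "SYN_SEEN",          # SYN retransmission
    ("SYN_SEEN", "s", "SA"): "SYNACK_SEEN",
    ("SYNACK_SEEN", "c", "A"): "ESTABLISHED",
}
for who in "cs":                                 # either side may send data or close
    TRANSITIONS[("ESTABLISHED", who, "A")] = "ESTABLISHED"
    TRANSITIONS[("ESTABLISHED", who, "FA")] = "CLOSING"
    TRANSITIONS[("CLOSING", who, "A")] = "CLOSING"
    TRANSITIONS[("CLOSING", who, "FA")] = "CLOSING"
HALF_OPEN = {"SYN_SEEN", "SYNACK_SEEN"}

def analyze(packets, flood_threshold=3):
    """Return (alerts, connection states) for an iterable of (src, dst, flags)."""
    conns, alerts = {}, []
    for n, (src, dst, flags) in enumerate(packets, 1):
        if (dst, src) in conns:                  # reply on a tracked connection
            key, sender = (dst, src), "s"
        else:
            key, sender = (src, dst), "c"
        state = conns.get(key, "CLOSED")
        if "R" in flags:                         # RST tears the connection down
            conns[key] = "CLOSED"
            continue
        nxt = TRANSITIONS.get((state, sender, flags))
        if nxt is None:                          # no valid transition: protocol anomaly
            alerts.append((n, "anomaly", f"{flags} from {src} in state {state}"))
            continue
        conns[key] = nxt
        if state not in HALF_OPEN and nxt in HALF_OPEN:
            pending = Counter(k[1] for k, s in conns.items() if s in HALF_OPEN)
            if pending[key[1]] == flood_threshold:   # alert once, on crossing
                alerts.append((n, "syn_flood", f"{flood_threshold} half-open to {key[1]}"))
    return alerts, conns

# Constructed sample traffic (addresses from documentation ranges).
SRV = "192.0.2.10:80"
SAMPLE = [
    ("198.51.100.7:40001", SRV, "S"), (SRV, "198.51.100.7:40001", "SA"),
    ("198.51.100.7:40001", SRV, "A"),            # clean three-way handshake
    ("198.51.100.8:40002", SRV, "FA"),           # FIN with no prior handshake
    ("203.0.113.1:1025", SRV, "S"), ("203.0.113.2:1026", SRV, "S"),
    ("203.0.113.3:1027", SRV, "S"),              # SYNs that are never completed
]
```
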
Keywords/Search Tags:Intrusion detection, matching pattern, Protocol analysis, the plug-in mechanism of Snort