
Design And Implementation Of Deep Packet Filtering Based Network Intrusion Detection System

Posted on: 2011-11-25
Degree: Master
Type: Thesis
Country: China
Candidate: Q G Zhu
Full Text: PDF
GTID: 2178360302980136
Subject: Computer application technology
Abstract/Summary:
With the rapid development of computer and network communication technology, and in particular the wide use of the Internet, the security of networked information systems has become an increasingly prominent problem. To secure networks and data communication and to stop unknown intrusions, security products such as firewalls and intrusion detection systems are deployed. A firewall can filter hostile traffic and hide the internal network's information, structure and operating state, protecting the hosts of a corporate network from attack. Its weaknesses are that it can be bypassed and that it cannot handle attacks that originate inside the network. A NIDS compensates for these shortcomings: the misuse detection model detects known attacks in plaintext traffic, and the anomaly detection model detects both known and unknown intrusions, although building the profile of normal behaviour that anomaly detection requires is difficult. At the same time, the rapid growth of traffic on current networks challenges the real-time performance of both firewalls and IDS.

This thesis studies intrusion detection systems. We design and implement a misuse-based intrusion detection system built on deep packet filtering, focusing on detection technology, access control and protocol analysis, in order to improve detection efficiency and reduce the missed-alarm rate. The main contributions of this work are:

(1) Improving the efficiency of the string-matching algorithms used in the misuse detection model. We apply a packet-filtering hierarchical pattern-matching algorithm (EHMA) to raise the system's detection performance.
EHMA is based on the HMA algorithm, whose character-by-character matching is inefficient, and combines the E²XB sub-block strategy with the skip mechanism of the MP2-BM algorithm. This reduces the number of external-memory accesses, speeds up the filtering of text characters in the online matching stage and raises matching efficiency.

(2) To relieve the load on the detection module and reduce the false detection rate, we add a protocol analysis module to the pre-processor that tracks session state and defends against DDoS attacks. With an improved regular-expression matching algorithm we can identify packets and detect attacks quickly, filter out rules and exceptions that do not conform to the RFCs, and improve the detection capability of the IDS.

(3) To relieve the load on the detection module and reduce the missed-detection rate, we add a dynamic access-control rule module in front of the detection module. Built on the Netfilter architecture together with IPset, it analyses real-time alarm logs, generates a control strategy and dynamically updates the filter rules in an IPset, so that the firewall blocks front-end attacks promptly and reduces the traffic that reaches the detection module.

(4) We design a NIDS based on deep packet filtering that integrates the protocol analysis module, the access-control rule module and the data detection module. Experimental results show that it has better scalability and flexibility than the original model, and better detection performance.
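The first contribution rests on replacing a character-by-character scan with a matcher that skips ahead on mismatches. The following added example is not the thesis's EHMA/HMA code (those algorithms are only named on the page); it contrasts a naive scan with a plain Horspool bad-character skip, counting byte comparisons so the saving from the skip mechanism is visible. The signature and the HTTP-like payload are constructed.

```python
"""Naive scan vs bad-character skip (Horspool) for one IDS signature.

Added illustration of the skip idea; not the thesis's EHMA/HMA implementation.
SIGNATURE and SAMPLE_PAYLOAD are constructed sample data.
"""

# Constructed signature of the kind a misuse-detection rule would carry.
SIGNATURE = b"/etc/passwd"

# Constructed payload: one benign request followed by one suspicious one.
SAMPLE_PAYLOAD = (
    b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
)


def naive_search(text: bytes, pattern: bytes):
    """Compare at every alignment. Returns (match offsets, byte comparisons)."""
    m, n = len(pattern), len(text)
    if m == 0 or n < m:
        return [], 0
    matches, comparisons = [], 0
    for i in range(n - m + 1):
        j = 0
        while j < m:
            comparisons += 1
            if text[i + j] != pattern[j]:
                break
            j += 1
        if j == m:
            matches.append(i)
    return matches, comparisons


def horspool_search(text: bytes, pattern: bytes):
    """Right-to-left compare, then jump by the bad-character shift table."""
    m, n = len(pattern), len(text)
    if m == 0 or n < m:
        return [], 0
    # shift[b] = distance from the last occurrence of byte b (excluding the
    # final pattern position) to the end of the pattern; unseen bytes shift m.
    shift = {}
    for k in range(m - 1):
        shift[pattern[k]] = m - 1 - k
    matches, comparisons = [], 0
    i = 0
    while i <= n - m:
        j = m - 1
        while j >= 0:
            comparisons += 1
            if text[i + j] != pattern[j]:
                break
            j -= 1
        if j < 0:
            matches.append(i)
        # Jump according to the text byte aligned with the pattern's last byte.
        i += shift.get(text[i + m - 1], m)
    return matches, comparisons


def compare_matchers(text: bytes = SAMPLE_PAYLOAD, pattern: bytes = SIGNATURE):
    """Return both results so the comparison counts can be inspected."""
    naive_hits, naive_cmp = naive_search(text, pattern)
    skip_hits, skip_cmp = horspool_search(text, pattern)
    return {
        "naive": {"matches": naive_hits, "comparisons": naive_cmp},
        "horspool": {"matches": skip_hits, "comparisons": skip_cmp},
    }


if __name__ == "__main__":
    for name, result in compare_matchers().items():
        print(f"{name:9s} matches={result['matches']} comparisons={result['comparisons']}")
```

Both matchers report the same offsets; the Horspool scan needs far fewer comparisons on this payload because most bytes in an HTTP request do not occur in the signature and trigger a full-length jump. The same principle, applied across many signatures at once and with cache-aware block access, is what the abstract describes for EHMA.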
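The third contribution feeds alarm logs back into an IPset that Netfilter consults before traffic reaches the detection module. The following added example is not the thesis's code: it assumes a constructed alert-line format, a set name (`nids_block`), a threshold of three alerts from one source within sixty seconds, and a ten-minute block timeout, none of which are stated on the page. It produces the `ipset` commands as strings rather than running them, so the policy can be reviewed and applied by a privileged runner.

```python
"""Derive dynamic IPset block entries from alarm-log lines (added example).

Not the thesis's implementation. The log format, set name, threshold, window
and timeout below are assumptions; SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SET_NAME = "nids_block"          # assumed IPset name
THRESHOLD = 3                    # alerts from one source within WINDOW trigger a block
WINDOW = timedelta(seconds=60)   # assumed sliding window
BLOCK_SECONDS = 600              # ipset entry timeout, so blocks expire on their own

# One-time firewall hook that drops anything whose source is in the set.
IPTABLES_RULE = f"iptables -I INPUT -m set --match-set {SET_NAME} src -j DROP"

# Constructed alarm-log format: timestamp, rule id, source, destination.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[ALERT\] sid=(?P<sid>\d+) "
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) dst=(?P<dst>\S+)$"
)

SAMPLE_LOG = """\
2011-11-25 10:00:01 [ALERT] sid=1001 src=10.0.0.5 dst=192.168.1.10:80
2011-11-25 10:00:05 [ALERT] sid=1002 src=10.0.0.5 dst=192.168.1.10:80
2011-11-25 10:00:09 [ALERT] sid=1001 src=10.0.0.7 dst=192.168.1.11:22
garbage line that the parser must skip
2011-11-25 10:00:20 [ALERT] sid=1003 src=10.0.0.5 dst=192.168.1.12:443
2011-11-25 10:05:00 [ALERT] sid=1001 src=10.0.0.7 dst=192.168.1.11:22
2011-11-25 10:05:30 [ALERT] sid=1001 src=10.0.0.7 dst=192.168.1.11:22
"""


def parse_alerts(log_text: str):
    """Yield (timestamp, source IP) for well-formed alert lines; skip the rest."""
    for line in log_text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"]


def offending_sources(log_text: str, threshold: int = THRESHOLD, window: timedelta = WINDOW):
    """Sources that raised at least `threshold` alerts inside one sliding `window`."""
    stamps_by_src = defaultdict(list)
    for ts, src in parse_alerts(log_text):
        stamps_by_src[src].append(ts)
    offenders = []
    for src, stamps in stamps_by_src.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Advance the window start until the window covers at most `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders.append(src)
                break
    return sorted(offenders)


def ipset_commands(log_text: str, set_name: str = SET_NAME, block_seconds: int = BLOCK_SECONDS):
    """Idempotent ipset commands: create the set if missing, add each offender with a timeout."""
    cmds = [f"ipset create {set_name} hash:ip timeout {block_seconds} -exist"]
    for src in offending_sources(log_text):
        # -exist makes a repeated add refresh the timeout instead of failing.
        cmds.append(f"ipset add {set_name} {src} timeout {block_seconds} -exist")
    return cmds


if __name__ == "__main__":
    print(IPTABLES_RULE)
    print("\n".join(ipset_commands(SAMPLE_LOG)))
```

Run periodically over the latest alarm-log slice, this is the "analyse alarm logs, generate a control strategy, update the IPset" loop the abstract describes; the entry timeout keeps a transient source from being blocked forever, and because the firewall rule matches the set rather than individual addresses, updating the set never requires reloading iptables.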
Keywords/Search Tags: Intrusion Detection, Deep Packet Filtering, Protocol Analysis, Pattern Matching, Access Control