The Research And Implementation On Load Balancing Algorithm In High-speed Network For Intrusion Detection

With the rapid progressing of information technology and exponential increasment of the link speed, high-speed network intrusion detection system(HN-IDS) becomes a hot spot and hard rub of the intrusion detection reseaching field. The bottleneck of HN-IDS is the processing speed of the detection system. Usually, the traditional intrusion detecting method can only handle with the link under the speed of 1000Mbps. Parallel intrusion detection based on load balancing is a effective way to solve the problem, and the design of the load balancing algorithm is the key of the parallel intrusion detection.It is the firm base of the good design load balancing algorithm that the further analyzing network traffic characters of system application environments. In this paper, the HN-IDS under the real high-speed network environment is studied. The large flow and HASH properties are discussed. And in order to satisfy the split-flow request, which should split the flow equally, maintain the integrity of the attacking information, and reduce the packet-loss caused by the flow bursty, HASLF(Hash Adapting by Self-adaptive Large Flow) Algorithm is proposed. The algorithm only adjusts few large flow, with few damage on the flow. And it has the excelent few-packets-loss property, for its adjustment can adapt to the diversification of the flow by the method of self-adaptive adjusting large flow detecting threshold according to the buffer overload degree, with which the algorithm can absorb the bursting flow better. The flow distributation is quiet banlance for the application of the on-line dynamic adjustment of the HASLF algorithm.The self-adaptive property to detect large flow has three phases, namely, before the large flow generating phase, the slight adjustment phase after the large flow generating, and the intensive adjustment phase, which can be adapt to characters of the different phase's flow-split, and optimize the algorithm.The influence of parameters on the algorithm is analyzed, and the interaction of the properties is studied. There is also innovative study on the relationship between the buffer size and the load banlancing performance. The direct proportional relationships between the two properties is found, and there are obvious knees in their relationship curves. Before the knees, the buffer size increasing boosts the algorithm's performance obviously, contrarily, the effect of the buffer size increasing is weak.As a whole the buffer size increasing boosts the algorithm's performance effectively.Experiments with the simulating program by perl is done. The results show that the performance of HASLF is obviously better than static hash Algorithm and dynamic SHI Algorithm. HASLF improves result of spliting the flow equally by about 100 times than the static hash. Comparing with SHI algorithm presented by Weiguang Shi, The performance of HASLF is better than SHI algorithm at all aspects, especially at the aspect of packet-loss. And it has the excelent zero-packet-loss property while its parameters are set to typical values.the influence of the detecting nodes increasing on the algorithm's peformance is also studied. At last, the load balancer based on HASLF by using FPGA and TCAM is realized. It can split the 40Gbps main link flow into four 10Gbps flows.