
Study On Key Technologies Of Realizing An Intelligent Intrusion Prevention System

Posted on: 2010-04-27
Degree: Master
Type: Thesis
Country: China
Candidate: C H Shi
Full Text: PDF
GTID: 2198360302976204
Subject: Pattern Recognition and Intelligent Systems
Abstract/Summary:
Intrusion Prevention System (IPS) research has made progress both in China and abroad, but several difficult problems remain: (1) the development and deployment of IPS products is constrained by their impact on network performance and by a high false-negative rate; (2) a traditional IPS based on pattern matching cannot understand every layer of a protocol or the operation commands of the application layer, so it cannot completely record and reassemble all network behaviour and connection events; (3) the detection and defence rule base of a signature-based IPS depends on the characterization of known attacks, so it needs endless frequent updates that keep the system in a posture of passive defence, and the resulting huge rule base limits the detection performance of the system.

The thesis focuses on the construction of a comprehensive intelligent IPS with a complete rule base. A high-speed, multi-threaded packet capture program built on the nCap architecture is designed by optimizing wire-speed packet capture on Gigabit Ethernet; it greatly improves capture performance under wire-speed Gigabit Ethernet conditions. On top of wire-speed capture, an efficient dynamic packet filtering program based on a shared-node Counting Bloom Filter reduces the packet loss rate to a negligible level and leaves most of the system's CPU cycles for data analysis and rule updating. Regarding fragmentation attacks and the security problems of IP fragment reassembly, an IP fragment reassembly algorithm based on an improved RFC 815 and a splay tree is proposed. To ensure correct and efficient reassembly of application-layer data, a TCP reassembly algorithm based on a splay tree is presented. Once efficient IP fragment reassembly and data-flow reassembly mechanisms are in place, a dynamic application-layer protocol identification program based on regular expressions and a plug-in application-layer command parser are designed, following a detailed analysis of the two major functions of protocol analysis: protocol decoding and command parsing.

Using this protocol analysis technology, an intrusion prevention model based on DNA-sequence-style descriptions of network actions and on application-layer command sequences is constructed. On the basis of this model a complete rule base is set up, and through reasonable and effective learning and updating of the rule core, limited in time and frequency, an intrusion detection and prevention system with a complete rule base is established. The completeness of intrusion patterns, the approach to establishing them for the structure of the protected network, and an exhaustive intelligent intrusion pattern learning algorithm (the Teiresias algorithm) are studied. Experiments and analysis in each chapter demonstrate the validity, efficiency and resource consumption of the above programs and the time and space complexity of the algorithms.
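The dynamic packet filter mentioned above rests on a Counting Bloom Filter: unlike a plain Bloom filter, its counters can be decremented, so block rules can be withdrawn at run time without rebuilding the whole filter. The following is an added example, not code from the thesis. The abstract names a "shared-node" variant but does not describe the node-sharing scheme, so this is a plain counting Bloom filter over flow 5-tuples; the flow-key layout, the exact rule table kept beside the filter, and the sample packets are this example's own constructions.

```python
"""Dynamic packet filtering with a Counting Bloom Filter over flow 5-tuples.

Added example (not the thesis's code). Plain counting Bloom filter: each key
increments k counters on insertion and decrements them on removal, which is
what allows the block list to change while traffic keeps flowing.
"""
import hashlib
import struct
from typing import List, Tuple

Flow = Tuple[int, str, int, str, int]  # (proto, src_ip, src_port, dst_ip, dst_port); own layout


def flow_key(flow: Flow) -> bytes:
    proto, src, sport, dst, dport = flow
    return f"{proto}|{src}:{sport}>{dst}:{dport}".encode()


class CountingBloomFilter:
    def __init__(self, m: int = 1 << 12, k: int = 4) -> None:
        self.m, self.k = m, k
        self.counters = [0] * m  # hardware designs use small saturating counters; ints here

    def _positions(self, key: bytes) -> List[int]:
        # Double hashing (Kirsch-Mitzenmacher): h_i = h1 + i*h2 mod m, from one digest.
        h1, h2 = struct.unpack("<QQ", hashlib.sha256(key).digest()[:16])
        h2 |= 1  # odd step: with m a power of two the k positions are distinct
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, key: bytes) -> None:
        for p in self._positions(key):
            self.counters[p] += 1

    def remove(self, key: bytes) -> bool:
        # Only remove keys that were really added: removing a never-added key that
        # happens to test positive would decrement other keys' counters and create
        # false negatives. The exact table in DynamicPacketFilter guards against this.
        pos = self._positions(key)
        if any(self.counters[p] == 0 for p in pos):
            return False
        for p in pos:
            self.counters[p] -= 1
        return True

    def __contains__(self, key: bytes) -> bool:
        return all(self.counters[p] > 0 for p in self._positions(key))


class DynamicPacketFilter:
    """Block list that can grow and shrink without rebuilding the filter."""

    def __init__(self) -> None:
        self.bloom = CountingBloomFilter()
        self.blocked = set()  # exact rule table; the Bloom filter is only a fast pre-check

    def block(self, flow: Flow) -> None:
        if flow not in self.blocked:
            self.blocked.add(flow)
            self.bloom.add(flow_key(flow))

    def unblock(self, flow: Flow) -> None:
        if flow in self.blocked:
            self.blocked.discard(flow)
            self.bloom.remove(flow_key(flow))

    def verdict(self, flow: Flow) -> str:
        # Fast path: a negative from the filter is exact, so most traffic never
        # touches the rule table at all.
        if flow_key(flow) not in self.bloom:
            return "pass"
        # Possible hit: confirm against the exact table to discard false positives.
        return "drop" if flow in self.blocked else "pass"


def run_demo() -> List[str]:
    """Constructed sample traffic (RFC 5737 documentation addresses); verdict per packet."""
    pf = DynamicPacketFilter()
    attacker = (6, "198.51.100.7", 40001, "192.0.2.10", 80)
    client = (6, "203.0.113.5", 52000, "192.0.2.10", 80)
    verdicts = [pf.verdict(attacker)]   # nothing blocked yet
    pf.block(attacker)                  # rule added while traffic flows
    verdicts.append(pf.verdict(attacker))
    verdicts.append(pf.verdict(client))  # unrelated flow still passes
    pf.unblock(attacker)                # rule withdrawn: counters decremented, no rebuild
    verdicts.append(pf.verdict(attacker))
    return verdicts


if __name__ == "__main__":
    print(run_demo())  # ['pass', 'drop', 'pass', 'pass']
```

The design point is the split between the probabilistic filter and the exact table: the filter answers "definitely not blocked" for the bulk of traffic in constant time, and only candidate hits pay for the exact lookup. Sizing `m` and `k` for the expected number of active rules keeps the false-positive rate, and therefore the slow-path rate, low.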
Keywords/Search Tags:Intrusion Prevention System, protocol analysis, complete, DNA sequences of network action description, application-layer command sequences, Teiresias algorithm
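The abstract's IP fragment reassembly algorithm starts from RFC 815, whose core is a list of "hole descriptors" covering the byte ranges not yet received; every fragment removes the holes it touches and leaves behind whatever it did not cover. The following is an added example, not the thesis's code: it implements the RFC 815 hole list and adds the overlap and length checks an IPS needs against fragmentation attacks. The splay tree the thesis uses to index holes is omitted (a sorted list stands in), and the conflict counter, the anomaly list, the "first-received byte wins" overlap policy and the sample datagram are this example's own assumptions.

```python
"""IP fragment reassembly with an RFC 815 hole-descriptor list, plus overlap checks.

Added example (not the thesis's code). Hole-list logic follows RFC 815; the
conflict counter, anomaly list and overlap policy are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

INF = 1 << 16  # an IPv4 datagram is at most 65535 bytes, so this bounds the initial hole


@dataclass
class Fragment:
    offset: int  # byte offset in the original datagram (IP fragment-offset field * 8)
    data: bytes
    more: bool   # IP "More Fragments" flag; False marks the final fragment


@dataclass
class Reassembly:
    holes: List[Tuple[int, int]] = field(default_factory=lambda: [(0, INF)])
    seen: Dict[int, int] = field(default_factory=dict)  # byte position -> byte value
    total_len: Optional[int] = None
    conflicts: int = 0  # overlapping bytes that arrived with different content
    anomalies: List[str] = field(default_factory=list)

    def add(self, frag: Fragment) -> None:
        if not frag.data:
            self.anomalies.append("empty fragment")
            return
        first, last, data = frag.offset, frag.offset + len(frag.data) - 1, frag.data

        # The final fragment fixes the datagram length; a second, different claim is suspicious.
        if not frag.more:
            if self.total_len is not None and self.total_len != last + 1:
                self.anomalies.append("conflicting datagram length")
            self.total_len = last + 1
        if self.total_len is not None and last >= self.total_len:
            self.anomalies.append("fragment extends past declared end")
            last = self.total_len - 1
            if last < first:
                return
            data = data[: last - first + 1]

        # RFC 815: each hole the fragment touches is replaced by what it leaves uncovered.
        new_holes = []
        for h_first, h_last in self.holes:
            if first > h_last or last < h_first:
                new_holes.append((h_first, h_last))     # untouched by this fragment
                continue
            if first > h_first:
                new_holes.append((h_first, first - 1))  # gap before the fragment
            if last < h_last and frag.more:
                new_holes.append((last + 1, h_last))    # gap after it (none after the last one)
        if self.total_len is not None:  # drop or clip holes beyond a now-known end
            new_holes = [(a, min(b, self.total_len - 1)) for a, b in new_holes if a < self.total_len]
        self.holes = sorted(new_holes)

        # Copy bytes, counting overlaps whose content differs from what is already stored.
        for i, b in enumerate(data):
            pos = first + i
            if pos in self.seen:
                if self.seen[pos] != b:
                    self.conflicts += 1
                continue  # ASSUMPTION: first-received byte wins; host stacks differ here
            self.seen[pos] = b

    def complete(self) -> bool:
        return self.total_len is not None and not self.holes

    def payload(self) -> bytes:
        if not self.complete():
            raise ValueError("datagram still has holes")
        return bytes(self.seen[i] for i in range(self.total_len))


def reassemble(frags: List[Fragment]) -> Reassembly:
    r = Reassembly()
    for f in frags:
        r.add(f)
    return r


def fragment(payload: bytes, size: int = 16) -> List[Fragment]:
    """Split a payload into IP-style fragments (size must be a multiple of 8)."""
    return [Fragment(off, payload[off:off + size], more=off + size < len(payload))
            for off in range(0, len(payload), size)]


# Constructed sample datagram (37 bytes) and a conflicting overlap of its first 16 bytes.
PAYLOAD = b"GET /index.html HTTP/1.0\r\nHost: a\r\n\r\n"
EVIL = Fragment(0, b"GET /evilx.html ", more=True)


def demo() -> Tuple[bytes, int, bytes, int]:
    legit = fragment(PAYLOAD)
    a = reassemble(list(reversed(legit)) + [EVIL])  # out of order, overlap arrives last
    b = reassemble([EVIL] + legit)                  # overlap arrives first
    return a.payload(), a.conflicts, b.payload(), b.conflicts
```

Running `demo()` shows why overlap handling is a security decision rather than a detail: the same four fragments produce `GET /index.html` or `GET /evilx.html` depending only on arrival order, and a reassembler that does not model the destination host's policy can be made to see a different request than the host does. Treating any nonzero `conflicts` count or length anomaly as an alert in its own right is the practical mitigation.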