Research And Implementation Of Intrusion Detection Techniques Based On Double Zero Copy Model For High-speed Network

Posted on: 2009-05-13
Degree: Master
Type: Thesis
Country: China
Candidate: F Shi
GTID: 2198360308477976
Subject: Computer system architecture

Abstract/Summary:
An Intrusion Detection System (IDS), as an active security protection instrument, safeguards the network by detecting and preventing intrusions in advance, raising alarms, and so on. However, as high-speed network technology becomes more and more popular, IDS faces more challenges. At present, IDS has a general problem: comparatively high rates of packet loss, false negatives and false positives. This problem can be solved by improving the performance of data capture, data storage and data detection.

To solve the packet loss problem of IDS in a high-speed network environment, the thesis proposes, for data capture and storage, a Double Zero Copy Model (DZCM) that combines a zero copy data capture technique with a zero copy data storage technique. First, for data capture, based on an analysis of the conventional data capture technique, the thesis proposes an improved technique that enhances data capture performance and decreases the packet loss rate. Second, considering the importance of data storage speed for IDS, the thesis applies the zero copy technique to data storage, which increases data storage speed and indirectly decreases the packet loss rate. Then, to decrease the rates of false negatives and false positives, and building on the pattern matching algorithms in common use in IDS, the thesis proposes a new algorithm, SFBM. Experiments show that the SFBM algorithm speeds up pattern matching and has higher detection efficiency. At the same time, by studying protocol analysis technology, the thesis proposes a protocol analysis algorithm and combines the SFBM algorithm with protocol analysis, which can solve the problem of false negatives and false positives.

Beginning with the development status of IDS, the main research work and structure are presented. Then the general model of IDS is given. After that, several key techniques in the model, including data capture, storage, detection, etc., are analyzed and the corresponding improved techniques are proposed. Finally, the test results prove that the new techniques are very important in improving the performance of IDS.
Keywords/Search Tags:High-Speed Network, IDS, Zero Copy, Double Zero Copy Model, Pattern Matching, Protocol Analysis