
Misuse Detection Module Based On The Multi-core Platform

Posted on: 2012-01-05
Degree: Master
Type: Thesis
Country: China
Candidate: Q Yang
Full Text: PDF
GTID: 2208330332986752
Subject: Software engineering
Abstract/Summary:
Intrusion detection in a high-speed network, unlike in a low-speed network, must improve the efficiency of packet matching through software design while working within the limits of the computer's CPU, memory, bus width, and other resources. A network-based intrusion prevention system must run on a specific hardware platform to achieve high-capacity deep packet inspection and blocking. Multi-core network processors currently on the market are designed specifically for network applications: they offer simple and efficient program development, the processing power to handle high-bandwidth traffic at wire speed, and a highly integrated, open architecture that makes it easy to expand network equipment built on them.

This thesis designs and implements a misuse detection module based on a multi-core platform. It first reviews the intrusion detection process, misuse detection techniques, and multi-core technology. It then designs the misuse detection module on a data-processing-oriented detection model. Based on a study of the Snort rule tree structure, and to address the shortcomings of Snort rule matching, the thesis proposes two optimizations to improve the efficiency of Snort rule matching: an optimization of the function set based on option values, and an optimization based on the failure of keyword matching. For the HTTP and FTP protocols, the thesis designs a flow filter algorithm that filters out secure data flows, reducing the number of packets forwarded to the detection engine and so improving the engine's efficiency in detecting attacks. Finally, the misuse detection module is implemented on the multi-core platform by customizing the Snort source code according to the module design and combining it with the SE library provided by the multi-core platform.

This thesis improves the performance of the misuse detection module in several ways, as follows. It optimizes the Snort rule tree structure to reduce the number of invalid matches and the number of calls to matching functions, thereby increasing the efficiency of attack detection. It designs a flow filter that separates and filters out secure packets from incoming traffic and forwards the remaining suspicious packets to the inspection engine for comprehensive inspection. It uses the hardware abstraction layer services provided by the OCTEON hardware platform so that the misuse detection module runs efficiently, directly on the hardware abstraction layer.
Keywords/Search Tags:NIPS, abuse detection, Snort rule tree, multi-core