Based On The Characteristics Of High-performance Network Intrusion Detection System

Posted on: 2004-07-30
Degree: Master
Type: Thesis
Country: China
Candidate: X Q Li
Full Text: PDF
GTID: 2208360095456008
Subject: Computer software and theory
Abstract/Summary:
This thesis first introduces the concept and composition of an Intrusion Detection System (IDS). It then analyzes in depth the architectures and key technologies of current IDSs. Based on this analysis, it presents the design of a Signature-based High Performance Network Intrusion Detection System (SHPNIDS). The system uses a load balancer when capturing network traffic, which makes it adaptable to high-speed networks. The traffic is filtered quickly and delivered to sub-systems that detect intrusions. A level transition mechanism is introduced, which makes the system capable of predicting intrusions.

The signature-based sub-IDS has been implemented. It detects intrusions or suspicious network behavior by detecting signatures in the network traffic. To make the intrusion rules more comprehensible and more extensible, a pseudo natural language is used to describe the rules, and the intrusion signatures are classified into protocol-based signatures and intrusion-pattern-based signatures. Because these two groups of signatures have different characteristics, the system detects each with a different method. For protocol-based signature detection, packets are analyzed according to their protocols: the values of fields in the packet headers are checked, and packets are pre-processed when necessary. For intrusion-pattern-based signature detection, an improved quick multi-pattern matching algorithm is adopted, which can search for multiple patterns by scanning the packet once. To facilitate rule detection, the rules are loaded dynamically into a two-dimensional rules list, and the patterns of multiple rules with common attributes are organized as an intrusion pattern tree that satisfies the demand for multiple-pattern matching.

In addition, to let the sub-IDS run in different modes, a data-capturing module is introduced to perform packet sniffing and filtering. The signature-based sub-IDS can run as a sub-system of the Distributed Active Collaboration Intrusion Detection System (DACIDS), where it supplies information for detecting distributed intrusions, or as an independent IDS protecting a network.
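The pattern-tree idea from the abstract, as an added example that is not code from the thesis: rules sharing protocol and destination port are grouped, each group's patterns are compiled into one tree, and a payload is scanned once. The abstract does not name its "improved" algorithm, so standard Aho-Corasick is used here as a stand-in; the rules, names and payload are constructed for illustration.

```python
from collections import defaultdict, deque

class PatternTree:
    """Aho-Corasick automaton (stand-in for the thesis's unspecified algorithm)."""
    def __init__(self, patterns):                 # patterns: {rule_id: bytes}
        self.goto, self.fail, self.out = [{}], [0], [[]]
        for rule_id, pat in patterns.items():     # build the trie
            node = 0
            for b in pat:
                if b not in self.goto[node]:
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                    self.goto[node][b] = len(self.goto) - 1
                node = self.goto[node][b]
            self.out[node].append(rule_id)
        queue = deque(self.goto[0].values())
        while queue:                              # BFS: failure links, shallow first
            node = queue.popleft()
            for b, nxt in self.goto[node].items():
                f = self.fail[node]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(b, 0)
                self.out[nxt] += self.out[self.fail[nxt]]   # inherit suffix matches
                queue.append(nxt)

    def scan(self, payload):
        """Single pass over payload; returns (rule_id, end_offset) per match."""
        node, hits = 0, []
        for offset, b in enumerate(payload):
            while node and b not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(b, 0)
            hits += [(rule_id, offset) for rule_id in self.out[node]]
        return hits

# Constructed sample rules: (rule_id, protocol, dst_port, pattern).
RULES = [
    ("cgi-phf", "tcp", 80, b"/cgi-bin/phf"),
    ("dir-traversal", "tcp", 80, b"../.."),
    ("etc-passwd", "tcp", 80, b"/etc/passwd"),
    ("ftp-root-login", "tcp", 21, b"USER root"),
]

def build_groups(rules):
    """Group rules by common attributes, then build one tree per group."""
    grouped = defaultdict(dict)
    for rule_id, proto, port, pattern in rules:
        grouped[(proto, port)][rule_id] = pattern
    return {key: PatternTree(pats) for key, pats in grouped.items()}

def detect(groups, proto, dst_port, payload):
    """Header attributes select the tree; the payload is scanned once."""
    tree = groups.get((proto, dst_port))
    return tree.scan(payload) if tree else []
```

Grouping by header attributes first means a packet is only matched against patterns whose rules could apply to it, and overlapping patterns are still found in the same pass.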
Keywords/Search Tags: network security, intrusion detection, signature, protocol analysis, pattern matching