
Design and Analysis of a Load-Balancing-Based Distributed Intrusion Detection Model

Posted on: 2006-03-25
Degree: Master
Type: Thesis
Country: China
Candidate: X B Liu
Full Text: PDF
GTID: 2208360155966859
Subject: Computer application technology
Abstract/Summary:
Traditional network security techniques such as encryption, virtual private networks (VPN), firewalls and authentication are static and cannot meet the needs of today's dynamic network environment. Network intrusion detection systems (NIDS), a newer and dynamic technique, have therefore become a hot research topic and play an important role in a network security system. A NIDS recognizes and responds to malicious use of computer and network resources: it detects intrusions coming from outside and, at the same time, monitors unauthorized activity from inside.

NIDS technology is, however, complex and still young, and many critical problems remain when it is applied to large-scale, high-speed, distributed networks; unless they are solved, the future of NIDS is hard to imagine. For a gigabit (1000 Mbit/s) IDS, packet capture is one limiting factor and packet analysis is another. This thesis works to raise IDS efficiency in the following respects:

1. In the traditional path, the network card deposits a received packet in kernel space. A user-space application cannot access kernel space directly, so the packet has to be delivered through a system call, which entails a copy. With "zero copy", the network card writes the captured packet directly into shared memory, which removes at least one copy from the processing path and also removes the system call that copies the packet from the driver to user space.

2. The analysis engines' capabilities are not necessarily uniform, and different analysis hosts have different processing power, so load balancing by connection count alone cannot achieve the best result. To let all analysis hosts share the traffic and achieve load balancing for network intrusion detection, this thesis proposes an application-based dynamic minimum-load-first algorithm: according to a packet's application type, data is dispatched to the analysis engine that has the corresponding analysis strategy configured, raising the analysis efficiency of the IDS.

3. Most IDSs claim to do "protocol analysis". For a gigabit IDS, however, protocol analysis means more than identifying which protocol a packet carries; it must raise performance and accuracy and analyze at a deeper level. In implementing the network analysis engine, this thesis therefore combines protocol analysis with pattern matching, which effectively narrows the matching scope and raises detection speed.

4. Under high-speed traffic, plain single-pattern rule matching cannot meet the requirements, especially as the number of intrusion detection rules keeps growing and with it the number of matching operations, so its performance is no longer adequate. This thesis proposes an improved multi-pattern matching algorithm to raise matching efficiency.

The main innovation of the thesis is the proposed load-balancing intrusion detection system model and the discussion of the key techniques for implementing it. The model is highly extensible and can be improved to strengthen its own security, and thus shows the development trend and characteristics of the next generation of IDS.
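The zero-copy capture path of item 1, as an added illustration that is not code from the thesis: a user-space model of the slot ring that a zero-copy driver maps into both kernel and user space. The "driver" writes each frame exactly once into a free slot, and the analyzer reads the slot through a memoryview instead of receiving a copy through a system call. The slot count, slot size, the constructed Ethernet/IPv4 frames and the drop-when-full policy are assumptions chosen for the example; a real driver would back the same discipline with an mmap'd region and DMA.

```python
import socket
import struct


class PacketRing:
    """Fixed-slot ring in one shared buffer, modelling the region a zero-copy
    driver maps into kernel and user space.  The driver writes a frame once
    into a slot; the analyzer reads the slot through a memoryview, so the
    frame is never copied a second time and no per-packet system call is
    needed to hand it over.  (Assumed layout, not the thesis's own code.)"""

    def __init__(self, slots=4, slot_size=2048):
        self.slots = slots
        self.slot_size = slot_size
        self.buf = bytearray(slots * slot_size)  # the shared region
        self.lengths = [0] * slots               # slot descriptors: frame length
        self.head = 0                            # next slot the driver fills
        self.tail = 0                            # next slot the analyzer consumes
        self.count = 0                           # filled slots
        self.dropped = 0                         # frames lost because the ring was full

    def dma_write(self, frame):
        """Driver side: the single write of the frame into shared memory."""
        if len(frame) > self.slot_size or self.count == self.slots:
            self.dropped += 1                    # oversize, or the analyzer fell behind
            return False
        base = self.head * self.slot_size
        self.buf[base:base + len(frame)] = frame
        self.lengths[self.head] = len(frame)
        self.head = (self.head + 1) % self.slots
        self.count += 1
        return True

    def next_frame(self):
        """Analyzer side: a view of the oldest filled slot, not a copy."""
        if self.count == 0:
            return None
        base = self.tail * self.slot_size
        return self.tail, memoryview(self.buf)[base:base + self.lengths[self.tail]]

    def release(self, idx):
        """Hand the slot back to the driver once analysis is finished."""
        if idx != self.tail:
            raise ValueError("slots must be released in order")
        self.tail = (self.tail + 1) % self.slots
        self.count -= 1


def build_frame(src_ip, dst_ip, proto):
    """Constructed test input: Ethernet header plus a minimal IPv4 header."""
    eth = b"\x00" * 12 + b"\x08\x00"             # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip


def summarize_ipv4(view):
    """Decode addresses and protocol straight out of the shared slot view."""
    if struct.unpack_from("!H", view, 12)[0] != 0x0800:
        return None
    src = ".".join(str(b) for b in view[26:30])
    dst = ".".join(str(b) for b in view[30:34])
    return {"src": src, "dst": dst, "proto": view[23], "ihl": (view[14] & 0x0F) * 4}


def run_demo(ring_slots=2):
    """Push three frames through a two-slot ring without draining it, so the
    third is dropped (the failure mode a slow analyzer causes), then analyze
    what was captured."""
    ring = PacketRing(slots=ring_slots, slot_size=256)
    for i, proto in enumerate((6, 17, 1)):
        ring.dma_write(build_frame("10.0.0.%d" % (i + 1), "10.0.0.254", proto))
    results = []
    while (item := ring.next_frame()) is not None:
        idx, view = item
        results.append(summarize_ipv4(view))
        ring.release(idx)
    return results, ring.dropped


if __name__ == "__main__":
    print(run_demo())
```

The point to watch in practice is the release step: until the analyzer releases a slot the driver cannot reuse it, so a ring that is too small for the analysis latency turns the saved copy into packet loss.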
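The dispatch policy of item 2, as an added example written for this page rather than taken from the thesis: packets are classified by application type, and among the engines configured with a strategy for that type the one with the lowest load relative to its capacity is chosen. The port-to-application table, the engine names, their capacities and the "other" fallback pool are assumptions; the connection-count-only policy is included so the difference the thesis points at can be seen on the same input.

```python
from dataclasses import dataclass

# Constructed classifier: destination port -> application type (assumed mapping).
APP_BY_PORT = {80: "http", 443: "https", 25: "smtp", 53: "dns"}


def classify(dst_port):
    return APP_BY_PORT.get(dst_port, "other")


@dataclass
class Engine:
    name: str
    capacity: float        # relative processing ability of the host (assumed weight)
    apps: frozenset        # application types whose analysis strategy is configured here
    load: int = 0          # packets queued or under analysis right now

    def utilization(self):
        return self.load / self.capacity


class Dispatcher:
    """Application-based dynamic minimum-load-first dispatch (illustrative)."""

    def __init__(self, engines, weight_by_capacity=True):
        self.engines = list(engines)
        self.weight_by_capacity = weight_by_capacity
        self.unassigned = 0

    def _load_key(self, engine):
        # weight_by_capacity=False is the policy the thesis argues against:
        # a raw count that ignores how much each host can actually handle.
        load = engine.utilization() if self.weight_by_capacity else engine.load
        return (load, engine.name)

    def choose(self, app):
        pool = [e for e in self.engines if app in e.apps]
        if not pool:                       # no engine knows this application
            pool = [e for e in self.engines if "other" in e.apps]
        if not pool:
            self.unassigned += 1
            return None
        return min(pool, key=self._load_key)

    def dispatch(self, dst_port):
        engine = self.choose(classify(dst_port))
        if engine is not None:
            engine.load += 1
        return engine

    def release(self, engine):
        """Called when an engine finishes a packet; keeps the load dynamic."""
        engine.load -= 1


def simulate(weight_by_capacity, ports):
    """Dispatch a burst of packets (no releases, so load accumulates) across
    three assumed engines and report how the load ended up."""
    engines = [Engine("fast", 3.0, frozenset({"http"})),
               Engine("slow", 1.0, frozenset({"http", "other"})),
               Engine("mail", 2.0, frozenset({"smtp", "dns"}))]
    d = Dispatcher(engines, weight_by_capacity)
    for port in ports:
        d.dispatch(port)
    return {e.name: e.load for e in engines}, d.unassigned


if __name__ == "__main__":
    print("capacity-aware:", simulate(True, [80] * 8))
    print("count-only:    ", simulate(False, [80] * 8))
```

On eight HTTP packets the capacity-aware policy sends six to the host that is three times faster and two to the slow one, while counting connections alone splits them four and four and overloads the slow host.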
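Items 3 and 4 together, as one added example that is not code from the thesis: the payload is decoded as HTTP first, each rule is scoped to one field of the request, and the patterns for a field are matched in a single pass with an Aho-Corasick automaton. The thesis does not name its improved multi-pattern algorithm, so Aho-Corasick stands in here as a standard multi-pattern matcher; the rule set, the request decoder and the sample request are constructed for the example.

```python
from collections import deque


class AhoCorasick:
    """Multi-pattern matcher: one pass over the input reports every pattern."""

    def __init__(self, patterns):
        self.goto = [{}]        # per-state transitions keyed by byte value
        self.fail = [0]         # failure links
        self.out = [[]]         # patterns that end in each state
        for p in patterns:
            self._add(p)
        self._build()

    def _add(self, pattern):
        s = 0
        for c in pattern:
            if c not in self.goto[s]:
                self.goto[s][c] = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
            s = self.goto[s][c]
        self.out[s].append(pattern)

    def _build(self):
        queue = deque(self.goto[0].values())   # depth-1 states fail to the root
        while queue:
            r = queue.popleft()
            for c, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and c not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(c, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, data):
        s = 0
        for i, c in enumerate(data):
            while s and c not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(c, 0)
            for p in self.out[s]:
                yield i - len(p) + 1, p


def parse_http_request(payload):
    """Minimal decoder returning the fields rules can be scoped to, or None
    when the payload is not an HTTP request (constructed for the example)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return {"uri": parts[1], "headers": b"\r\n".join(lines[1:]), "body": body}


# Constructed rule set: (rule name, request field, byte pattern).
RULES = [
    ("uri-traversal", "uri", b"../.."),
    ("uri-cmd-exec", "uri", b"cmd.exe"),
    ("body-shell", "body", b"/bin/sh"),
]


class Detector:
    def __init__(self, rules):
        self.names = {(f, p): n for n, f, p in rules}
        by_field = {}
        for _, field, pat in rules:
            by_field.setdefault(field, []).append(pat)
        self.automata = {f: AhoCorasick(p) for f, p in by_field.items()}
        self.raw = AhoCorasick([pat for _, _, pat in rules])

    def scan_naive(self, payload):
        """Every pattern against every byte, with no protocol context."""
        alerts = {n for _, pat in self.raw.search(payload)
                  for (_, p), n in self.names.items() if p == pat}
        return sorted(alerts), len(payload)

    def scan_protocol_aware(self, payload):
        """Decode first; each field only sees the patterns scoped to it.
        Payloads that are not HTTP fall back to the naive scan."""
        req = parse_http_request(payload)
        if req is None:
            return self.scan_naive(payload)
        alerts, scanned = set(), 0
        for field, ac in self.automata.items():
            scanned += len(req[field])
            for _, pat in ac.search(req[field]):
                alerts.add(self.names[(field, pat)])
        return sorted(alerts), scanned


# Constructed sample: traversal in the URI, and a URI-scoped pattern that only
# appears in the body, where it should not fire.
SAMPLE_REQUEST = (b"POST /images/../../etc/passwd HTTP/1.1\r\n"
                  b"Host: example.test\r\n\r\n"
                  b"q=cmd.exe")

if __name__ == "__main__":
    d = Detector(RULES)
    print("naive:         ", d.scan_naive(SAMPLE_REQUEST))
    print("protocol-aware:", d.scan_protocol_aware(SAMPLE_REQUEST))
```

The second number each scan returns is bytes examined: the protocol-aware path scans only the URI and body, and it does not raise the URI rule on "cmd.exe" that merely occurs in the body, which is the accuracy gain item 3 is after.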
Keywords/Search Tags:IDS, pattern match, load balance