
Based On Protocol Analysis, Intrusion Detection Technology

Posted on: 2008-04-17
Degree: Master
Type: Thesis
Country: China
Candidate: H W Dai
Full Text: PDF
GTID: 2208360215485619
Subject: Communication and Information System

Abstract/Summary:
As a new, active security-defence mechanism, an Intrusion Detection System (IDS) provides dynamic protection for hosts and networks. It detects not only intrusions by external attackers but also misuse by intranet users. Next-generation IDSs mostly combine protocol analysis, which exploits the specifications of the protocols being carried, with a fast pattern-matching algorithm, in order to resolve the conflict between detection accuracy and timeliness.

On the basis of a detailed exposition of the Boyer-Moore (BM) algorithm, this thesis proposes an improved pattern-matching algorithm that is better suited to rule sets in which many patterns share repeated suffixes. It then examines in depth the packet-capture, packet-filter and protocol-analysis modules of an IDS. Following a network IDS framework based on protocol analysis, it describes in particular the design of the protocol-analysis pretreatment (preprocessing) stage, comprising IP reassembly, TCP stream reassembly and HTTP decoding. The first two modules are implemented as a program built on the WinPcap library and its BPF mechanism, which captures and filters data on the network interface card. The third module implements a routine that analyses the important protocols of the TCP/IP stack (IP, TCP, UDP and HTTP); matching rules against decoded protocol fields rather than raw bytes improves both the precision and the speed of intrusion detection.

Test results show that the improved pattern-matching algorithm is more efficient when the rules contain many repeated suffixes, and that the protocol-analysis, packet-capture and packet-filter modules implemented here decode TCP/IP datagrams correctly. The whole intrusion detection system detects several typical attacks.
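The pipeline the abstract describes (captured datagram, then IP and TCP decoding, then HTTP decoding, then pattern matching against a decoded field) is shown below as an added example; it is not the thesis's code. The Boyer-Moore search is the textbook bad-character plus strong-good-suffix algorithm, because the thesis's improved variant is not given on this page. The datagram bytes, the traversal rule and the assumption that HTTP is only on port 80 are constructed for the example; checksums are left zero and no TCP stream reassembly is attempted, so a request split across segments is out of scope here.

```python
# Added illustration of the pipeline the abstract describes: capture output ->
# IP/TCP decode -> HTTP decode -> pattern match on a decoded field. Not the
# thesis's code. The Boyer-Moore here is the textbook bad-character +
# strong-good-suffix algorithm; the thesis's improved variant is not on the
# page and is not reproduced. Packet bytes and rules are constructed.
import struct


def bad_character_table(pat: bytes) -> dict:
    """Rightmost index of each byte in pat (bad-character rule)."""
    return {b: i for i, b in enumerate(pat)}


def good_suffix_table(pat: bytes) -> list:
    """Strong good-suffix shifts: shift[j+1] for a mismatch at pat[j],
    shift[0] after a full match (standard two-pass preprocessing)."""
    m = len(pat)
    border = [0] * (m + 1)
    shift = [0] * (m + 1)
    i, j = m, m + 1
    border[i] = j
    while i > 0:
        while j <= m and pat[i - 1] != pat[j - 1]:
            if shift[j] == 0:
                shift[j] = j - i
            j = border[j]
        i, j = i - 1, j - 1
        border[i] = j
    j = border[0]
    for i in range(m + 1):
        if shift[i] == 0:
            shift[i] = j
        if i == j:
            j = border[j]
    return shift


def bm_search(text: bytes, pat: bytes) -> list:
    """All offsets of pat in text, comparing right-to-left per alignment."""
    n, m = len(text), len(pat)
    if m == 0 or m > n:
        return []
    bc, gs = bad_character_table(pat), good_suffix_table(pat)
    hits, s = [], 0
    while s <= n - m:
        j = m - 1
        while j >= 0 and pat[j] == text[s + j]:
            j -= 1
        if j < 0:
            hits.append(s)
            s += gs[0]
        else:  # take the larger of the two rules' shifts
            s += max(gs[j + 1], j - bc.get(text[s + j], -1))
    return hits


# Constructed sample request: directory-traversal attempt in the URI.
HTTP_REQUEST = (b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"
                b"Host: victim.example\r\nUser-Agent: scanner/1.0\r\n\r\n")


def build_ipv4_tcp(payload: bytes, dport: int = 80, frag_flags: int = 0) -> bytes:
    """Constructed IPv4+TCP datagram carrying payload (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0x1234, frag_flags, 64, 6, 0, b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x50")
    return ip + tcp + payload


def decode(datagram: bytes) -> dict:
    """IP -> TCP -> HTTP pretreatment. Returns the decoded request, or
    {"stop": reason} when the packet cannot be inspected yet."""
    if len(datagram) < 20 or datagram[0] >> 4 != 4:
        return {"stop": "not IPv4"}
    ihl = (datagram[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", datagram[2:4])
    flags_frag, = struct.unpack("!H", datagram[6:8])
    if flags_frag & 0x2000 or flags_frag & 0x1FFF:  # MF set or offset != 0
        return {"stop": "fragment, needs IP reassembly first"}
    if datagram[9] != 6:
        return {"stop": "not TCP"}
    tcp = datagram[ihl:total_len]
    dport, = struct.unpack("!H", tcp[2:4])
    payload = tcp[(tcp[12] >> 4) * 4:]  # skip TCP header by its data offset
    if dport != 80 or not payload:
        return {"stop": "no HTTP payload"}
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return {"stop": "malformed request line"}
    headers = {}
    for ln in lines[1:]:
        k, _, v = ln.partition(b":")
        headers[k.strip().lower()] = v.strip()
    return {"method": parts[0], "uri": parts[1], "version": parts[2],
            "headers": headers, "body": body}


# Constructed rule: (name, decoded field to inspect, pattern).
RULES = [("http-uri-traversal", "uri", b"../")]


def inspect(datagram: bytes) -> list:
    """Match each rule only against its decoded field, not the raw bytes."""
    req = decode(datagram)
    if "stop" in req:
        return []
    return [name for name, field, pat in RULES if bm_search(req[field], pat)]
```

`inspect(build_ipv4_tcp(HTTP_REQUEST))` raises the traversal alert, while a benign request whose Referer header happens to contain `../` does not, even though `bm_search` over the raw datagram would fire on both; that difference is the precision gain the abstract attributes to protocol analysis. A datagram with the More Fragments flag set is refused by `decode` rather than matched, which is where the IP-reassembly stage of the pretreatment would have to run first.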
Keywords/Search Tags:intrusion detection, BM-algorithm, protocol analysis, TCP/IP protocol stack, packet capture