Intrusion detection is a newer network security technology that followed the traditional protective measures such as firewalls and data encryption. Together with the firewall, anti-virus system, vulnerability scanner and other technologies, intrusion detection forms one of the cornerstones of modern computer security. In spite of the fast evolution of Intrusion Detection System (IDS) technology, many new problems arise in high-speed networks. Ensuring that the IDS is able to capture and record IP network packets, analyse data in real time and perform definite content searching or matching under high-speed network traffic is becoming a very important problem.

A thorough study of the IDS modules was carried out, and it was found that the bottlenecks lie in packet capturing and rule matching. Aiming at efficient packet capturing and rule matching, this paper makes improvements to the network IDS architecture, the network packet capture module, and the packet analysis and detection technology.

On the system architecture, massive numbers of network packets are diverted according to their network protocol to different processing modules, balancing the packet load. This not only improves IDS efficiency but also enhances the system's own resistance to attack: even if one analysis module stops working, the other analysis modules are not affected.

On the design of the network packet capture module, this paper presents a zero-copy packet capture platform (ZCPCP). Its main idea, and its biggest advantage, is direct interaction between the user layer and the network interface layer, which avoids memory copies, shortens the path travelled by packets and saves CPU time, gaining precious time for the more complex processing in the upper layers.

On intrusion detection technology, this paper combines protocol analysis with pattern matching. The advantage is that, on one hand, the high degree of regularity of network protocols can be used to preprocess packets and rapidly detect the existence of an attack, and on the other hand, pattern-matching algorithms can be applied to the characteristics of the packet payload. On the basis of a detailed analysis of the BM pattern-matching algorithm, the paper makes some improvements to the BM algorithm and designs a new algorithm, the EBM algorithm. Compared with the BM algorithm, the EBM algorithm has a larger text-pointer shift value and a smaller number of character comparisons. In addition, the paper optimises the organisational structure of the IDS rule base.

Finally, experiments show that the performance of the IDS has indeed been markedly improved.
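As an added example (not the thesis's own code, and not the EBM algorithm, whose changes to BM the abstract does not specify), the following Python shows the two ingredients the abstract combines: a rule base keyed by protocol, so each packet is matched only against the rules of its own analysis module and a failure in one module is isolated from the rest, and a classic Boyer-Moore matcher (bad-character plus strong good-suffix heuristics) that counts character comparisons, so the effect of larger text-pointer shifts can be measured against naive search. The rule contents, packets, and function names are constructed assumptions.

```python
"""Added example: protocol-keyed rule dispatch plus a comparison-counting
Boyer-Moore matcher. Not code from the thesis; all data below is constructed."""

from collections import defaultdict


def naive_search(text: bytes, pattern: bytes):
    """Brute-force search; returns (match positions, character comparisons)."""
    n, m = len(text), len(pattern)
    matches, compared = [], 0
    for s in range(n - m + 1):
        j = 0
        while j < m:
            compared += 1
            if text[s + j] != pattern[j]:
                break
            j += 1
        if j == m:
            matches.append(s)
    return matches, compared


def bad_character_table(pattern: bytes):
    """Rightmost index of each byte in the pattern (bad-character heuristic)."""
    return {c: i for i, c in enumerate(pattern)}


def good_suffix_table(pattern: bytes):
    """Strong good-suffix shifts: shift[j] is the shift after a mismatch at j-1;
    shift[0] is the shift after a full match."""
    m = len(pattern)
    shift = [0] * (m + 1)
    border = [0] * (m + 1)
    i, j = m, m + 1
    border[i] = j
    while i > 0:
        while j <= m and pattern[i - 1] != pattern[j - 1]:
            if shift[j] == 0:
                shift[j] = j - i
            j = border[j]
        i -= 1
        j -= 1
        border[i] = j
    j = border[0]
    for i in range(m + 1):
        if shift[i] == 0:
            shift[i] = j
        if i == j:
            j = border[j]
    return shift


def bm_search(text: bytes, pattern: bytes):
    """Boyer-Moore with both heuristics; returns (match positions, comparisons)."""
    n, m = len(text), len(pattern)
    bc = bad_character_table(pattern)
    gs = good_suffix_table(pattern)
    matches, compared, s = [], 0, 0
    while s <= n - m:
        j = m - 1                      # compare right to left
        while j >= 0:
            compared += 1
            if pattern[j] != text[s + j]:
                break
            j -= 1
        if j < 0:
            matches.append(s)
            s += gs[0]
        else:
            # take the larger of the two proposed shifts (good-suffix is >= 1)
            s += max(gs[j + 1], j - bc.get(text[s + j], -1))
    return matches, compared


# Constructed rule base keyed by protocol: a packet is only matched against
# the signatures of the module its protocol header selects.
RULES = {
    "http": [b"/etc/passwd", b"<script>"],
    "smtp": [b"VRFY "],
}

# Constructed packets as (protocol, payload); the None payload stands in for a
# malformed packet that makes one module fail.
PACKETS = [
    ("http", b"GET /../../etc/passwd HTTP/1.1\r\nHost: example\r\n"),
    ("smtp", b"VRFY root\r\n"),
    ("http", None),
    ("dns", b"\x12\x34\x01\x00"),      # no dns rules: skipped, no comparisons
]


def analyse(packets):
    """Dispatch each packet to its protocol's rule set. A failure in one module
    is recorded and does not stop the other packets from being analysed."""
    alerts, errors, comparisons = [], [], defaultdict(int)
    for proto, payload in packets:
        try:
            for pattern in RULES.get(proto, []):
                hits, cmp = bm_search(payload, pattern)
                comparisons[proto] += cmp
                if hits:
                    alerts.append((proto, pattern, hits[0]))
        except TypeError as exc:
            errors.append((proto, repr(exc)))
    return alerts, errors, dict(comparisons)


if __name__ == "__main__":
    print(naive_search(b"ABAAABCD", b"ABC"), bm_search(b"ABAAABCD", b"ABC"))
    print(analyse(PACKETS))
```

Running the module prints the comparison counts side by side; on the small constructed text the naive search performs 12 comparisons and Boyer-Moore 5, which is the kind of measurement the abstract's EBM claim (larger shifts, fewer comparisons) would be evaluated with.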