
Policy-based Script Gigabit Intrusion Detection System Core Technology Research

Posted on: 2009-11-23
Degree: Master
Type: Thesis
Country: China
Candidate: X S Liu
Full Text: PDF
GTID: 2208360245456259
Subject: Computer application technology
Abstract/Summary:
Intrusion detection systems (IDSs) have become increasingly sophisticated as an approach to network security protection over the last several decades. However, recent IDSs have been unable to provide proper analysis or an effective security mechanism for defending against attacks in megabit network environments because of several limitations. Based on the Common Intrusion Detection Framework (CIDF) and Network-Based Intrusion Detection System (NIDS) standards, we present a novel intrusion detection system called Gigabit IDS (GIDS) that improves detection speed and accuracy so as to ensure the monitoring of high-speed networks. GIDS consists of a data capture module, an event generation engine, a policy script interpreter and an intrusion prevention module. The paper is organized as follows:
(1) Zero-copy and device polling mechanisms are combined with Libpcap to capture data packets, which has proven more efficient.
(2) The event generator module adopts dynamic protocol detection to determine the protocol type and connection state, which provides policy script analysis for different events. Besides, GIDS permits users to define signature collections with typical attack features; events are generated by comparing the attack signatures to the network data stream, and regular expressions are adopted to improve the descriptive power of signatures.
(3) Policy scripts are interpreted and executed by the policy script interpreter; the scripts are coded in the GIDS Script language, which is implemented with Flex and Bison to provide more flexible detection logic. Both policy script analysis and regular expression matching operate on packets reassembled from a whole session, realizing fine-grained detection that improves the accuracy of intrusion detection.
(4) By sending fake RST packets and linking with the firewall access control list (ACL), the intrusion prevention module is constructed to block intrusion activities in time, relieving the workload of administrators and reducing user interaction.
Finally, the performance of GIDS is tested through CPU occupancy, memory usage rate, system throughput and loss tolerance; the results show that GIDS is stronger than other IDSs.
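As an added illustration of points (2) and (3), not code from the thesis: content-based protocol detection and regex signature matching run over a TCP session reassembled from its segments, with a per-packet matcher alongside for comparison. The sample segments, the signatures and the POLICY table are constructed for this example; POLICY is a plain stand-in for a GIDS Script policy, whose syntax the abstract does not show.

```python
import re
# Constructed sample session (not from the thesis): TCP segments as (seq, payload),
# delivered out of order with one overlapping retransmission; the "../../"
# traversal signature is split across the segment boundary.
SEGMENTS = [
    (1023, b"../etc/passwd HTTP/1.1\r\nHost: h\r\n\r\n"),
    (1000, b"GET /cgi-bin/view?f=../"),
    (1012, b"/view?f=../.."),  # retransmission overlapping the first segment by 11 bytes
]
# Content-based protocol probes (dynamic detection, not trusting the port).
PROTOCOL_PROBES = {"http": re.compile(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")}
# Signature collection: (protocol, event name, regular expression).
SIGNATURES = [
    ("http", "path-traversal", re.compile(rb"(\.\./){2,}")),
    ("http", "long-uri", re.compile(rb"^\S+ \S{2048,} HTTP")),
]
# Stand-in for a policy script: the action each event triggers (assumed, not GIDS Script).
POLICY = {"path-traversal": "block", "long-uri": "alert"}

def reassemble(segments):
    """Order segments by seq and trim retransmitted overlap; returns (stream, gap).
    gap=True means bytes were missing, so matching stops at the hole."""
    stream, expected = bytearray(), None
    for seq, data in sorted(segments):
        expected = seq if expected is None else expected
        if seq > expected:                     # hole: never join across missing data
            return bytes(stream), True
        skip = expected - seq                  # bytes already in the stream
        if skip < len(data):
            stream += data[skip:]
            expected = seq + len(data)
    return bytes(stream), False

def detect_protocol(stream):
    return next((n for n, p in PROTOCOL_PROBES.items() if p.match(stream)), "unknown")

def generate_events(data, protocol):
    """Event generator: run the detected protocol's signatures against data."""
    return [name for proto, name, rx in SIGNATURES if proto == protocol and rx.search(data)]

def events_per_packet(segments, protocol):  # packet-by-packet matching, for comparison
    return sorted({e for _, d in segments for e in generate_events(d, protocol)})

def analyse_session(segments):
    """Full pipeline: reassemble, detect protocol, generate events, apply policy."""
    stream, gap = reassemble(segments)
    protocol = detect_protocol(stream)
    events = generate_events(stream, protocol)
    actions = sorted({POLICY.get(e, "alert") for e in events})
    return {"protocol": protocol, "events": events, "actions": actions, "gap": gap}
```

On the sample session, `events_per_packet` finds nothing because no single payload contains two consecutive `../`, while `analyse_session` reassembles the stream, detects HTTP from its content and raises the `path-traversal` event with the `block` action.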
Keywords/Search Tags: intrusion detection, device polling, dynamic protocol detection, regular expression matching, policy script, intrusion blocking