The Design And Implementation Of Network-Based Intrusion Detection System Based On Libnids

Posted on: 2011-01-31 | Degree: Master | Type: Thesis
Country: China | Candidate: G Chen | Full Text: PDF
GTID: 2218330371464213 | Subject: Software engineering
Abstract/Summary:
As an active security technique, an intrusion detection system (IDS) can not only detect unauthorized objects intruding into a system but also monitor authorized objects that use system resources unlawfully. As the Internet is used more and more widely, more and more people attach importance to network-based intrusion detection systems (NIDS). This paper analyses current network attack methods and the rule analysis methods used in network intrusion detection, and designs a three-dimensional linked data structure for the rule analysis model; every rule in the rule base is added to its corresponding place in the three-dimensional linked list. Libnids is a special-purpose programming interface used in network intrusion detection. Based on this programming interface, this paper designs and implements a simple NIDS on the Linux platform. The system conforms to the CIDF standard and employs the interface functions of Libnids to analyse protocols and reassemble IP fragments. Libnids encapsulates many commonly used functions for developing a NIDS. The interface functions of Libnids monitor all local network communication and check packets. The system is composed of the following modules: network packet capture module, network protocol analysis module, rule analysis module, intrusion detection module, response module, worm detection module, storage module and user interface management module. The system captures network packets to analyse protocols such as ARP, IP, TCP, UDP and ICMP, and displays and stores the data according to the protocol type of each packet. At the same time, we design an intrusion detection language and implement an intrusion detection database for checking abnormal behaviours. An Internet worm forecasting model is established, and a prototype based on forecasting algorithms is given after analysing the behaviour pattern of Internet worms. Finally, we design a user-friendly graphical interface using GTK+.
The analysis and the experimental results indicate that the system can forecast unusual network behavior. We designed six test cases to test the feasibility of the intrusion detection system and the efficiency of its detection. The results show that, in the current network environment, the system can identify network attacks and report warnings effectively.
Keywords/Search Tags: Intrusion detection, Libnids, Pattern matching, Forecast and warning