
The Optimization And Realization Of High Performance IDS

Posted on: 2013-07-03
Degree: Master
Type: Thesis
Country: China
Candidate: Q Q Liao
Full Text: PDF
GTID: 2248330374988801
Subject: Computer Science and Technology

Abstract/Summary:
Due to the continuous expansion of network size and the increase in network traffic, traditional IDS (intrusion detection systems) encounter many performance bottlenecks and deficiencies in high-speed network environments, which are mainly manifested in two aspects. Firstly, current IDS based on the application layer are relatively stable, but they depend so heavily on packet capture tools such as libpcap or WinPcap that the packet capture rate is low and packet loss is serious. IDS that work in the driver layer perform well at packet capture, but most of them are designed on the Netfilter framework, and a large number of drivers run in kernel space, so even a simple bug may crash the kernel. Secondly, with the development of multi-core processors, the performance of NIDS (network IDS) does not increase much with the number of processing units, mainly because each CPU contends for shared resources, resulting in a lot of locking and waiting.

In this paper, based on research and analysis of IDS, we propose an optimization method for designing an IDS with high performance and stability. The optimization has two aspects. On one hand, a zero-copy, lock-free queue parallel processing mechanism is presented. It constructs a group of parallel processing queues that are built in the Linux kernel and mapped into the address space of the application-layer process through zero-copy; therefore no lock is involved in receiving and sending packets on the network cards. On the other hand, we build AppNetfilter in the application layer for high extensibility. AppNetfilter provides the establishment, maintenance and destruction of connection tracking, and at the same time builds a business hook callback framework. AppNetfilter is an application-layer hook callback framework similar to the Linux kernel's Netfilter; it is bound to a CPU and uses the process as the unit of parallel processing.

We implement our scheme on the Linux kernel (version 3.0.9) and test it in a network at 2 Gbps. The results show that our IDS performs well in improving data processing, reducing CPU utilization and enhancing system stability.
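The per-queue zero-copy, lock-free mechanism described in the abstract, as an added example and not code from the thesis: a single-producer/single-consumer ring whose slots the consumer reads in place, drained through one hook callback standing in for an AppNetfilter-style business hook. The ring layout, the function names and the IPv4-only hook are assumptions for illustration; the frames in the demo are constructed.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define RING_SLOTS 8   /* power of two: index wrap is a mask */
#define SLOT_BYTES 64  /* fixed-size slot so a frame is read in place, never copied out */
struct pkt_slot { uint16_t len; uint8_t data[SLOT_BYTES]; };
/* One ring per RX queue: one producer (kernel side), one consumer (the IDS process
 * pinned to that CPU). Each index is written by one side only, so a release/acquire
 * pair publishes a slot and no lock is ever taken. */
struct spsc_ring {
    struct pkt_slot slots[RING_SLOTS];
    _Atomic uint32_t head, tail;  /* head: producer only, tail: consumer only */
};
void ring_init(struct spsc_ring *r) { memset(r, 0, sizeof *r); }
/* Producer: fill the next free slot (models kernel writes into the shared mapping); false when full. */
bool ring_push(struct spsc_ring *r, const uint8_t *frame, uint16_t len) {
    uint32_t head = atomic_load_explicit(&r->head, memory_order_relaxed);
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_acquire);
    if (head - tail == RING_SLOTS || len > SLOT_BYTES) return false;
    struct pkt_slot *s = &r->slots[head & (RING_SLOTS - 1)];
    s->len = len;
    memcpy(s->data, frame, len);
    atomic_store_explicit(&r->head, head + 1, memory_order_release);
    return true;
}
/* Consumer: borrow the oldest slot in place, or NULL when the ring is empty. */
struct pkt_slot *ring_peek(struct spsc_ring *r) {
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_relaxed);
    if (atomic_load_explicit(&r->head, memory_order_acquire) == tail) return NULL;
    return &r->slots[tail & (RING_SLOTS - 1)];
}
/* Consumer: hand the slot back to the producer once the hook is done with it. */
void ring_release(struct spsc_ring *r) { atomic_fetch_add_explicit(&r->tail, 1, memory_order_release); }
/* Run each queued frame through one hook callback in place; returns the accept count. */
int ring_drain(struct spsc_ring *r, int (*hook)(const struct pkt_slot *)) {
    int accepted = 0;
    for (struct pkt_slot *p; (p = ring_peek(r)) != NULL; ring_release(r))
        accepted += hook(p) ? 1 : 0;
    return accepted;
}
/* Demo on constructed frames: a hook that accepts only IPv4 (version nibble 4). */
static int ipv4_only(const struct pkt_slot *p) { return (p->data[0] >> 4) == 4; }
int demo_queue(void) {
    static struct spsc_ring r; ring_init(&r);
    const uint8_t v4[] = {0x45, 0, 0, 20}, v6[] = {0x60, 0, 0, 0};
    ring_push(&r, v4, 4); ring_push(&r, v6, 4); ring_push(&r, v4, 4);
    return ring_drain(&r, ipv4_only);  /* 2 */
}
```

In the thesis design the producer side sits in the kernel and the consumer is a user-space process on the same CPU; this model keeps both in one address space only so the ring protocol itself can be exercised.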
Keywords/Search Tags: zero-copy and no-lock queue, AppNetfilter, bound with CPU, callback framework, stability