Research And Design Of Network Intrusion Detection System Based On Protocol Analysis

Posted on: 2012-09-06
Degree: Master
Type: Thesis
Country: China
Candidate: S L Cui
Full Text: PDF
GTID: 2248330395458194
Subject: Computer application technology
Abstract/Summary:
With the continuous development of computer and network technology, network security problems have attracted more and more attention. Traditional security technologies cannot meet the requirements of network security, and intrusion detection technology has emerged as a new active defense technology.

This thesis first introduces the basic concepts of intrusion detection technology, points out the advantages and disadvantages of pattern matching technology, which is mature and widely used today, and then leads to a new generation of intrusion detection technology: protocol analysis. After introducing the two detection methods of protocol analysis in detail, we design and implement an intrusion detection system based on protocol analysis. It includes a data packet capture module, a preprocessing module, a protocol analysis and detection module, a rule base, a response module and a storage module. The system performs protocol analysis on captured data packets, extracts the valid data, finds suspicious or aggressive behaviors by comparing the data with specific attack rules, and records and responds to the results.

This thesis improves an IP reassembly algorithm based on a splay tree and introduces a fast and lossless TCP stream reassembly algorithm. Together they provide highly efficient and secure preprocessing of data packets and lay a foundation for the system's rapid processing. The protocol analysis and detection module is implemented with simple protocol analysis and stateful protocol analysis. After research and analysis of the TCP protocol's state transitions, we design a TCP stateful protocol analysis module that can detect abnormal behaviors and succeeds in detecting TCP SYN flooding.

Finally, the test results indicate that the intrusion detection system based on protocol analysis, with the improved IP reassembly algorithm and the fast and lossless TCP stream reassembly algorithm, improves detection accuracy and efficiency and has a lower false positive rate and false negative rate. The performance has been significantly improved.
Keywords/Search Tags:protocol analysis, network security, intrusion detection, pattern matching, reassembly algorithm
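
The abstract's stateful TCP analysis can be illustrated with a small handshake tracker that flags a listener once too many handshakes stay half-open. This is an added example, not code from the thesis; the class name, state names, threshold and time window are assumptions, and the traffic is constructed.

```python
# Added illustration: per-connection TCP handshake state (assumed design).
SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits
class HandshakeTracker:
    def __init__(self, max_half_open=5, window=3.0):
        self.max_half_open = max_half_open  # assumed per-listener threshold
        self.window = window                # seconds a handshake may stay open
        self.conns = {}     # (client, cport, server, sport) -> [state, syn_ts]
        self.alerts = []    # (ts, kind, ip, port)
        self.flagged = set()

    def feed(self, ts, src, sport, dst, dport, flags):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & RST:
            self.conns.pop(fwd, None)
            self.conns.pop(rev, None)
        elif flags & SYN and flags & ACK:          # server -> client
            if self.conns.get(rev, [None])[0] == "SYN_RCVD":
                self.conns[rev][0] = "SYN_ACK_SENT"
            else:                                  # no SYN was seen first
                self.alerts.append((ts, "unexpected SYN/ACK", src, sport))
        elif flags & SYN:                          # client -> server
            self.conns[fwd] = ["SYN_RCVD", ts]
            self._check_listener(ts, dst, dport)
        elif flags & ACK and self.conns.get(fwd, [None])[0] == "SYN_ACK_SENT":
            self.conns[fwd][0] = "ESTABLISHED"

    def _check_listener(self, ts, ip, port):
        # Expire half-open entries older than the window, then count the rest.
        for key, (state, t0) in list(self.conns.items()):
            if state != "ESTABLISHED" and ts - t0 > self.window:
                del self.conns[key]
        half_open = sum(1 for k, (s, _) in self.conns.items()
                        if k[2:] == (ip, port) and s != "ESTABLISHED")
        if half_open > self.max_half_open and (ip, port) not in self.flagged:
            self.flagged.add((ip, port))
            self.alerts.append((ts, "SYN flood suspected", ip, port))

def run_constructed_trace():
    """Constructed sample traffic (documentation addresses), not a capture."""
    t = HandshakeTracker()
    srv = ("192.0.2.10", 80)
    # One normal three-way handshake.
    t.feed(0.00, "198.51.100.7", 40000, *srv, SYN)
    t.feed(0.01, *srv, "198.51.100.7", 40000, SYN | ACK)
    t.feed(0.02, "198.51.100.7", 40000, *srv, ACK)
    # Eight SYNs from varying sources that never complete the handshake.
    for i in range(8):
        t.feed(1.0 + i * 0.01, f"203.0.113.{i + 1}", 50000 + i, *srv, SYN)
    return t
```

The completed handshake leaves no alert; the listener is flagged once, when the sixth unanswered SYN arrives within the window.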