
Analysis And Design Of Intrusion Detection System For High-Speed Network

Posted on: 2014-02-28
Degree: Master
Type: Thesis
Country: China
Candidate: K Li
Full Text: PDF
GTID: 2248330398472232
Subject: Computer Science and Technology
Abstract/Summary:
Intrusion detection systems (IDS) play an important role in protecting the security of computer systems and the Internet and are an active means of defense. An IDS can observe network conditions and monitor network traffic and activity in real time, alert the administrator, and record the information in a database. On this basis, the IDS can generate logs by analyzing the intrusion activities and audit data, which helps to prevent such attacks. As a real-time active defense system, the IDS can be installed on any node in the network; different placements suit different network structures and together form a layered defense-in-depth system. However, with the rapid growth of network bandwidth, network traffic has increased dramatically, and the capability to capture and process packets in a high-speed network environment has become the bottleneck in the development of IDS and network security technology.

This paper analyzes the bottleneck of intrusion detection systems in high-speed networks and redesigns the packet capture module and the data processing module so that the IDS can be adapted to high-speed networks. The efficiency of the IDS is improved mainly by the following means.

1. The NIC is driven in the kernel of the operating system, so when the NIC receives packets they are stored in kernel space. Applications such as the IDS run in user space and cannot access kernel space directly, so before the packets can be processed they must be copied to user space, which generates memory copies and system calls and reduces the efficiency of the system. In this paper, we apply the zero-copy idea and modify the NIC driver so that packets are transferred directly from the NIC to user space. Zero copy reduces the number of data copies and context switches between kernel and user mode, which in turn reduces the CPU load.

2. To make the upper-layer data processing more efficient, this paper introduces a load balancing mechanism so that every processing engine carries the same amount of load. Load balancing used in an IDS can be divided into rule-based multi-detector load balancing and stream-based multi-detector load balancing. By analyzing the characteristics of the IDS, this paper designs a network-stream-based, multi-threaded load balancing mechanism in which each stream is assigned to a particular processing thread, thereby achieving load balancing.

3. In the data detection part, the packets are preprocessed first. Preprocessing is mainly responsible for reassembling the different data streams and is implemented with a hash table. A rule linked list is then formed by parsing the rule file. This paper uses the AC multi-pattern matching algorithm to perform packet feature matching.
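As an added illustration of the stream-based multi-thread load balancing in point 2 (example code written for this page, not from the thesis): each packet is mapped to a worker thread by a symmetric hash of its 5-tuple, so both directions of one stream reach the same thread and the same reassembly table. The tuple layout, the FNV-1a hash and the worker count are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Number of processing threads the dispatcher feeds (assumed). */
#define NUM_WORKERS 4

/* 5-tuple identifying one network stream (IPv4, host byte order). */
struct flow_key {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
};

/* Returns 1 if endpoint (ip1, p1) orders before endpoint (ip2, p2). */
static int endpoint_less(uint32_t ip1, uint16_t p1, uint32_t ip2, uint16_t p2)
{
    return ip1 < ip2 || (ip1 == ip2 && p1 < p2);
}

/* Symmetric flow hash: the two directions of a stream are canonicalised
 * to the same endpoint order before hashing, so request and reply packets
 * are queued to the same thread and land in the same reassembly table. */
uint32_t flow_hash(const struct flow_key *k)
{
    uint32_t ip_a = k->src_ip,   ip_b = k->dst_ip;
    uint16_t pt_a = k->src_port, pt_b = k->dst_port;
    if (!endpoint_less(ip_a, pt_a, ip_b, pt_b)) {
        uint32_t ti = ip_a; ip_a = ip_b; ip_b = ti;
        uint16_t tp = pt_a; pt_a = pt_b; pt_b = tp;
    }
    /* Pack the canonical tuple and run FNV-1a over the 13 bytes. */
    uint8_t buf[13];
    memcpy(buf,     &ip_a, 4); memcpy(buf + 4,  &ip_b, 4);
    memcpy(buf + 8, &pt_a, 2); memcpy(buf + 10, &pt_b, 2);
    buf[12] = k->proto;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof buf; i++) { h ^= buf[i]; h *= 16777619u; }
    return h;
}

/* Index of the processing thread a packet with this 5-tuple is queued to. */
int flow_to_worker(const struct flow_key *k)
{
    return (int)(flow_hash(k) % NUM_WORKERS);
}
```

Because the mapping is per stream rather than per packet, a worker's reassembly hash table only ever sees complete streams, at the cost of uneven load when a few streams dominate the traffic.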
Keywords/Search Tags: intrusion detection, packet capture, zero copy, load balance, multi-pattern matching