Research On IDS And Load Balancing Based On Multi-core Platform

The increase in bandwidth over processing ability has made intrusion detection forhigh-speed networks very difficult, in certain cases, impossible, so that research anddevelopment of a practical gigabit intrusion detection system (IDS) becomes a realchallenge. Today it has broad prospect to research IDS for high-speed network based onmulti-core platform, which is good at not only versatility, scalability, but also low prices.This provides an opportunity for the research of cost-effective IDS.The multi-core load-balancing algorithm, of which the load balancing, dynamicadaptability, flow damage rate and overhead should be investigated, is the keytechnology to improve the performance of IDS based on multi-core platform forhigh-speed network. In this thesis we present a framework of IDS based on universalmulti-core platform, and study on the multi-core load-balancing algorithm of it. Themain works are as following:1）We design a framework of parallel-structure IDS based on universal multi-coreplatform.After studying the shortcomings of IDS based on multi-core platform, we proposea framework of parallel-structure intrusion detection system, which uses load balancingmodules to distribute network traffic in parallel, can take advantage of multi-coreplatform, and still maintains the integrity of traditional intrusion detection program. Theframework is concise and feasible.2）We present an adaptive traffic load-balancing algorithm.We researched the current load balancing algorithm of parallel IDS, and analyzedthe requirements of load balancing algorithm of IDS based on multi-core platform.Based on the law about the threshold of flows, the number of flows and the number oftheir bytes, with the characteristic of large flows and new flows in the real Internettraffic, a novel load balancing algorithm named HCNLF is proposed. We propose theperformance indicators and the key steps and ideas of the algorithm.3）We implement a prototype of parallel-structure IDS based on current multi-coreplatform, and evaluate the HCNLF algorithm.We implement a prototype of our designed parallel-structure IDS based onmulti-core platform using the technology of PF_RING, in which we evaluate theHCNLF algorithm under a simulated network environment. The experiments conformthat the HCNLF algorithm gets much performance improvement compared with thestatic algorithm of PF_RING when the load fluctuation of traffic is irregular. Comparedwith the adjusting larger flow algorithm, although HCNLF has the same performance onload balancing metric and packet loss rate, HCNLF algorithm can use two adjustmentmechanisms flexibly, and its flow damage rate is much lower than the adjusting larger flow algorithm.The HCNLF algorithm has been applied in IDS based on current multi-coreplatform deployed at a special-purpose network, and has practical engineering value.