
Research On Some Key Technologies For High-Speed Network Intrusion Detection Systems

Posted on: 2015-09-11
Degree: Master
Type: Thesis
Country: China
Candidate: F Q Zhao
Full Text: PDF
GTID: 2298330431479829
Subject: Computer application technology
Abstract/Summary:
With the rapid development of network technology, the growing variety of network attacks places higher demands on NIDS (network intrusion detection systems). A single-host IDS (intrusion detection system) can no longer meet the requirements of high-speed networks, so hierarchical and distributed IDS have become a research focus. This dissertation addresses the problem of high-speed NIDS. It first proposes a processing model for high-speed NIDS, then studies several key technologies: high-speed data capture, application-level protocol identification and adaptive load distribution. Finally, the model is implemented on an embedded computing platform based on the ATCA standard. The research results have been applied in the Chinese Academy of Sciences "XX major project".

Based on an analysis of NIDS, the dissertation proposes HNIDS, an extensible distributed parallel processing model (EDPPM). The model adopts a hierarchical structure in which the front end is responsible for simple data processing and the back end for time-consuming intrusion detection. EDPPM has good scalability and high throughput, and at the same time meets the requirements of a high-speed IDS.

For the problem of protocol identification in intrusion detection systems, the dissertation puts forward a method for fast application-level protocol identification. The method uses a port recognition algorithm that divides network sessions into long-cache sessions and short-cache sessions: long-cache sessions are used to identify more complex protocols, and short-cache sessions to identify simple protocols. This eliminates the disadvantages of the accumulated matching approach. After comparing and analysing pattern matching algorithms, the method adopts the AC (Aho-Corasick) multiple pattern matching algorithm for pattern matching.
Experiments show that the method effectively improves the throughput of protocol recognition and noticeably improves accuracy compared with L7-filter.

To meet the load-balancing demand of the hierarchical EDPPM model, the dissertation proposes a dynamic load-balancing algorithm based on protocol classification and a minimum-weighted-entropy-first priority. The input to this algorithm is the data flow already classified by application protocol. The algorithm combines static allocation with dynamic allocation based on probe load, and balances the load across probes while preserving the integrity of each session. These strategies are suitable for the high-speed network environment of intrusion detection systems.
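As an added illustration (not code from the thesis), the following Python sketch combines the two mechanisms described in the abstract: a per-session payload cache whose size is chosen by destination port (short for well-known ports, long for the rest), a single-pass Aho-Corasick scan of the cached bytes to label the application protocol, and a dispatcher that pins each session to one detection probe, picking among a static per-protocol candidate set by current load so that session integrity is preserved. The signatures, cache sizes, well-known port set, probe table and sample packets are constructed assumptions, and the least-loaded choice stands in for the thesis's minimum-weighted-entropy priority, which the abstract does not describe in enough detail to reproduce.

```python
from collections import deque

# Constructed protocol signatures (assumption: a toy table, not the thesis's rules).
SIGNATURES = {b"GET ": "http", b"SSH-": "ssh", b"BitTorrent protocol": "bittorrent"}

class AhoCorasick:
    """Multi-pattern matcher: one pass over the bytes checks every signature at once."""
    def __init__(self, patterns):
        self.goto, self.fail, self.out = [{}], [0], [None]
        for pattern, label in patterns.items():      # build the trie
            node = 0
            for byte in pattern:
                if byte not in self.goto[node]:
                    self.goto.append({}); self.fail.append(0); self.out.append(None)
                    self.goto[node][byte] = len(self.goto) - 1
                node = self.goto[node][byte]
            self.out[node] = label
        queue = deque(self.goto[0].values())         # breadth-first failure links
        while queue:
            node = queue.popleft()
            for byte, child in self.goto[node].items():
                f = self.fail[node]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[child] = self.goto[f].get(byte, 0)
                if self.out[child] is None:          # inherit a match reached via failure
                    self.out[child] = self.out[self.fail[child]]
                queue.append(child)

    def search(self, data):
        """Label of the first signature that ends inside data, or None."""
        state = 0
        for byte in data:
            while state and byte not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(byte, 0)
            if self.out[state] is not None:
                return self.out[state]
        return None

SHORT_CACHE, LONG_CACHE = 16, 256        # assumption: bytes cached per session type
WELL_KNOWN_PORTS = {22, 25, 80, 443}     # assumption: ports whose protocols are simple

class ProtocolIdentifier:
    """Port-driven cache split: short cache on well-known ports, long cache elsewhere;
    the verdict for a session is fixed once and never recomputed."""
    def __init__(self, matcher):
        self.matcher, self.cache, self.verdict = matcher, {}, {}

    def feed(self, flow, payload):
        if flow in self.verdict:
            return self.verdict[flow]
        limit = SHORT_CACHE if flow[3] in WELL_KNOWN_PORTS else LONG_CACHE
        buf = self.cache.setdefault(flow, bytearray())
        buf += payload[: limit - len(buf)]           # the cache limit bounds rescanning
        label = self.matcher.search(bytes(buf))
        if label is None and len(buf) < limit:
            return None                              # undecided: keep caching
        self.verdict[flow] = label or "unknown"
        del self.cache[flow]
        return self.verdict[flow]

class ProbeDispatcher:
    """Static allocation (protocol -> candidate probes) refined by current probe load;
    a session, once pinned, always reaches the same probe (session integrity)."""
    def __init__(self, static_map, n_probes):
        self.static_map, self.load, self.pinned = static_map, [0] * n_probes, {}

    def dispatch(self, flow, protocol, nbytes):
        if flow not in self.pinned:
            candidates = self.static_map.get(protocol, range(len(self.load)))
            self.pinned[flow] = min(candidates, key=lambda p: self.load[p])
        self.load[self.pinned[flow]] += nbytes
        return self.pinned[flow]

# Constructed sample traffic: ((src ip, src port, dst ip, dst port), payload).
PACKETS = [
    (("10.0.0.5", 40001, "10.0.0.9", 80), b"GET /index.html HTTP/1.1\r\n"),
    (("10.0.0.5", 40002, "10.0.0.9", 22), b"SSH-2.0-OpenSSH_8.9\r\n"),
    (("10.0.0.6", 40003, "10.0.0.9", 6881), b"\x13BitTorrent protocol" + bytes(8)),
    (("10.0.0.7", 40004, "10.0.0.9", 9999), bytes(300)),                   # unrecognisable
    (("10.0.0.5", 40001, "10.0.0.9", 80), b"Host: example.test\r\n\r\n"),  # same session
]
STATIC_MAP = {"http": [0, 1], "ssh": [2], "bittorrent": [2, 3]}   # assumption

def run_pipeline(packets=PACKETS, n_probes=4):
    """Label each session, dispatch every packet; returns (rows, per-probe byte load)."""
    ident = ProtocolIdentifier(AhoCorasick(SIGNATURES))
    disp = ProbeDispatcher(STATIC_MAP, n_probes)
    rows = []
    for flow, payload in packets:
        label = ident.feed(flow, payload) or "unknown"   # undecided packets go as unknown
        rows.append((flow[1], label, disp.dispatch(flow, label, len(payload))))
    return rows, disp.load
```

Because `run_pipeline` pins a session on its first packet, the static per-protocol map only steers flows whose verdict is reached on that packet; later packets of an undecided session follow the pin, which is the price of keeping every packet of a session on one probe. With the sample traffic, the HTTP session lands on probe 0, SSH on probe 2, BitTorrent on probe 3 (probe 2 already carries the SSH bytes) and the unrecognised session on the emptiest probe overall.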
Keywords/Search Tags: high-speed network, IDS, distributed detection, protocol identification, load balancing