Design And Implementation Of Network Security Audit System Based On NDIS Deep Packet Inspection

Posted on: 2015-06-13
Degree: Master
Type: Thesis
Country: China
Candidate: X L Wu
GTID: 2298330434453962
Subject: Electronics and Communications Engineering
Abstract: Internet intrusions are becoming more and more common, especially intrusions at the application layer. The network security audit system moves the core function of the firewall from the network layer to the application layer. Auditing at the application layer led to the birth of deep packet inspection technology. Deep packet inspection not only examines the packet header but also goes through the payload and, at the same time, finds hidden features. Therefore, deep packet inspection based on the application layer can identify different network behaviors more accurately.

Regular expressions have a powerful and flexible expressive ability that plain strings lack, and they can express complex features accurately. Thus, regular expression matching is used instead of the traditional deep packet inspection algorithms, such as KMP, AC, BM etc. Both NFA and DFA can realize regular expression matching, and DFA is more useful than NFA in network application fields. With the expansion of the rule feature library and the widespread use of the ".*" and "{}" operators, DFA suffers from memory explosion and performance degradation problems.

This paper then analyzes the reasons for the DFA memory explosion in detail. On the basis of in-depth research and analysis of existing DFA optimization technologies, we propose the HCADFA grouping algorithm. We emulated the memory explosion using the newest rules of L7-filter. Compared with the mDFA algorithm, HCADFA produces fewer groups under the same memory limit and has better storage performance with the same number of groups. HCADFA is presented to improve the practicability of deep packet inspection. In addition, this paper presents a memory model that is suitable for the rule feature library at the application layer. This model can reduce the storage of the DFA's graph and the number of states.

Finally, this paper designs and implements a network security audit system named ENAuditSys, using the HCADFA grouping algorithm as the matching strategy of the core module. Analysis of the results shows that ENAuditSys achieves the desired purpose. It can audit the Internet behavior or abnormal behavior of each machine on the intranet, with an impact on network performance that stays within an acceptable range.

This paper has 31 figures, 14 tables, and 62 references.
Keywords/Search Tags: Network Security Audit, NDIS, Deep Packet Inspection, Optimization of DFA, Feature Library