
The Optimization Research Of Intrusion Prevention System Based On Snort

Posted on: 2015-05-02
Degree: Master
Type: Thesis
Country: China
Candidate: Y Chen
Full Text: PDF
GTID: 2308330473450885
Subject: Information security

Abstract/Summary:
Nowadays, the fast growth of information technology, and especially the rapid development of the Internet, has brought much convenience to people's lives. However, the growing popularity of all kinds of network applications also gives network attackers many more opportunities. In recent years network intrusions have been on an increasing trend, and the losses they cause are incalculable. Intrusion prevention technology is designed to prevent all types of network attacks: it combines the functions of a firewall with intrusion detection technology, so it can both perform in-depth attack detection on network packets and block the attacks in time. Currently, the main bottlenecks of intrusion prevention systems are network latency and packet loss. Because an intrusion prevention system is connected in series (inline) with the backbone network, any significant latency or packet loss it introduces seriously affects users' normal network access. How to improve the performance of an intrusion prevention system, reduce network delay and increase system throughput is therefore an urgent problem.

In this thesis we first analyze Snort, an open source intrusion detection system, in depth, and develop an intrusion prevention system based on it. In this system the Abuse Detection module is ported mainly from Snort's core detection engine. We then ran unit tests on this prototype system, identified its performance bottlenecks, and improved the related parts of the system as follows:

1) Based on an analysis of Snort's core detection engine and detection process, we implemented an "activity-based rule chain priority dynamic adjustment program". Comparison of the test results shows that the program performs much better in an environment where large and sustained attacks occur.

2) We propose an improved multi-pattern matching algorithm based on an analysis of the BM (Boyer-Moore) and AC (Aho-Corasick) algorithms, the pattern matching algorithms used in the current version of Snort. According to the test results, the algorithm proposed in this thesis performs better than the existing one in Snort.

3) Based on a multi-core platform, we propose a "concurrent detection engine model based on a multi-core platform", which aims to maximize the use of every processor core in a multi-core CPU. Test results on an 8-core hardware platform show that the proposed model effectively improves system throughput and, with it, the overall detection performance of the system.

Finally, we applied these three improvements to the intrusion prevention system, combined them with the system's other functional modules, and ran overall tests; the results show that the improved system performs much better.
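The two detection-engine ideas the abstract names, multi-pattern matching of rule content strings and activity-based reordering of the rule chain, are easier to see with a small working model. The following is an added illustration written for this page; it is not code from the thesis and not Snort's own engine. It builds a textbook Aho-Corasick automaton (the AC algorithm Snort uses for its fast pattern matcher) over the content strings of a constructed rule set, scans each constructed payload once for all patterns, and keeps a per-rule hit counter from which the rule list can be reordered by activity. The rule ids, content strings, payloads and class names are all constructed for the example, and the reordering is a simplified sketch of the idea rather than the thesis's actual program.

```python
"""Added illustration of Snort-style multi-pattern content matching with
activity-based rule ordering. Constructed example, not the thesis's code."""
from collections import deque

# Constructed rule set: (rule id, content pattern). Not real Snort rules.
RULES = [
    (1000001, b"/etc/passwd"),
    (1000002, b"cmd.exe"),
    (1000003, b"<script>"),
    (1000004, b"passwd"),
]

# Constructed sample payloads, not captured traffic.
PAYLOADS = [
    b"GET /../../etc/passwd HTTP/1.1",
    b"GET /index.html HTTP/1.1",
    b"POST /login user=<script>alert(1)</script>",
    b"GET /scripts/cmd.exe?/c+dir HTTP/1.1",
    b"GET /cgi-bin/view?file=/etc/passwd HTTP/1.1",
]


class AhoCorasick:
    """Classic Aho-Corasick automaton: goto, fail and output functions.
    One pass over the input finds every pattern, whatever the pattern count."""

    def __init__(self, patterns):
        self.goto = [{}]   # state -> {byte: next state}; state 0 is the root
        self.fail = [0]    # state -> longest proper-suffix state
        self.out = [[]]    # state -> indices of patterns ending here
        for idx, pat in enumerate(patterns):
            self._add(pat, idx)
        self._build_fail()

    def _add(self, pat, idx):
        state = 0
        for byte in pat:
            nxt = self.goto[state].get(byte)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[state][byte] = nxt
            state = nxt
        self.out[state].append(idx)

    def _build_fail(self):
        # Depth-1 states keep fail = 0; deeper states are filled in BFS order,
        # so a state's fail target is always computed before the state itself.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for byte, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(byte, 0)
                # Patterns that are suffixes of this state's string also match here.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def scan(self, data):
        """Return the set of pattern indices occurring anywhere in data."""
        state, found = 0, set()
        for byte in data:
            while state and byte not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(byte, 0)
            found.update(self.out[state])
        return found


class DetectionEngine:
    """Matches payloads against a rule list and tracks per-rule activity."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.matcher = AhoCorasick([pat for _, pat in self.rules])
        self.hits = {rid: 0 for rid, _ in self.rules}

    def inspect(self, payload):
        """Return the sorted ids of all rules whose content appears in payload."""
        alerted = []
        for idx in self.matcher.scan(payload):
            rid = self.rules[idx][0]
            self.hits[rid] += 1
            alerted.append(rid)
        return sorted(alerted)

    def prioritized_rules(self):
        """Rule ids ordered most-frequently-hit first (ties keep original
        order): the ordering an activity-based rule chain adjustment uses so
        that rules firing in a sustained attack are checked earliest."""
        return [rid for rid, _ in sorted(self.rules, key=lambda r: -self.hits[r[0]])]


if __name__ == "__main__":
    engine = DetectionEngine(RULES)
    for payload in PAYLOADS:
        print(payload[:40], "->", engine.inspect(payload))
    print("rule chain by activity:", engine.prioritized_rules())
```

Each payload is scanned once regardless of how many content strings the rule set contains, which is why Snort's detection cost depends mainly on traffic volume rather than rule count; the hit counters show how a rule chain can be resorted while the system runs so that the rules active in the current attack are evaluated first.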
Keywords: Intrusion Prevention System, Snort, Abuse Detection