
The Design And Implementation Of Network Anomaly Detection Platform Based On Behavioral Characteristics

Posted on: 2017-06-09
Degree: Master
Type: Thesis
Country: China
Candidate: M J Fan
GTID: 2348330509457579
Subject: Software engineering

Abstract/Summary:
With the rapid development of the Internet, computer networks have become an important foundation and lifeline of the national economy. The sharing and openness of these networks bring great convenience and efficiency, but they also bring a variety of problems, and security incidents now occur frequently across the global Internet. Traditional network defenses such as firewalls, data encryption, authentication, access control and system hardening are static measures. As intrusion techniques keep developing and attacks become more complex and diverse, a static defense system can no longer meet the needs of the current security situation.

Intrusion detection, as a proactive protection technology, can monitor the protected network. Trojan packers and anti-antivirus techniques are developing quickly, so Trojan variants are updated rapidly and are difficult to detect. However, the communication between a Trojan client and its server exhibits distinctive behavioral and communication characteristics that can be observed and detected. Compared with simple pattern matching, analysis based on behavioral characteristics can identify previously unknown network threats and has broader applicability in Trojan detection.

This thesis implements a network intrusion detection system (NIDS) that detects Trojans and other abnormal network traffic from their communication characteristics. It is deployed at the enterprise gateway to monitor enterprise traffic and protect the enterprise network. The system follows the TCP/IP protocol stack and extracts, at each layer, the characteristics available at that layer; together these form a multi-dimensional feature set that characterizes a network session.

Because the detection system depends on rules, we design an expressive rule description language that helps users quickly build and update the rule base, so the system can adapt to newly discovered network attacks. Because the system is deployed on a high-speed network, we also design and implement a fast search algorithm that uses zero-copy and multi-threading techniques to improve the efficiency of statistics collection and analysis. Packet processing is built on the open-source libraries Libnids and Libpcap. Libnids provides a layered invocation framework, on top of which application-layer protocols are identified with DPI (deep packet inspection) protocol identification implemented as plug-ins. The resulting behavior-based detection platform is modular, high-performance, scalable and flexible. In testing, its accuracy, availability and performance all met expectations. The system will eventually be deployed at the enterprise gateway and is of great significance for protecting the corporate network.
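The two ideas the abstract rests on, a per-layer feature vector that characterizes one network session and a rule description language evaluated against that vector, as an added Python example that is not the thesis's own code (the thesis builds on the C libraries Libnids and Libpcap). It takes two constructed, already-reassembled TCP sessions, one ordinary web request and one Trojan-style beacon, derives transport-layer volume features, client timing periodicity and application-layer payload entropy for each, and matches rules written in a small constructed rule syntax. The feature names, rule syntax, addresses, ports and traffic are all assumptions made for illustration.

```python
"""Session behavioural features plus a small rule description language. Added
example, not the thesis author's code: feature names, rule syntax, addresses
and traffic are all constructed for illustration."""
import math
import operator
import statistics

# Input: already reassembled sessions (what Libnids yields for TCP):
# key = (client, server, server_port, proto); value = [(ts_s, "c2s" | "s2c", payload)]
CLIENT = "10.0.0.5"
WEB_KEY = (CLIENT, "203.0.113.10", 80, "tcp")
BEACON_KEY = (CLIENT, "198.51.100.20", 7777, "tcp")

# Constructed benign session: one small request, a burst of larger responses.
WEB_PACKETS = [
    (0.00, "c2s", b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (0.05, "s2c", b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + b"<html>" * 200),
    (0.06, "s2c", b"<p>hello world</p>" * 60),
]
# Constructed Trojan-like session: the client beacons about every 30 s with a 256-byte
# payload in which every byte value occurs once (stand-in for an encrypted blob,
# entropy exactly 8 bits/byte); the server answers with a two-byte "OK".
BEACON_TIMES = [0.0, 30.1, 59.9, 90.0, 120.2, 150.0, 179.8, 210.1]
BEACON_PACKETS = []
for i, t in enumerate(BEACON_TIMES):
    BEACON_PACKETS.append((t, "c2s", bytes((b + i) % 256 for b in range(256))))
    BEACON_PACKETS.append((t + 0.4, "s2c", b"OK"))
SESSIONS = {WEB_KEY: WEB_PACKETS, BEACON_KEY: BEACON_PACKETS}


def shannon_entropy(data):
    """Shannon entropy in bits per byte; 0.0 for an empty payload."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(v) for v in set(data)))


# The feature names a rule may reference (constructed for this example).
FEATURES = ("server_port", "client_pkts", "server_pkts", "up_down_ratio",
            "client_iat_cv", "client_mean_entropy")


def extract_features(key, packets):
    """One session -> feature vector: network layer (port), transport layer
    (packets and bytes per direction), client timing, application-layer entropy."""
    c2s = [p for p in packets if p[1] == "c2s"]
    s2c = [p for p in packets if p[1] == "s2c"]
    client_bytes = sum(len(p[2]) for p in c2s)
    server_bytes = sum(len(p[2]) for p in s2c)
    entropies = [shannon_entropy(p[2]) for p in c2s if p[2]]
    times = sorted(p[0] for p in c2s)
    iats = [b - a for a, b in zip(times, times[1:])]
    # Coefficient of variation of client inter-arrival times: near 0 is a fixed-interval
    # beacon. With fewer than three intervals periodicity is undefined, so it is inf
    # (not 0.0) and a one-request session cannot pass a "< threshold" beacon rule.
    mean_iat = statistics.mean(iats) if len(iats) >= 3 else 0.0
    iat_cv = statistics.pstdev(iats) / mean_iat if mean_iat > 0 else float("inf")
    return {
        "server_port": key[2],
        "client_pkts": len(c2s),
        "server_pkts": len(s2c),
        "up_down_ratio": client_bytes / max(server_bytes, 1),
        "client_iat_cv": iat_cv,
        "client_mean_entropy": statistics.mean(entropies) if entropies else 0.0,
    }


# Rule description language (constructed): one rule per line, "#" comments,
#   <name>: <feature> <op> <number> [and <feature> <op> <number> ...]
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}
RULES_TEXT = """
# periodic, upload-heavy, high-entropy client traffic to a non-TLS port
beacon_c2: client_pkts >= 6 and client_iat_cv < 0.2 and client_mean_entropy > 6.5
upload_heavy: up_down_ratio > 5 and server_port != 443
"""


def load_rules(text):
    """Parse rule text into [(name, [(feature, op, threshold), ...]), ...]."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, body = line.partition(":")
        clauses = []
        for clause in body.split(" and "):
            parts = clause.split()
            if not sep or len(parts) != 3 or parts[0] not in FEATURES or parts[1] not in OPS:
                raise ValueError(f"bad clause {clause!r} in rule {line!r}")
            clauses.append((parts[0], OPS[parts[1]], float(parts[2])))
        rules.append((name.strip(), clauses))
    return rules


def match_rules(features, rules):
    """Names of all rules whose every clause holds for this feature vector."""
    return [name for name, clauses in rules if all(op(features[f], v) for f, op, v in clauses)]


def detect(sessions, rules_text):
    rules = load_rules(rules_text)
    return {k: match_rules(extract_features(k, pkts), rules) for k, pkts in sessions.items()}


if __name__ == "__main__":
    for key, hits in detect(SESSIONS, RULES_TEXT).items():
        print(key, "->", hits or "clean")
```

Run stand-alone, the beacon session triggers both rules and the web session none. Two details matter in practice: the periodicity feature is deliberately undefined (inf) when a session has too few client packets, so a single request can never look like a perfectly regular beacon, and the rule loader rejects unknown feature names and operators at load time rather than failing on the first session that reaches the bad clause.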
Keywords: Network Security, Intrusion Detection, Communication Behavior Characteristics, Rule Description Language