
Research And Implementation Of Real-time Intrusion Detection System For High Speed Network Environment

Posted on: 2017-12-29
Degree: Master
Type: Thesis
Country: China
Candidate: Z Y Ling
GTID: 2348330515485722
Subject: Software engineering

Abstract/Summary:
With the development of Internet technology, network applications have been continuously improved and popularized, bringing convenience to people's lives. At the same time, this provides an opportunity for lawbreakers who use the network to carry out illegal behavior. Firewall technology alone has been unable to completely resist all network intrusions and attacks. As the network environment becomes more complex and attack methods emerge in an endless stream, intrusion detection systems greatly make up for the deficiencies of firewalls in network security. However, with the development of optical fiber technology, network bandwidth has increased rapidly, and traditional intrusion detection systems based on real-time analysis of packets are unable to adapt to current high-speed networks. Against this background, this thesis studies and implements a real-time intrusion detection system for high-speed networks, focusing on how to process packets and discover intrusion behavior efficiently and rapidly.

The main work of this thesis is as follows:

(1) Perform a requirements analysis for a real-time intrusion detection system for high-speed networks, combined with application scenarios. Design functions for high-speed packet capture, intrusion detection, multi-core scheduling, data processing and alarm display. Establish the structure of the system, the division of system function modules and the workflow.

(2) Study three packet capture technologies, Libpcap+NAPI, PF_RING and DPDK, and conclude that the defects of the traditional packet capture technology Libpcap+NAPI are caused by frequent system calls, interrupt livelock and copying packets many times. Compare the high-speed packet capture technologies PF_RING and DPDK. Design and implement a high-speed packet capture mechanism based on DPDK.

(3) According to the traffic characteristics and attack characteristics of common DDoS CC, SYN Flood and web application attacks, design and implement a rule engine suitable for a high-speed network intrusion detection system by analysing unpacked packets according to the OSI networking model, collecting statistics on key information, and using Hyperscan, a high-speed regular expression matching engine, to match application-layer content.

(4) Test and verify that the system is able to analyze and process packets in real time and to discover intrusion behavior effectively in a high-speed network environment.
Keywords/Search Tags: high speed network, intrusion detection, packet capture, DPDK, Hyperscan, flow analysis, regular expression matching