
Research On Performance Optimization Of Intrusion Detection System Based On Cooperation Of Hardware And Software

Posted on: 2019-02-20
Degree: Master
Type: Thesis
Country: China
Candidate: X Zhang
GTID: 2348330542998737
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of the Internet, the number of network users is increasing quickly, while the network security situation is becoming more and more serious and malicious programs are spreading more and more widely. To strengthen the protection of computers, more and more intrusion detection systems are deployed in networks to provide users with a safe and reliable Internet access environment. Speeding up intrusion detection is a severe challenge given the rapid growth of network bandwidth. Traditional intrusion detection systems are usually optimized and improved at the software algorithm level. In recent years, emerging hardware platforms and technologies such as multi-core processors, NUMA systems and Intel QuickAssist Technology have brought new opportunities for implementing high-performance intrusion detection systems. This thesis studies how to combine hardware and software to break through the bottlenecks of each module of the intrusion detection system and to improve overall performance. Firstly, to address the inefficiency of compressed data processing in intrusion detection systems, a self-adaptive stateful decompression architecture combining hardware and software, named SASD, is proposed. SASD speeds up GZIP decompression in the decoding and preprocessing module of the intrusion detection system. Experiments demonstrate that using SASD saves more than twice the processing time compared with using a pure software algorithm. Secondly, Snort uses a three-dimensional linked list to organize the rule set, which makes the engine detect data by traversing the tree and creates a performance bottleneck in the intrusion detection system. We propose a vertical rule set organization method to support parallel detection. Experiments show that the overall processing capability of the intrusion detection system is more than 4 times that of Snort, especially when loading large rule sets. Finally, because a traditional single-process intrusion detection system cannot make full use of a multi-core NUMA system, we evaluate the parallel mode of the intrusion detection system under a multi-core NUMA architecture and propose an optimization method. Experiments show that, on real packet traces, the optimization method gives the intrusion detection system a 17% performance increase.
Keywords/Search Tags: intrusion detection system, GZIP decompression, rule-based detection engine, NUMA system