Design And Implementation Of Intrusion Detection Engine Based On BF-BV

With the development of network technologies,network security issues have become more and more serious.As a network security measure with active defense,Intrusion Detection System plays a vital role in protecting system security.In the Intrusion Detection System,the detection of the payload of the network packet has become one of the bottlenecks that limit the system performance.Previous system adopts software-based solution.With the rapid growth of network speed and the size of rule set,the software-based solution cannot meet the high-speed network requirements.It needs to use hardware-based solusion to complete the detection of the payload.Currently,the hardware-based solutions are implemented by using state machines or tree structures.The detection performances of these solusion depend on the characteristics of the rules,and the detection speed needs to be improved.In this paper,the BV algorithm for packet header detection is introduced into payload detection,which provides a new solution for payload detection.According to the characteristics of payload detection,the BF-BV algorithm for payload detection is proposed by combining the BV algorithm and BF algorithm.BF-BV algorithm solve the problem that BF algorithm and BV algorithm cannot be applied to the payload detection separately.Secondly,the BF algorithm in BF-BV algorithm is improved and the hardware implementation performance of the algorithm is improved effectively.BF-BV algorithm makes full use of hardware parallelism,and can achieve high detection speed,which does not depend on the characteristics of the rules.It also supports flexible updating and expansion of rule sets.The rule set of the classical intrusion detection system Snort was chosen to complete the hardware implementation of the BF-BV algorithm.The intrusion detection engine includes four parts: the filter module,the FIFO module,the control module,and the exact matching module.The filtering module uses the improved BF algorithm to quickly filter the payload,and outputs the suspected matching data information;the FIFO module is used to buffer the data generated by the filtering module;the control module generates control signal and data for the exact match module by analyzing the data information of the filtering module;the exact match module uses the improved BV algorithm to complete the exact matching of the suspected matching data and determine the intrusion type.In the functional simulation verification phase,test data generated using C language,and the simulation results of the tested design and the standard results are compared and analyzed,which shows the simulation results are accurate.Finally,the design is mapped to the FPGA and the verification platform is built.The verification results show that the detection engine can correctly detect the intrusion information,and the throughput rate can reach 4.8 Gbps.Compared with the existing methods,the performance is improved significantly.