
Improving The Efficiency Of Intrusion Detection By Dynamic Rule Set And Protocol Analysis

Posted on: 2007-03-26
Degree: Master
Type: Thesis
Country: China
Candidate: C M Xu
GTID: 2178360242461957
Subject: Computer application technology

Abstract/Summary:
With the popularization of networks and the growing number of hackers, network security is becoming more and more important. Intrusion detection, a measure for monitoring system security, is becoming one of the most important technologies for maintaining network security.

Usually, an intrusion detection system captures data packets and matches them against patterns; a successful match indicates that an intrusion has occurred. As networks and intrusion techniques develop, rules have to be added to complete the rule set. With the rule set inflating and network bandwidth increasing, the system cannot handle every data packet. It has to drop some packets and fails to report any intrusion contained in a dropped packet, so the rate of missed reports rises. This is the bottleneck of intrusion detection systems.

To address this bottleneck and lower the rate of missed reports, we designed an event analyzer based on a dynamic rule set and protocol analysis, following the principles of the Common Intrusion Detection Framework. A dynamic rule adjustment strategy is established: it acquires the current network bandwidth and the system capability, then adjusts the scope of the rule set according to a corresponding strategy. Combined with protocol analysis, it also classifies the rule set, which reduces the scope of the rule set used in pattern matching. During pattern matching, following a probability mechanism, rules that match frequently are tried first and rules that match seldom are tried afterwards, which reduces the average matching time per data packet. This makes the best use of system resources and lets the intrusion detection system achieve better performance at the current network bandwidth.

The event analyzer is implemented in combination with Snort, a small intrusion detection system, and a prototype system is presented. Finally, we test this prototype system and conclude that using a dynamic rule set and protocol analysis can improve the efficiency of intrusion detection.
Keywords/Search Tags: Intrusion Detection, Pattern Matching, Dynamic Rule Set, Protocol Analysis
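The rule classification and frequency-first matching described in the abstract can be sketched as follows. This is an added illustration, not code from the thesis or from Snort; the class name, the substring matcher and the hit counter standing in for the "probability mechanism" are assumptions.

```python
from collections import defaultdict

class RuleSet:
    """Rules bucketed by protocol; each bucket is reordered by hit count."""

    def __init__(self, rules):
        self.buckets = defaultdict(list)   # protocol -> [(rule_id, pattern)]
        self.hits = defaultdict(int)       # rule_id -> matches seen so far
        for rule_id, proto, pattern in rules:
            self.buckets[proto].append((rule_id, pattern))

    def match(self, proto, payload, adaptive=True):
        """Return (matching rule id or None, number of patterns compared)."""
        # Protocol analysis narrows the scope to one bucket of rules.
        bucket = self.buckets.get(proto, [])
        for compared, (rule_id, pattern) in enumerate(bucket, start=1):
            if pattern in payload:
                break
        else:
            return None, len(bucket)       # no rule matched; whole bucket scanned
        if adaptive:
            self.hits[rule_id] += 1
            # Stable sort: frequently hit rules move to the front of the bucket.
            bucket.sort(key=lambda rule: -self.hits[rule[0]])
        return rule_id, compared

# Constructed sample rules and traffic (assumed values, not real Snort signatures).
RULES = [
    (1, "tcp", b"rare-A"),
    (2, "tcp", b"rare-B"),
    (3, "tcp", b"rare-C"),
    (4, "tcp", b"common"),
    (5, "udp", b"udp-sig"),
    (6, "icmp", b"icmp-sig"),
]
TRAFFIC = [("tcp", b"xx common xx")] * 8 + [("tcp", b"rare-A!"), ("udp", b"..udp-sig")]

def total_comparisons(adaptive):
    """Total pattern comparisons needed to process TRAFFIC with a fresh rule set."""
    rules = RuleSet(RULES)
    return sum(rules.match(proto, data, adaptive)[1] for proto, data in TRAFFIC)

if __name__ == "__main__":
    print("static order:  ", total_comparisons(False))
    print("adaptive order:", total_comparisons(True))
```

On this constructed traffic the frequently matching rule moves to the front of the TCP bucket after its first hit, so later packets carrying the same pattern cost one comparison instead of four.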