| In the network traffic based intrusion detection systems, packet header processing engine usually is a bottleneck for system performance. In a real-time application environment, the reliability of the final intrusion detection outcome relies on the speed and stability of the packet header processing engine. The major responsibilities of data packet header processing engine are the multiplexing and aggregation of the packets: multiplexing is used to locate the current packets to the corresponding sessions, and aggregation is used to accumulate all statistics by hosts.In order to improve the speed and stability of the packet header processing engine, network traffic is classified logically, and an efficient multiplexing and aggregation algorithms are given for each type of network traffic. Two sets of static memory pools are used to improve the system stability. The engine is a producer and the data produced are placed into memory pool A. When the timing semaphore is triggered, the engine switches to another pool, pool B, and continues to place new data into pool B. At the same time, the intrusion analyzing module as a consumer uses the data from pool A. Two sets of memory pool alternate with the timing signals, and the threads and modules corresponding to the engine are synchronized with mutexes and condvars.On the basis of the detailed analysis of the network data traffic properties, the network packet header processing engine is designed and a complete solution is presented, including the design methodology and process. The interfaces to the network intrusion analysis module are also given. |
PDF Full Text Request