Network Intrusion Detection System For Modern Architectures

Posted on: 2009-12-30
Degree: Master
Type: Thesis
Country: China
Candidate: W Liu
GTID: 2178360272489792
Subject: Computer software and theory

Abstract/Summary:

As more governments and individuals connect their computers to the Internet, e-government and e-business have become increasingly prevalent, and network security systems have become an indispensable component of network architecture. The NIDS (Network Intrusion Detection System) has become core infrastructure for corporate information security and a key network security tool. However, technical restrictions prevent traditional NIDS from keeping up with high wire-speed networks. This thesis aims to accelerate the NIDS detection engine by exploiting new features of modern computer architectures, so that a NIDS can work well on high wire-speed networks.

The thesis first reviews the fundamental structure of a NIDS and discusses two types of algorithms used in the detection engine. It then studies two important new features of modern computer architectures, multi-core and SIMD, and, in light of the characteristics of detection engines, examines the feasibility of using these two features for acceleration. The body of the thesis then develops the work in three parts.

First, we partitioned the NIDS rule set so that the detection engine can run on a multi-core platform, and proposed a rule-set partition algorithm that balances the load on each core. We then studied the memory access behavior of the detection engine, devised a local cache substitution algorithm based on the SIMD instruction set, and overlapped detection computation with memory access by means of double buffering. Together these enhancements decreased memory access overhead and maximized the parallelism of the detection engine.

Second, following the parallel algorithm's control flow, we parallelized the detection engine at the instruction-set level using SIMD. Based on a close study of SIMD instructions and aligned memory access, we proposed a pattern-set rearrangement algorithm with new data structures. Rearranging the pattern structure dramatically reduced the memory access overhead of the detection engine.

Finally, a novel pattern matching algorithm based on the compression format is proposed. It can inspect a compressed data stream without fully decompressing it. The algorithm reduces repeated searching during matching by using the distance code information generated during compression. For its implementation we proposed a SIMD-based high-speed hash search algorithm. Experimental results show that the proposed algorithm reduced the computing load and dramatically improved throughput.

Keywords/Search Tags: Intrusion Detection, Multi-core, SIMD